Using Common OAuth2 and OpenID Connect Flows
Authorize Code Flow with Refresh Token
The following command creates an OAuth 2.0 Client capable of executing the Authorize Code Flow, requesting ID and Refresh Tokens and performing the OAuth 2.0 Refresh Grant:
hydra clients create \
--endpoint http://ory-hydra:4445 \
--id client-id \
--secret client-secret \
--grant-types authorization_code,refresh_token \
--response-types code \
--scope offline_access \
--callbacks http://my-app.com/callback,http://my-other-app.com/callback
The OAuth 2.0 Client will be allowed to use values http://my-app.com/callback
and http://my-other-app.com/callback
as redirect_url
.
It's expected that the OAuth 2.0 Client sends its credentials using HTTP Basic Authorization.
If you wish to send credentials in the POST Body, add the following flag to the command above:
--token-endpoint-auth-method client_secret_post \
The same can be achieved by setting
"token_endpoint_auth_method": "client_secret_post"
in the request body of
POST /clients
and PUT /clients/<id>
.
To initiate the flow, redirect the user's browser to the OAuth2 Auth Code URL:
<a
href="https://ory-hydra:4444/oauth2/auth/?client_id=client-id&scope=offline_access&redirect_uri=http://my-app.com/callback"
>
Connect with ...
</a>
Client Credentials Flow
To create a client only capable of performing the OAuth 2.0 Client Credentials flow, use:
hydra clients create \
--endpoint http://ory-hydra:4445 \
--id my-client \
--secret secret \
-g client_credentials