Added information about auth code exchange to oauth2 docs #392
Conversation
There wasn't any information about the auth code exchange, nor the required headers for that call. I've added this to the flow steps already present. Not sure if this is the appropriate location for it, lemme know if I need to move this to another document.
| [API Docs](http://docs.hdyra.apiary.io/#reference/oauth2/oauth2-token-introspection). |
There was a problem hiding this comment.
not sure why this line is listed as a change... I made this update in the Github UI if that helps at all.
|
Thanks, looks pretty solid. I'll take a closer look next week! |
docs/oauth2.md
Outdated
| POST https://hydra.myapp.com/oauth2/token | ||
| Authorization: Basic BASE64_ID_SECRET_PAIR | ||
| Content-Type: application/x-www-form-urlencoded | ||
| client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=aaabbbcccddd&redirect_uri=https://example.com/callback&grant_type=authorization_code |
There was a problem hiding this comment.
You don't need to include client id and client secret in the POST body, it is enough when provided via basic auth :)
docs/oauth2.md
Outdated
| client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=aaabbbcccddd&redirect_uri=https://example.com/callback&grant_type=authorization_code | ||
| ``` | ||
|
|
||
| *Note:* if your *client* application needs to exchange a refresh token for a new access token, this request should alter the `grant_type` and `code` parameters: |
There was a problem hiding this comment.
Maybe make it clear that this is a separate thing? Because you can't use the auth code, only a refresh token. Maybe as a new bullet point?
docs/oauth2.md
Outdated
| POST https://hydra.myapp.com/oauth2/token | ||
| Authorization: Basic BASE64_ID_SECRET_PAIR | ||
| Content-Type: application/x-www-form-urlencoded | ||
| client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN&redirect_uri=https://example.com/callback&grant_type=refresh_token |
There was a problem hiding this comment.
Same as above, client_id/secret are only required in the authorization header :)
|
Hey @arekkas! I'll get those changes in today and update this PR once ready. |
per PR review
|
@arekkas I updated the PR, should be good for another pass. |
|
Thank you for your contribution! |
There wasn't any information about the auth code exchange, nor the required headers for that call. I've added this to the flow steps already present.
Not sure if this is the appropriate location for it, lemme know if I need to move this to another document.
context: #385 (comment)