As far as I see in the code, the custom authentication class (implementing IUserAuthentication) is called only from AuthorizationServer.issueAccessToken() and only when grant_type=password. No authentication checks are made in AuthorizationServer.issueAuthorizationCode().
Am I missing something obvious here? Shouldn't a user be authenticated before he can get an authorization code on behalf of an app (client)?
Thanks,
Mucius.
Hello,
First, thanks for your interest in the ApiFest project. Your question is very reasonable. At the moment no custom authentication is called in the authorization code flow, however we will consider it.
The authorization code flow includes a redirection of the resource owner (user) to the authorization server, where she/he authenticates, and then on success the resource owner is redirected back to the client app with an authorization code (issued in the backend). That's why ApiFest currently is not designed to call custom authentication in that flow. The authentication is left completely to the authorization server.
You can see more in the RFC - https://tools.ietf.org/html/rfc6749#section-1.3.1
If you have further questions or face any issues, do not hesitate to send them to the [email protected] mail group.
Please note that this flow is not used by our clients at the moment (they all use grant_type password), so we might have missed something.
Best regards,
Rossitsa Borissova
On Wed, Apr 19, 2017 at 12:44 PM, Cat Mucius ***@***.***> wrote:
Good day,
As far as I see in the code, the custom authentication class (implementing IUserAuthentication) is called only from AuthorizationServer.issueAccessToken() and only when grant_type=password. No authentication checks are made in AuthorizationServer.issueAuthorizationCode().
Am I missing something obvious here? Shouldn't a user be authenticated before he can get an authorization code on behalf of an app (client)?
Thanks,
Mucius.
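As an added illustration (not ApiFest's own code), the following minimal Python authorization server shows the property the reply describes: the authorization endpoint never issues a code unless the resource owner already holds a session created by the server's own login step, and the token endpoint redeems a code only once and only for the client and redirect URI it was issued to. The class and method names, the client registry, the user "alice" and all URIs are constructed assumptions, not values from the project.

```python
"""Minimal OAuth 2.0 authorization-code issuer that refuses to mint a code
until the resource owner has authenticated (RFC 6749 section 4.1).
Added illustration only, not ApiFest code; all names and data are constructed."""
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 60      # short-lived codes limit the window for replay
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthorizationServer:
    def __init__(self, clients: dict, users: dict):
        # client_id -> registered redirect_uri (compared by exact match below)
        self.clients = clients
        # user_id -> (salt, pbkdf2 hash); stands in for the user store behind a login page
        self.users = users
        # session_id -> user_id; entries are created only by a successful login()
        self.sessions = {}
        # code -> (client_id, redirect_uri, user_id, expires_at); codes are single-use
        self.codes = {}

    def login(self, user_id: str, password: str):
        """The authorization server's own login step. Returns a session id or None."""
        record = self.users.get(user_id)
        if record is None:
            return None
        salt, expected = record
        if not secrets.compare_digest(_hash_password(password, salt), expected):
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user_id
        return session_id

    def authorize(self, client_id: str, redirect_uri: str, session_id):
        """Authorization endpoint (section 4.1.1/4.1.2): issue a code only for an
        authenticated resource owner and a registered client/redirect_uri pair."""
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client_id or redirect_uri mismatch")
        user_id = self.sessions.get(session_id)
        if user_id is None:
            # No authenticated resource owner: send the user to login, issue nothing.
            return {"action": "redirect_to_login"}
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user_id, time.time() + CODE_TTL_SECONDS)
        return {"action": "redirect_to_client", "redirect_uri": redirect_uri, "code": code}

    def issue_access_token(self, client_id: str, redirect_uri: str, code: str):
        """Token endpoint for grant_type=authorization_code (section 4.1.3)."""
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
        if entry is None:
            raise PermissionError("invalid or already-used code")
        bound_client, bound_uri, user_id, expires_at = entry
        if bound_client != client_id or bound_uri != redirect_uri:
            raise PermissionError("code was not issued to this client/redirect_uri")
        if time.time() > expires_at:
            raise PermissionError("code expired")
        return {"access_token": secrets.token_urlsafe(32), "user_id": user_id}


def demo_server() -> AuthorizationServer:
    """Builds a server from constructed sample data: one client, one user."""
    salt = b"constructed-salt"
    return AuthorizationServer(
        clients={"app1": "https://client.example/cb"},
        users={"alice": (salt, _hash_password("correct horse", salt))},
    )


if __name__ == "__main__":
    srv = demo_server()
    print(srv.authorize("app1", "https://client.example/cb", session_id=None))
    sid = srv.login("alice", "correct horse")
    step = srv.authorize("app1", "https://client.example/cb", sid)
    print(step)
    print(srv.issue_access_token("app1", "https://client.example/cb", step["code"]))
```

The first `authorize` call, made without a session, returns `redirect_to_login` rather than a code; only after `login` succeeds does the same call produce a code, and that code is tied to the client, the redirect URI and a 60-second lifetime, so it cannot be redeemed twice or by a different client.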