I'm implementing an OAuth2 server, and I have a question about implementing the authorization_code grant type.
The standard says the authorization call should be a GET call with certain parameters (client_id, response_type, etc.), but it also says the first step has to be showing users a screen to log in and to give permission to the app to access their data.
I created a GET /auth call with the needed params that renders the screen. That form submits a POST /auth call with all the auth params + the username and password of the user.
Then, a middleware takes care of the authentication. If it fails, it redirects the user to GET /auth?[auth-params]&[error-message] with an informative error message. If it's successful, then the authorization grant proceeds, and if everything is correct I redirect the user to the redirect_uri with the authorization code, etc.
Is this the best way to implement this? I'm worried because:
- There's a POST version of the /auth call, and that's the call that actually does the authorization step.
- The standard suggests that in case of a wrong user authentication, I redirect to the redirect_uri with an error=access_denied query parameter, which I don't do (instead I redirect to the login page).
Any tips? Thank you.
PS: I think it's not relevant, but in any case, I'm implementing the server in node with ExpressJS.