
I have spun up the example-oauth-server and am trying to exercise the implicit flow. I have followed the directions in the documentation and have done the following:

Step 1: registered the client and made sure that there was no requirement for a client secret. Step 2: opened a REPL and did the following:

>>> from authlib.client import OAuth2Session
>>> client_id = 'MY CLIENT ID'
>>> scope = 'profile'  # we want to fetch user's email
>>> # no client_secret: the implicit grant is for public clients
>>> session = OAuth2Session(client_id, scope=scope)

>>> authorize_url = 'http://localhost:5000/oauth/authorize'
>>> # response_type='token' selects the implicit grant; state is returned in the redirect
>>> uri, state = session.authorization_url(authorize_url, response_type='token')

The next step is to get an authorization response. I don't seem to be able to get that. print(uri) does not give me the access token in the URL response because it is not the authorization response.

I know I need to call session.fetch_access_token(authorization_response).

My confusion is what to pass to fetch_access_token when I didn't get the authorization_response.

I know I am missing something minor... any advice?

1 Answer

Print the uri you get from authorization_url and visit it in your browser. In the browser, grant your authorization; it will redirect back to your configured redirect_uri.

When the redirect finishes, you will have the authorization_response.

Remember to create the client with "none" token_endpoint_auth_method.

lepture
  • Yes, I did that and I keep getting "unauthorized_client": "The client is not authorized to request an authorization code using this method". My confusion is that I know there is no need for an authorization code in implicit, and I specifically created the client without a client secret. – cricketgod Apr 25 '18 at 17:28
  • One more clarification: the authorization code grant flow type works well. My next challenge (other than seeing the implicit flow working) is to obtain a refresh token and then present the refresh token to obtain a new access token. – cricketgod Apr 25 '18 at 21:16
  • @cricketgod Implicit is a little tricky; it requires a client without a client_secret. – lepture Apr 26 '18 at 09:26
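The following is an added example, not code from the question, the answer or Authlib, that walks through the three URLs involved in the implicit flow the answer describes: the authorization URL the client builds, the redirect the server sends the browser back to, and the parsing the client has to do on that redirect. It uses only the standard library and reimplements the relevant behaviour rather than calling Authlib, so it runs offline. The client id and the redirect_uri are placeholders, and the server's redirect is constructed locally instead of coming from the example-oauth-server. Two details matter for the question: with response_type=token the access token is returned in the URL fragment (after `#`), not in the query string, and browsers never send the fragment to a server, so the authorization_response has to be the full URL copied from the browser's address bar after the redirect. An "error=unauthorized_client" in that redirect, as in the comment above, is the authorization endpoint telling the client it is not permitted to use the requested response type (RFC 6749 section 4.2.2.1), which is a client-registration problem rather than a client-secret one.

```python
# Added example (not Authlib code): a stdlib-only walk-through of the implicit
# grant. Client id, redirect URI and token values are constructed placeholders.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "http://localhost:5000/oauth/authorize"  # as in the question
CLIENT_ID = "MY CLIENT ID"                               # placeholder, as in the question
REDIRECT_URI = "http://localhost:8000/callback"          # assumed registered redirect_uri


def build_authorization_url(client_id, redirect_uri, scope, state=None):
    """Step 1 (client): the URL to open in the browser.

    response_type=token selects the implicit grant. state is a random nonce the
    client keeps so it can reject a redirect that was not issued for its request.
    """
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params), state


def simulate_server_redirect(redirect_uri, state, access_token="constructed-token"):
    """Step 2 (server, constructed here): after the user grants access, the
    server redirects the browser to redirect_uri with the token in the URL
    fragment (after '#'), not in the query string."""
    fragment = urlencode({
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": "3600",
        "scope": "profile",
        "state": state,
    })
    return redirect_uri + "#" + fragment


def parse_authorization_response(authorization_response, expected_state):
    """Step 3 (client): what a fetch_access_token(authorization_response=...)
    call has to do for the implicit grant: read the token out of the fragment.

    Raises ValueError on an error response, a state mismatch or a missing token.
    """
    parts = urlsplit(authorization_response)
    # The fragment is never sent over HTTP, so a handler on the redirect_uri host
    # cannot see it; the full URL must come from the browser's address bar.
    params = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    if "error" in params:
        raise ValueError(f"{params['error']}: {params.get('error_description', '')}")
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: response was not issued for this request")
    if "access_token" not in params:
        # A '?code=...' response means the server ran the authorization code
        # grant instead; there is no token to read from the fragment.
        raise ValueError("no access_token in fragment; was response_type=token honoured?")
    return params


if __name__ == "__main__":
    uri, state = build_authorization_url(CLIENT_ID, REDIRECT_URI, "profile")
    print("open in browser:", uri)
    # What the browser's address bar shows after granting access:
    authorization_response = simulate_server_redirect(REDIRECT_URI, state)
    print("authorization_response:", authorization_response)
    token = parse_authorization_response(authorization_response, state)
    print("access_token:", token["access_token"])
```

With Authlib, the string to hand to the session is exactly the `authorization_response` value above: the complete redirect URL including everything after `#`, passed as the `authorization_response` keyword the question already mentions. The state check is not optional; it is the only thing stopping an attacker from planting a token of their choosing into the client by sending the user a crafted redirect URL.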