This is the part of the authorization code flow that takes the user's credentials and redirects an authorization code back to the web server through a user agent (a browser or a mobile phone). The web server then uses the authorization code, together with its client_id and client_secret, to obtain the access token and refresh token.
In this tutorial, we use the curl command to access the service for demo purposes. In reality, this should be done by a login-view single-page application. The light portal https://signin.lightapi.net is an example of such a login view.
When the GET endpoint is used, the browser shows a popup window asking for a username and password, so there is no need to create a login page or an error page. This is the simplest approach, but it has many limitations. For production usage, a form-based login application that uses the POST endpoint is recommended.
The POST endpoint is usually used when you want a customized login application, so that users have the same experience as when they browse other parts of your web server. The browser shows a login form that collects the user's credentials and posts them to the OAuth2 server's /oauth2/code endpoint. Once the user is authenticated, the authorization code is redirected back to the browser using the redirect URI passed in the request or, if none was passed, the default redirect URI registered for the client. As you might guess, this endpoint usually requires customization of the login page and the error page. The default login view application is provided as a starting point for building your customized login application.
There is only one bootstrap admin user after the system is installed, and its default password is "123456". For production, the password must be reset immediately with the User Service.
To get an authorization code, put the following URL into your browser.
If this is the first time you hit this URL in the browser, a popup window asks for user credentials. Log in with admin/123456, given that you haven't reset the password for the admin user yet. If you have logged in recently, your credentials are cached and no popup window appears.
Once authentication completes, the authorization code is redirected to your browser's address bar, something like the following. Don't worry about the error "This site can't be reached": it appears because there is no server listening on http://localhost:8080 locally. What we are doing here is only demonstrating the authorization code flow; a real application would start the flow from a browser application.
If you want to call the GET endpoint from your command line or a script, you can put the user credentials into a header in the command. The light-oauth2 code service GET endpoint accepts Basic authentication in the Authorization header in base64 format, so we need to encode admin:123456 in base64. Several online encoders are available; here is one: https://www.base64encode.org/
After encoding the credentials, we get YWRtaW46MTIzNDU2. Here is a sample curl command with -v to show the 302 redirect response. Without -v, the terminal output is empty.
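The following Python script is an added example and is not part of light-oauth2 or this tutorial. It walks through the pieces described above from the web server's side: encoding user credentials for the Basic Authorization header (the same YWRtaW46MTIzNDU2 value as the curl command), building the request to the code endpoint, validating the 302 redirect that carries the authorization code, and assembling the token exchange that uses client_id and client_secret. The OAuth2 server host, the client registration values, the redirect path under http://localhost:8080 and the token endpoint path are assumptions; the parameter names are the standard RFC 6749 ones, and the redirect Location header is a constructed sample rather than real server output.

```python
import base64
import shlex
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: the page names the /oauth2/code path and the admin user,
# but not the server host, the client registration or the token endpoint.
OAUTH2_HOST = "https://oauth2.example.test"
CODE_ENDPOINT = OAUTH2_HOST + "/oauth2/code"
TOKEN_ENDPOINT = OAUTH2_HOST + "/oauth2/token"  # assumed path


def basic_auth_header(username, password):
    """Build the Basic Authorization header the GET code endpoint accepts."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_code_request_url(client_id, redirect_uri, state, scope=None):
    """Authorization request sent to the code endpoint by the user agent."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # bound to the browser session; checked on the way back
    }
    if scope:
        params["scope"] = scope
    return CODE_ENDPOINT + "?" + urlencode(params)


def curl_equivalent(username, password, url):
    """The curl -v invocation that mirrors a scripted call to the GET endpoint."""
    header = "Authorization: " + basic_auth_header(username, password)
    return "curl -v -H " + shlex.quote(header) + " " + shlex.quote(url)


def extract_code(location_header, expected_state, registered_redirect_uri):
    """Validate the 302 Location the server redirects to and return the code.

    The redirect target must match the registered redirect URI, the state must
    equal the one sent in the request, and an error response is rejected.
    """
    target = urlparse(location_header)
    registered = urlparse(registered_redirect_uri)
    if (target.scheme, target.netloc, target.path) != (
        registered.scheme, registered.netloc, registered.path
    ):
        raise ValueError("redirect target does not match the registered redirect URI")
    query = parse_qs(target.query)
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible cross-site request forgery")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("redirect does not carry exactly one authorization code")
    return codes[0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Token exchange the web server performs with its client credentials.

    Returns (url, headers, form_body); the secret travels in the Basic header,
    never through the browser.
    """
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must repeat the value used in the request
    })
    return TOKEN_ENDPOINT, headers, body


if __name__ == "__main__":
    redirect_uri = "http://localhost:8080/authorization"  # assumed registration
    url = build_code_request_url("my-client", redirect_uri, state="s3ssion-xyz")
    print(curl_equivalent("admin", "123456", url))
    # Constructed sample of the 302 Location header the server would send back.
    location = redirect_uri + "?code=sample-code-42&state=s3ssion-xyz"
    code = extract_code(location, "s3ssion-xyz", redirect_uri)
    print(build_token_request(code, "my-client", "my-secret", redirect_uri))
```

The state check and the comparison against the registered redirect URI are the two places where a web server most often cuts corners; keeping them in one function makes it easy to see that neither the browser-supplied redirect nor a code delivered to the wrong callback is accepted.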