Hi Imesh Gunaratne, I am struggling a little bit to understand the Authorization Code Grant. Let me try and describe my confusion.
My understanding from your article is that:
- browser redirects user to auth server
- user authenticates using his/her credentials
- auth server redirects user to client (backend) with authorization code
- backend uses this authorizarion code along with client creds to fetch an access token and refresh token from auth server
- let’ say now client displays a “welcome page” to user
- User clicks on a button to fetch some data from a resource provider.
How does this work? The button is on the browser. And so far browser doesn’t have any tokens, codes or secrets stored. So it sends an unsecured request to backend? But that can’t be the case because that means backend has unsecured open endpoints.
I must be missing something.. I just cant figure out what it is.