Catch tokens in client app

Hi, there’s something that I don’t fully understand, mainly how to catch the tokens in the client app. I have Hydra running and a consent app, and currently I can perform the whole OAuth2 process, similar to the example Golang-consent-app. Checking this, I see in step 5 that my client application should receive the tokens that come from Hydra.

As in the example app, I have a callback function inside my consent app where I print the tokens. So:

1.- This consent app will be used by many of my other applications, is that ok? Is the consent app supposed to be used by more than one app?

2.- I have registered in the Hydra database the client that is used by the consent app, and for that client I have registered the callback URL in the redirect_uris. Currently that URL points to the callback endpoint of my consent app. My question is: where should I point this redirect if I need to get the tokens in the client app?

Just to be clearer: about the clients registered in Hydra, I have this:

id: consent-app
client_name: Consent App Client
client-secret: $sooomeSeecreet
redirect-uris: https://myConsentApp.com/callback
grant_types: client_credentials|authorization_code|refresh_tok?
response_types: token|code|id_token
scope: openid offline hydra.clients hydra.clients hydra.?
public: FALSE

Also, in the documentation I read:

Hydra validates the consent response token and issues the auth code to the user agent. The user agent is then redirected to the client application at the registered callback uri with the auth code as a parameter: GET https://example.com/callback?code=aaabbbcccddd

I will have, let’s say, 3 client applications that I hope can use the same consent app instance. Let’s say that I have:

  1. App1.com/callback
  2. App2.com/callback
  3. App3.com/callback

For each one of them, I think that I should register a client in the Hydra database, correct? Then, which user should I use in the consent app to connect with Hydra?

Thank you very much!

I’m currently out of office but will take a look in 3-4 days. :slight_smile:

Do you still need help with this or is it resolved?

@hackerman Hi! I still need help to be clearer about the clients. The consent app will be used by many of my applications, and each of those applications should be registered as a client in Hydra.
So, which client credentials should be used in the consent app, as I see that it’s a general app?

> As in the example app, I have a callback function inside my consent app where I print the tokens.

This is ok for testing; in the real world the consent app only logs the user in and asks him for permission to grant specific scopes.

> 1.- This consent app will be used by many of my other applications, is that ok? Is the consent app supposed to be used by more than one app?

The consent app is the login site of your app(s). It is ok if multiple OAuth2 clients (yours and those of third parties) use the same login site.

> 2.- I have registered in the Hydra database the client that is used by the consent app, and for that client I have registered the callback URL in the redirect_uris. Currently that URL points to the callback endpoint of my consent app. My question is: where should I point this redirect if I need to get the tokens in the client app?

That depends on your client app. If it’s a mobile app, you should probably point it to some custom URL scheme. If it’s a browser app (e.g. PHP or ReactJS based), you will redirect it to the URL which contains the callback logic.

> I will have, let’s say, 3 client applications that I hope can use the same consent app instance. Let’s say that I have:
>
> App1.com/callback
> App2.com/callback
> App3.com/callback
>
> For each one of them, I think that I should register a client in the Hydra database, correct?

Yes, this is correct. For example, you will have:

> Then, which user should I use in the consent app to connect with Hydra?

Since you only have one consent app, you should use your existing consent-app client.

For clarification: The consent app is completely independent from the usual OAuth2. The OAuth2 flow works as ever:

  1. Some client (e.g. App1) needs an Access Token
  2. It asks the OAuth2 endpoint (Hydra) for such an Access Token
  3. Hydra logs the user in using the consent flow (and thus the consent app, but this is hidden from the rest of the flow)
  4. Hydra tells App1 the authorize code using the provided callback url
  5. App1 exchanges authorize code for access token
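
The client-side half of the flow listed above (steps 4 and 5), as an added example that is not part of this thread or of Hydra's own code: the callback handler that each client app (App1, App2, App3) would run on its own registered redirect URI. The client id, secret, host names, token URL and the names `Client`, `Tokens` and `HandleCallback` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Client is one OAuth2 client registered in Hydra; every value used here is hypothetical.
type Client struct{ ID, Secret, RedirectURI, TokenURL string }

type Tokens struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
}

// HandleCallback runs on the client's own redirect URI (steps 4 and 5 above);
// wantState is the value this client stored before redirecting the user.
func (c Client) HandleCallback(r *http.Request, wantState string) (*Tokens, error) {
	q := r.URL.Query()
	if wantState == "" || q.Get("state") != wantState || q.Get("code") == "" {
		return nil, fmt.Errorf("callback rejected: bad state or missing code")
	}
	form := url.Values{"grant_type": {"authorization_code"}, "code": {q.Get("code")},
		"redirect_uri": {c.RedirectURI}} // must match the registered redirect URI
	req, err := http.NewRequest(http.MethodPost, c.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(url.QueryEscape(c.ID), url.QueryEscape(c.Secret)) // the client authenticates itself
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	t := new(Tokens)
	return t, json.NewDecoder(resp.Body).Decode(t)
}

func main() { // constructed request: a wrong state is rejected before Hydra is contacted
	app1 := Client{"app1", "constructed-secret", "https://app1.example/callback", "https://hydra.example/oauth2/token"}
	r, _ := http.NewRequest(http.MethodGet, app1.RedirectURI+"?code=aaabbbcccddd&state=wrong", nil)
	fmt.Println(app1.HandleCallback(r, "expected-state"))
}
```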

@hackerman Thank you very much!! Now everything is clear to me.
One last thing, how do I register many URIs for the same client? Should I separate them by commas?

That’s all the information that I needed. Again, thank you!

Glad to be of help, sorry that it took some time to answer your question :slight_smile: