Consumer application authorization url generation

I have followed the " Implementing Login, Consent & Logout UI" guide and I have successfully implemented a Login Provider and Consent Provider in .NET using the “Installation and Setup” guide.
So instead of Hydra pointing to the Login & Consent Example App it now points to my .NET Core service, this all works fine and makes sense to me.

What doesn’t make much sense to me is the last part:

Perfect, let’s perform an exemplary OAuth 2.0 Authorize Code Flow! To make this easy, the ORY Hydra CLI provides a helper command called hydra token user . Just imagine this being, for example, passport.js that is generating an auth code url, redirecting the browser to it, and then exchanging the authorize code for an access token

As I can see this generates an url with a nonce, a state and the client-id and this redirects to my .NET application (well it first redirects to Hydra). This is just a “example app” and usually this would be the consumer application.

I don’t understand how this URL is generated and how it is secured with the client-id and client-secret?
An OAuth client is registered with a client-id and secret, and my guess is somehow this nonce and state are derived form this? Or do i have to call Hydra (with client-id and secret) and let it generate an url?

My concrete questions are:

  • How do i generate a URL in my consumer application?
  • How is this secured with the client-secret/id?

You would want an OAuth2 Library for that: