Getting Started

Try “OAuth 2.0 Authorization Flow” Using Authlete.

Sign Up

1. Sign up by filling in the registration page.
2. Check your inbox for an email from Authlete, describing instructions on how to try OAuth 2.0 flow.

You can try OAuth 2.0 flow right after the signup. We have prepared:

  • An Authlete service instance on your account,
  • A default OAuth 2.0 authorization endpoint up and running with the instance for testing purposes, and
  • Sample client application settings registered with the instance.

Make an Authorization Request

3. Click "Authorization Endpoint" button in the email you have checked in the previous step.

You will be navigated to a login page for authentication and authorization.

Clicking "Authorization Endpoint" button will make an authorization request to the default authorization endpoint using Implicit Flow. It is equivalent to the URL shown below.<SERVICE_API_KEY>?response_type=token&client_id=<SAMPLE_APP_CLIENT_ID>

Authenticate and Authorize

4. Enter API key and secret of your Authlete service instance into the login form.

"Service Owner Console" button in the email is a link to<SERVICE_API_KEY>, which opens Service Details page of the service.

As a special behavior, the login form accepts the pair of API key and API secret as if it were a valid pair of ID & password of an end-user.

5. Click "Authorize" button in the login form, and your browser will be redirected to the client's redirection endpoint.

You can find an access token in the fragment part of the destination URL like below.<SERVICE_API_KEY>#access_token=SNqzo...&token_type=Bearer&expires_in=86400&scope=

Congratulations! You confirmed the OAuth 2.0 authorization flow works!

Try “Authorization Code Grant Flow”

Try “Authorization Code Grant Flow” in addition to Implicit Grant Flow in the previous section.

1. Enter the following URL (authorization request) to your Web browser and submit it.<SERVICE_API_KEY>?response_type=code&client_id=<SAMPLE_APP_CLIENT_ID>

This request is the same as the previous one except response_type=code. Replace <SERVICE_API_KEY> / <SAMPLE_APP_CLIENT_ID> to the appropriate values in your environment.

2. You will be navigated to the login page. Enter the API key and the secret.

3. Your browser will be redirected to the client's redirection endpoint. Enter the value of SAMPLE_APP_CLIENT_ID to client_id field and click “Submit” button to make a token request.

4. Token response (JSON formatted) will be displayed. There should be values for "access_token" and "refresh_token".

Authorization Server Implementations

In the previous section, you tried the flow using the default implementation of authorization endpoint. For real deployments, you have freedom of choice to implement your own authorization server using Authlete Web APIs.

java-oauth-server is an open-source authorization server written using Authlete Web APIs. It is the reference implementation in Java and a good starting point for your own authorization server implementation.

This reference implementation uses Authlete as its backend so that it can eliminate efforts to set up a database server as storage of authorization data (e.g. access tokens), configuration data of the authorization server itself as well as client application settings communicating with the server.

So you can download and start the authorization server only with a few commands as shown below:

Please check the documents at java-oauth-server for details.

$ git clone
$ cd java-oauth-server
$ vi
$ mvn jetty:run

Please check the documents at spring-oauth-server for details.

$ git clone
$ cd spring-oauth-server
$ vi
$ mvn spring-boot:run

Please check the documents at csharp-oauth-server for details.

$ git clone
$ cd csharp-oauth-server/AuthorizationServer
$ vi
$ dotnet run

Please check the documents at authlete-php-laravel for details.

$ laravel new authorization-server
$ cd authorization-server
$ composer require authlete/authlete-laravel
$ php artisan authlete:authorization-server
$ vi config/authlete.php

If you implement your own authorization server using Authlete Web APIs, you don’t have to implement an authentication callback endpoint, but instead you are required to customize some source files related to end-user authentication.