apigee

Handle OAuth2 authentication failure using Apigee proxy


I've written my own login app to protect my api following the oauth-login-app example.

I've implemented the web server flow and everything works great.

My question is: how should I handle an authentication failure at step 3? How do I tell the client app that the authentication failed? The user could either press the cancel button, or refuse permission, or just enter the wrong details.


Solution

  • When you initiate the OAuth 2.0 dance with

    /authorize

    1. the user-agent lands on the /login page (created/hosted by you) after the redirect.
    2. The end user (user-agent) submits the username/password to the page hosted by you. Here you collect the credentials and submit them to Apigee; if authentication fails, send an HTTP 401 response. Now your application should be in a position to re-render the login page with a flash message "invalid credential".
    3. Now, if the user is authenticated but rejects the authorization request on the consent page, you should redirect to the "redirect_uri" provided by the client, with an error code.
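The two failure paths in the answer (401 on bad credentials, error redirect on refused consent), as an added example that is not part of the original post or of Apigee's sample apps. It uses only the Python standard library so it runs offline: the call to Apigee with the collected credentials is replaced by a constructed local check, the registered-client table and the user record are constructed sample data, and the `error=access_denied` value is the code RFC 6749 section 4.1.2.1 defines for a denied request. The `handle_*` functions return plain dicts standing in for HTTP responses so the logic is independent of any web framework.

```python
"""Login/consent app failure handling for the OAuth 2.0 web server flow.

Added example, not the original post's code. The Apigee credential check is
replaced by a constructed local lookup; client and user data are constructed.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample data standing in for the app's own client registry.
REGISTERED_CLIENTS = {
    "client-123": {"redirect_uris": {"https://app.example.com/callback"}},
}
# Constructed user store: username -> sha256(password). Illustrative only.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def check_credentials(username, password):
    """Stand-in for submitting the collected credentials to Apigee.
    Returns True only for a matching username/password pair."""
    expected = USERS.get(username)
    if expected is None:
        return False
    actual = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, actual)


def handle_login_post(form):
    """Step 2 of the answer: on bad credentials respond 401 and re-render
    the login page carrying the 'invalid credential' flash message."""
    if check_credentials(form.get("username", ""), form.get("password", "")):
        return {"status": 200, "body": "login ok; continue to consent page"}
    return {"status": 401, "body": "login page", "flash": "invalid credential"}


def build_error_redirect(client_id, redirect_uri, state, error="access_denied"):
    """Step 3 of the answer: build the URI the user-agent is sent to when the
    user rejects consent, carrying the OAuth2 error code and the client's
    state value. The redirect_uri is honoured only if it was pre-registered
    for this client, so the error path cannot be used as an open redirect.
    Returns None when the client or redirect_uri is not registered."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        return None
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("error", error))
    if state is not None:
        query.append(("state", state))
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment)
    )


def handle_consent_post(form, session):
    """Consent page submission. 'allow' proceeds to code issuance; cancel or
    deny sends the user-agent back to the client with error=access_denied."""
    if form.get("decision") == "allow":
        return {"status": 200, "body": "proceed to authorization-code issuance"}
    location = build_error_redirect(
        session["client_id"], session["redirect_uri"], session.get("state")
    )
    if location is None:
        # Never redirect to an unregistered URI; show the error locally instead.
        return {"status": 400, "body": "unknown client or unregistered redirect_uri"}
    return {"status": 302, "location": location}


if __name__ == "__main__":
    print(handle_login_post({"username": "alice", "password": "wrong"}))
    print(handle_consent_post(
        {"decision": "deny"},
        {"client_id": "client-123",
         "redirect_uri": "https://app.example.com/callback",
         "state": "s1"},
    ))
```

The session dict holds the client_id, redirect_uri and state captured when the /authorize request first arrived, so the consent handler never trusts a redirect target supplied by the consent form itself; echoing the client's state on the error redirect lets the client correlate the failure with the request it started.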