I am using OAuth to obtain an access token from Microsoft Graph. I am specifically using the Authorization Code grant type. The first step is to request a Code via an HTTP GET. The code is then used in a second HTTP POST API call along with the client_id and client_secret.
What is confusing me is how the Authorization Code is being delivered. It is returned as part of the HTTP Headers named Location.
Is this expected? I was looking for it in a response body similar to how an access_token is returned. Is returning the Code via the Location header expected?
AUTHORIZATION CODE FLOW
This flow is very standard for browser clients, so behaviour looks correct:
TESTING THE CODE FLOW
The Code Flow is tricky to test in tools like Postman. Have a look at OAuth Tools as a better alternative - see also this video.
Here are some values of mine you can use as a first step:
You can then update to your own settings and do the same thing with a test user. Then scroll down and select the 'Redeem Code' option, and use the client_secret_post option to swap the code for tokens. Then view the JWT details etc.
One problem is that my Azure AD client is a Single Page App and Azure AD requires this header to be added to the curl request during the redeem step. Not sure if you will face that problem and I will see if I can get the tool updated to allow extra headers etc to be typed in.
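The three steps the question and answer describe, as an added example rather than code from either poster: the GET to the authorize endpoint, the 302 whose Location header carries the code back to the redirect_uri (which is why it is in a header, not a body: the server is redirecting the browser), and the client_secret_post body for the redeem step. The Microsoft identity platform v2.0 endpoint paths are real; the tenant, client_id, client_secret, redirect_uri and the sample Location header are constructed placeholders, and the example adds a state check and PKCE, which the posts do not mention.

```python
"""Authorization Code flow against the Microsoft identity platform (v2.0 endpoints),
showing why the code arrives in a 302 Location header and how to redeem it."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions: tenant, client id, secret and redirect URI are placeholders, not real values.
TENANT = "common"
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "placeholder-client-secret"
REDIRECT_URI = "http://localhost:8080/callback"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE (RFC 7636, S256 method)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(state, code_challenge, scope="openid profile User.Read"):
    """Step 1: the URL the browser is sent to (HTTP GET)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code_from_location(location, expected_state):
    """Step 2: the authorization server answers the GET with a 302 whose Location
    header is REDIRECT_URI plus code and state as query parameters. The browser
    follows it; the callback handler at REDIRECT_URI parses it like this."""
    parts = urlsplit(location)
    target = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if target != REDIRECT_URI:
        raise ValueError(f"unexpected redirect target: {target}")
    query = parse_qs(parts.query)
    state = query.get("state", [""])[0]
    # Constant-time compare against the state we generated for this login attempt.
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login")
    if "error" in query:  # e.g. error=access_denied when the user declines consent
        desc = query.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {query['error'][0]}: {desc}")
    if "code" not in query:
        raise ValueError("redirect carried neither code nor error")
    return query["code"][0]


def build_token_request(code, code_verifier):
    """Step 3: form body for the HTTP POST to TOKEN_URL (client_secret_post style)."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }


# Constructed sample of the 302 Location header a callback would receive.
SAMPLE_STATE = "a1b2c3d4e5f6"
SAMPLE_LOCATION = (
    REDIRECT_URI
    + "?code=0.AXYA-constructed-authorization-code"
    + "&state=" + SAMPLE_STATE
    + "&session_state=constructed-session-id"
)

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("GET ", build_authorize_url(SAMPLE_STATE, challenge))
    code = extract_code_from_location(SAMPLE_LOCATION, SAMPLE_STATE)
    print("302 Location carried code:", code)
    print("POST", TOKEN_URL, urlencode(build_token_request(code, verifier)))
```

If you drive step 1 from a script or curl instead of a browser, do not let the HTTP client follow redirects automatically, or the 302 and its Location header are consumed before you can read the code; the code is single-use and short-lived, so the POST in step 3 has to follow promptly and must send the same redirect_uri as step 1.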