As Roland said, if you go through the specification, it's pretty straightforward.
At a high level, this is what you will need to do to support the AuthCode grant type:
Assuming: your application owns the users.
- Provide client IDs / secrets to each of the third-party applications.
- On your server, create endpoints for
When a client hits the authorization endpoint, as shown below:
/authorize?response_type=code&client_id=<clientID>&state=xyz&redirect_uri=http://thirdparty.com
- Redirect the client to the login page.
- Verify the username / pwd entered by the user.
- If successful, redirect to the third-party client's redirect URI with the authCode.
- On failure, redirect to the third-party client's (pre-registered) failure URI.
The callback looks like this: https://thirdparty.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
The client will then call the /token URI with the authCode, something like below:
/token?grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=http://thirdparty.com
Create a token, save it with the clientID and UserId, and respond with the token. Something like below:
{ "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" }
When a third party accesses your services / resources, check the token against the clientID and user ID and grant or deny access.
This is just for starters, but there is a lot more you can do with scope and the other OAuth2 grant types.
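The flow above, as an added example that is not part of the original answer: an in-memory authorization server with the three pieces the answer lists (the /authorize check, the login step that hands out the code, and the /token exchange) plus the resource-side lookup. The client "thirdparty", its secret, the user "alice" and the dict-based stores are all constructed for this example; the sha256 password hashing stands in for a real password KDF. It adds the checks a practitioner wants on top of the answer's outline: the redirect_uri is matched exactly against the pre-registered list before anything is redirected, the code is short-lived, bound to the client and redirect_uri, and usable once, and the client secret is compared in constant time.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration data for this example (assumptions, not from the
# original answer): one hypothetical third-party client and one user account.
# sha256 stands in for a proper password/secret KDF (argon2, bcrypt, scrypt).
CLIENTS = {
    "thirdparty": {
        "secret_hash": hashlib.sha256(b"client-s3cr3t").hexdigest(),
        # Exact-match whitelist of pre-registered redirect URIs.
        "redirect_uris": {"https://thirdparty.com/cb"},
    }
}
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}

CODE_TTL = 60        # authorization codes are short-lived and single-use
TOKEN_TTL = 3600
_codes = {}          # code -> {"client_id", "user", "redirect_uri", "expires"}
_tokens = {}         # access_token -> {"client_id", "user", "expires"}


def _hash_matches(stored_hex, provided):
    # Constant-time comparison so a wrong secret/password does not leak timing.
    digest = hashlib.sha256(provided.encode()).hexdigest()
    return hmac.compare_digest(stored_hex, digest)


def authorize(url):
    """/authorize: validate the request before the login page is shown.
    Returns the parameters to carry through login, or raises ValueError.
    A bad client_id or unregistered redirect_uri must NOT redirect anywhere,
    otherwise the endpoint becomes an open redirector."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    client = CLIENTS.get(q.get("client_id"))
    if client is None:
        raise ValueError("unknown client_id")
    if q.get("redirect_uri") not in client["redirect_uris"]:
        raise ValueError("redirect_uri not registered for this client")
    if q.get("response_type") != "code":
        raise ValueError("unsupported_response_type")
    if not q.get("state"):
        raise ValueError("state is required (CSRF protection for the client)")
    return {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"], "state": q["state"]}


def login(params, username, password, now=None):
    """Login step: verify the user's credentials and redirect back to the client.
    Success -> redirect_uri?code=...&state=...; failure -> ...?error=access_denied&state=..."""
    now = now or time.time()
    stored = USERS.get(username)
    if stored is None or not _hash_matches(stored, password):
        return params["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": params["state"]})
    code = secrets.token_urlsafe(24)
    _codes[code] = {"client_id": params["client_id"], "user": username,
                    "redirect_uri": params["redirect_uri"], "expires": now + CODE_TTL}
    return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})


def token(form, now=None):
    """/token: exchange a code for an access token. Returns a token response
    dict like the one in the answer, or {"error": ...} when any check fails."""
    now = now or time.time()
    client = CLIENTS.get(form.get("client_id"))
    if client is None or not _hash_matches(client["secret_hash"], form.get("client_secret", "")):
        return {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    rec = _codes.pop(form.get("code"), None)      # pop: a code can be redeemed only once
    if rec is None or rec["expires"] < now:
        return {"error": "invalid_grant"}
    # The code must belong to this client and be presented with the same redirect_uri
    # that was used at /authorize.
    if rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form.get("redirect_uri"):
        return {"error": "invalid_grant"}
    access = secrets.token_urlsafe(32)
    _tokens[access] = {"client_id": rec["client_id"], "user": rec["user"], "expires": now + TOKEN_TTL}
    return {"access_token": access, "token_type": "bearer", "expires_in": TOKEN_TTL}


def check_access(access_token, now=None):
    """Resource side: look the token up and return (client_id, user), or None
    if it is unknown or expired."""
    now = now or time.time()
    rec = _tokens.get(access_token)
    if rec is None or rec["expires"] < now:
        return None
    return rec["client_id"], rec["user"]
```

The token endpoint takes the client secret from the form body here; in a real deployment you would accept it via HTTP Basic and only over TLS, and you would persist the code and token tables instead of holding them in process memory. Scope and refresh tokens are deliberately left out, as in the answer.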