OAuth2MultiClientIntegrator is a package (not yet published) that takes care of obtaining access and refresh tokens for multiple clients of authorization servers, with as little user intervention as possible, following the OAuth 2.0 authorization code flow.

Although providers such as Google and Facebook follow the general ideas of the OAuth 2.0 standard flows, their implementations deviate from the standard in small ways. This package not only integrates different clients that want to connect to authorization servers through the OAuth 2.0 authorization code flow, but also accommodates these implementation differences. Throughout the following blog posts, you will become familiar with OAuth2MultiClientIntegrator and its capabilities.

To begin, it is worth becoming familiar with the OAuth 2.0 authorization code flow. The authorization code flow is one of the OAuth 2.0 authorization flows, designed for client-server applications where the client (usually a web server) interacts with the authorization server on behalf of the end user. It provides a secure and flexible way for a client to obtain an access token from an authorization server, so that the client can access protected resources on behalf of the end user. The steps of the flow are as follows. Below, "OAuth SDK" means any code, package (like ours), library, or tool that is responsible for managing the process.

  1. Initiating Login: The user selects Login within the application.
  2. Redirect to Authorization Server: The OAuth SDK redirects the user to the OAuth 2.0 Authorization Server.
  3. Login and Authorization Prompt: The OAuth 2.0 Authorization Server redirects the user to the login page.
  4. User Authentication and Consent: The user authenticates using the configured login options, possibly with a consent prompt for the requested permissions.
  5. Authorization Code Generation: The OAuth 2.0 Authorization Server redirects the user back to the application with a single-use authorization code.
  6. Authorization Code Exchange: The OAuth SDK sends the authorization code and the application credentials to the OAuth 2.0 Authorization Server.
  7. Verification of Credentials: The OAuth 2.0 Authorization Server verifies the authorization code, client ID, and application credentials.
  8. Token Retrieval: The OAuth 2.0 Authorization Server responds with an ID token and an access token (and optionally a refresh token).
  9. Accessing User Information: The application uses the access token to call an API for accessing a protected resource.
  10. API Data Response: The API responds with the requested data.

One thing to keep in mind is that OAuth2MultiClientIntegrator only shoulders the responsibility for stages 1 to 8, which are the ones concerned with obtaining access and refresh tokens. The rest of the process, including accessing protected resources, is outside the scope of the package.
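To make stages 1 to 8 concrete, and to show the two use cases named below (obtaining an access token and obtaining a refresh token), here is an added, self-contained simulation of the flow in Python. It is example code written for this post, not code from OAuth2MultiClientIntegrator or from any real authorization server: the `AuthorizationServer` and `OAuthClient` classes, the `CLIENTS` registration, the `run_flow` driver and the `auth.example` / `app.example` hosts are all hypothetical. Both sides run in one process, so no network is involved; the "redirects" are just URLs passed from one object to the other. Where it goes beyond the numbered list, it does so in ways the standard flow requires: the client sends a random `state` value at step 2 and rejects any callback that does not carry one it issued, the server enforces that the authorization code is single-use (step 5) by refusing a replayed exchange, and refresh tokens are rotated on use.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample registration: one client known to the authorization server.
CLIENTS = {"web-app": ("s3cret-client-secret", "https://app.example/callback")}

def flat_query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}  # first value per key

class AuthorizationServer:
    """In-memory stand-in for a real authorization server (hypothetical, not a real product)."""
    def __init__(self, clients):
        self.clients = clients        # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}               # code -> {"client_id", "redirect_uri", "used"}
        self.refresh_tokens = {}      # refresh_token -> client_id

    def authorize(self, params):
        """Steps 3-5: the user has logged in and consented; issue a single-use code."""
        client_id = params["client_id"]
        if client_id not in self.clients or params["redirect_uri"] != self.clients[client_id][1]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": params["redirect_uri"], "used": False}
        # state is echoed back unchanged so the client can tie the response to its own request
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Steps 6-8: verify client credentials and the grant, then return tokens."""
        client_id = form.get("client_id", "")
        known = self.clients.get(client_id)
        if known is None or not hmac.compare_digest(form.get("client_secret", ""), known[0]):
            return {"error": "invalid_client"}
        if form.get("grant_type") == "refresh_token":
            # Refresh tokens are rotated: the presented one is consumed and a new one issued.
            if self.refresh_tokens.pop(form.get("refresh_token", ""), None) != client_id:
                return {"error": "invalid_grant"}
            return self._issue(client_id)
        entry = self.codes.get(form.get("code", ""))
        if (entry is None or entry["used"] or entry["client_id"] != client_id
                or entry["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        entry["used"] = True          # the code is single-use (step 5)
        return self._issue(client_id)

    def _issue(self, client_id):
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = client_id
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": refresh}

class OAuthClient:
    """The 'OAuth SDK' side: builds the redirect, checks the callback, exchanges the code."""
    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server = redirect_uri, server
        self.pending_states = set()

    def authorization_url(self, scope):
        """Step 2: redirect the user, carrying a fresh state value the client remembers."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return "https://auth.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_callback(self, callback_url):
        """Steps 5-6: accept the code only if state matches a pending request, then exchange it."""
        query = flat_query(callback_url)
        if query.get("state") not in self.pending_states:
            raise ValueError("state mismatch: callback does not belong to a pending request")
        self.pending_states.discard(query["state"])
        return self.server.token({"grant_type": "authorization_code", "code": query.get("code", ""),
                                  "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                  "client_secret": self.client_secret})

    def refresh(self, refresh_token):
        return self.server.token({"grant_type": "refresh_token", "refresh_token": refresh_token,
                                  "client_id": self.client_id, "client_secret": self.client_secret})

def run_flow():
    """Drive steps 1-8; returns (tokens, replayed-code result, refresh result, forged-state rejected)."""
    server = AuthorizationServer(CLIENTS)
    client = OAuthClient("web-app", *CLIENTS["web-app"], server)
    callback = server.authorize(flat_query(client.authorization_url("profile")))  # steps 2-5
    tokens = client.handle_callback(callback)                                      # steps 6-8
    replay = server.token({"grant_type": "authorization_code", "code": flat_query(callback)["code"],
                           "redirect_uri": client.redirect_uri, "client_id": client.client_id,
                           "client_secret": client.client_secret})
    refreshed = client.refresh(tokens["refresh_token"])
    try:                                  # a callback whose state the client never issued is dropped
        client.handle_callback(client.redirect_uri + "?code=forged&state=forged")
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return tokens, replay, refreshed, forged_rejected

if __name__ == "__main__":
    print(run_flow())
```

Running the module prints the first token response, the `invalid_grant` error the server returns when the same code is presented a second time, the rotated token set obtained through the refresh-token grant, and `True` for the forged callback being refused. The checks in `token()` are the ones step 7 describes (code, client ID, client credentials), plus the `redirect_uri` match that the standard requires when the authorization request carried one; the client-side `state` check is what stops a callback crafted by someone else from being exchanged on a user's behalf.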

Now that we have described the OAuth 2.0 authorization code flow, we can describe the functionality of our package. One way to do so is to categorize and describe the functionality by use case. The two major use cases of the package are obtaining access tokens and obtaining refresh tokens. So, in the next parts of this blog post, we discuss the participating components in the context of each use case.