
These functions implement the OAuth authorization code flow, as defined by rfc6749, Section 4.1. This is the most commonly used OAuth flow, where the user opens a page in their browser, approves the access, and then returns to R.

oauth_flow_auth_code() is a high-level wrapper that should work with APIs that adhere relatively closely to the spec. The remaining low-level functions can be used to assemble a custom flow for APIs that are further from the spec:

  • oauth_flow_auth_code_url() generates the url where the user is sent.

  • oauth_flow_auth_code_listen() starts a webserver that listens for the response from the resource server.

  • oauth_flow_auth_code_parse() parses the query parameters returned from the server redirect, verifying that the state is correct, and returning the authorisation code.

  • oauth_flow_auth_code_pkce() generates code verifier, method, and challenge components as needed for PKCE, as defined in rfc7636.

Usage

oauth_flow_auth_code(
  client,
  auth_url,
  scope = NULL,
  pkce = TRUE,
  auth_params = list(),
  token_params = list(),
  host_name = "localhost",
  host_ip = "127.0.0.1",
  port = httpuv::randomPort()
)

oauth_flow_auth_code_url(
  client,
  auth_url,
  redirect_uri = NULL,
  scope = NULL,
  state = NULL,
  auth_params = list()
)

oauth_flow_auth_code_listen(host_ip = "127.0.0.1", port = 1410)

oauth_flow_auth_code_parse(query, state)

oauth_flow_auth_code_pkce()

Arguments

client

An oauth_client().

auth_url

Authorization url; you'll need to discover this by reading the documentation.

scope

Scopes to be requested from the resource owner.

pkce

Use "Proof Key for Code Exchange"? This adds an extra layer of security and should always be used if supported by the server.

auth_params

List containing additional parameters passed to oauth_flow_auth_code_url().

token_params

List containing additional parameters passed to the token_url.

host_name

Host name used to generate redirect_uri.

host_ip

IP address web server will be bound to.

port

Port to bind web server to. By default, this uses a random port. You may need to set it to a fixed port if the API requires that the redirect_uri specified in the client exactly matches the redirect_uri generated by this function.

redirect_uri

URL to which the user should be redirected.

state

Random state generated by oauth_flow_auth_code(). Used to verify that we're working with an authentication request that we created. (This is an unlikely threat for R packages since the webserver that listens for authorization responses is transient.)

query

List of query parameters returned by oauth_flow_auth_code_listen().

Value

An oauth_token.

Examples

client <- oauth_client(
  id = "28acfec0674bb3da9f38",
  secret = obfuscated(paste0(
     "J9iiGmyelHltyxqrHXW41ZZPZamyUNxSX1_uKnv",
     "PeinhhxET_7FfUs2X0LLKotXY2bpgOMoHRCo"
  )),
  token_url = "https://github.com/login/oauth/access_token",
  name = "hadley-oauth-test"
)
if (interactive()) {
  token <- oauth_flow_auth_code(client, auth_url = "https://github.com/login/oauth/authorize")
  token
}
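
The two checks the low-level functions describe, the PKCE S256 derivation from rfc7636 and the state comparison on the redirect query, written out as an added example. This is not httr2's own code: b64url(), s256_challenge(), make_pkce() and parse_redirect() are hypothetical helpers built on the openssl package, and the redirect queries are constructed.

```r
library(openssl)

# base64url without padding (RFC 7636, section 4.2 and Appendix A)
b64url <- function(raw) {
  gsub("=+$", "", chartr("+/", "-_", base64_encode(raw)))
}

# S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))
s256_challenge <- function(verifier) {
  b64url(sha256(charToRaw(verifier)))
}

# Hypothetical helper: fresh verifier, method, and challenge for one request
make_pkce <- function() {
  verifier <- b64url(rand_bytes(32))  # 43 characters, the RFC minimum length
  list(verifier = verifier, method = "S256", challenge = s256_challenge(verifier))
}

# Hypothetical helper: validate the redirect query before trusting the code
parse_redirect <- function(query, expected_state) {
  if (!is.null(query$error)) {
    stop("authorization server returned error: ", query$error)
  }
  if (!identical(query$state, expected_state)) {
    stop("state mismatch: response does not belong to this request")
  }
  if (is.null(query$code)) {
    stop("no authorization code in response")
  }
  query$code
}

# Known-answer check using the test vector from RFC 7636, Appendix B
stopifnot(identical(
  s256_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"),
  "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSxw-M_M"
))

pkce <- make_pkce()
state <- b64url(rand_bytes(32))

# Constructed redirect queries: one for this request, one with a foreign state
good <- list(code = "constructed-auth-code", state = state)
bad <- list(code = "constructed-auth-code", state = "state-from-another-request")

stopifnot(nchar(pkce$verifier) == 43)
stopifnot(identical(parse_redirect(good, state), "constructed-auth-code"))
rejected <- tryCatch(parse_redirect(bad, state), error = function(e) conditionMessage(e))
print(rejected)
```

The verifier never leaves the client until the token request; only the challenge and method go in the authorization URL, so an intercepted authorization code cannot be redeemed without the verifier.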