This is a basic proof of concept repo I created to play around with the OAuth2.0 client credentials flow.
This project uses the Serverless Framework and Node.js to create an API Gateway in AWS. It also uses Okta as its OAuth 2.0 authorization server.
- The client requests the `/authorize` endpoint of the API with a base64 encoding of their client credentials as an `Authorization` header.
  - e.g. `echo -n clientid:clientsecret | base64` in Linux (the `-n` matters: a trailing newline would be encoded into the credentials).
- If the authorization server recognizes the client id/secret combo as valid, it will return an `access_token` in its response. Otherwise, it will return a 401.
  - The `/authorize` endpoint can be called at any time to receive a new access token.
  - Each access token is valid for one hour.
- In order to reach the other endpoints in the API, the client must include the `access_token` as an `Authorization` header in all requests.
  - Each endpoint other than `/authorize` is wrapped in a token validator which reads this `Authorization` header and ensures the passed `access_token` is valid before passing execution to the called endpoint.
  - If the `access_token` is not valid, the token validator will return a 401 and execution will not be passed to the called endpoint.