I wanted to implement OAuth 2 Code Flow with PKCE by help of IdentityServer. Currently, mobile users put their user/password only in the mobile app. They do not redirect to other pages via browsers or popups. When I use Postman to test APIs, I just call some APIs to get access token. I want no major changes on this part too. I do not like a call back endpoint in my side or a popup window in the postman.
Seems that Code Flow cannot be implemented without redirections. In the other hands, the user/pass should be entered in the authentication provider directly. My searches for followings was not helpful:
- identityserver oauth2 code flow login without redirect
- identityserver code flow embed login page
A work-around is to embed login page but not sure if it is possible. Postman has an internal mechanism for oauth 2 logging in. It includes entering clientId and client secret then a popup is opened to enter user/pass. However, I was in search of simulating this by several API calls. As my back-end is .Net, I tried to use IdentityServer. I used templates to create a sample application.
Useful resources I found during this search:
- Any ways to get authorization cookies without redirection to IS4 #3858 +
- OAuth2 Flow: Reason for sending auth code via redirect
- What's the right OAuth 2.0 flow for a mobile app
- Identityserver4 with SPA without redirecting to Login Page
- imgur oauth
- Identity server & oauth 2.0
- +
- Is it possible or does it make sense to use OAuth 2.0 CodeFlow PKCE for an internal authentication provider?
- OAuth 2.0: Implicit Flow is Dead, Try PKCE Instead
- OAuth 2.0 flows explained in GIFs
- Which OAuth 2.0 Flow Should I Use?