In my previous jobs as an iOS developer, I used the authorization URL to redirect the resource owner to the authorization server's web page in a browser, which allowed the resource owner to log in and then consent to the scopes, and then redirect back to the redirect URL together with an auth code. This flow was a black box to me and I assumed that the auth code is unique to the resource owner. Later on, exchanging this auth code for an access token made me think that the access token is also unique to the resource owner.
Fast forward...
I've recently started working on an iOS app codebase which uses OAuth to control access to resources. Specifically we're using ForgeRock AM for identity management. The difference is that we're using an authenticate URL which isn't a webpage, but rather an HTTP URL request.
The flow I read in the code is
- The resource owner enters user id and password in a UITextField.
- The resource owner credentials are sent to an authenticate HTTP URL request which returns a token id.
- Then a call to an authorize HTTP URL request is made where we pass client id, code challenge and code method, since we use PKCE. This endpoint returned an auth code.
- Eventually another call to the access_token endpoint was made with the auth code, client id and code verifier, which returns an access token.
I was surprised that no user id/credential was sent in the third or fourth step above to the auth server requests.
If no user id was sent to those endpoints, is my earlier assumption that auth code and access token are unique to a single resource owner completely wrong?
Are auth code and access token not unique to the authenticated resource owner from the second step?
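As an added illustration (not code from the post and not ForgeRock AM's implementation), the four steps above modelled as a toy Python authorization server with assumed methods authenticate/authorize/token: the session token id returned by the authenticate step is what carries the user's identity into the authorize call, so each auth code and access token is bound to that user as well as to the client id and the PKCE challenge, and the code is single-use.

```python
import base64
import hashlib
import hmac
import secrets

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), RFC 7636 S256."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class ToyAuthServer:
    """Toy authorization server (assumption, not ForgeRock AM). Every code
    and token is bound to the user whose authenticated session requested it."""

    def __init__(self, users: dict[str, str]):
        self._users = users                      # constructed sample users
        self._sessions: dict[str, str] = {}      # session tokenId -> username
        self._codes: dict[str, tuple] = {}       # code -> (user, client, chal)
        self.tokens: dict[str, str] = {}         # access token -> username

    def authenticate(self, username: str, password: str) -> str:
        """Step 2: credentials in, session token id out."""
        stored = self._users.get(username, "").encode()
        if not hmac.compare_digest(stored, password.encode()):
            raise PermissionError("bad credentials")
        token_id = secrets.token_urlsafe(32)
        self._sessions[token_id] = username      # session now names the user
        return token_id

    def authorize(self, token_id: str, client_id: str,
                  code_challenge: str, method: str = "S256") -> str:
        """Step 3: no user id in the request; the session supplies it."""
        user = self._sessions.get(token_id)
        if user is None or method != "S256":
            raise PermissionError("not authenticated")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (user, client_id, code_challenge)
        return code

    def token(self, code: str, client_id: str, code_verifier: str) -> str:
        """Step 4: code is single-use, checked against client id and PKCE."""
        user, bound_client, challenge = self._codes.pop(code, (None,) * 3)
        if user is None or bound_client != client_id:
            raise PermissionError("unknown code or wrong client")
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            raise PermissionError("PKCE verifier mismatch")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = user         # token inherits the user binding
        return access_token
```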