So, a basic OAuth2 flow using authorization grant type would normally go as follows, (assume OAuth Client=Quora, OAuth Server=Google, for eg. purposes):
- User goes to Client, is redirected to Server sign in page for authentication.
- User logins to Server, and Server returns an authorization_code to Client.
- Client then makes a call with client_id, client_secret and authorization_code to Server to fetch the token.
- Server validates and replies back with token.
- Client can now access api/resources from Server with the token.
Now, if the user already logged in to say, Server first, then tries to access Client,
- How will Client know that user is already logged in to Server, (as client cant access cookies from server domain)?
- From where will the Client get the authorization code to fetch the access token?
Good question. Here's what happens:
- Client is redirected to Server page for authorization.
- Server (Google) has cookies set in the browser for THEIR domain only (from last time), and can see the user's information.
- Server (Google) generates a NEW authorization code, and redirects BACK to the Client webapp with that code.
- The Client app then makes an API call to Server with client_id, client_secret, and NEW authorization code token and gets a new access token.
- Client app then creates a cookie (or uses local storage) to store this new Access Token and keep the user logged in.
来源:https://stackoverflow.com/questions/41769377/oauth-flow-when-user-is-already-logged-in-to-the-oauth-provider