Hi all
I have an APEX application which makes use of the eBay API to fetch orders. The web service uses the authorization code grant flow to secure the service. The flow is below:
1. Make a GET request to /oauth2/authorize with client_id, redirect_uri, scope and an optional state. This presents the user with a screen on which they must agree to the T&Cs. This cannot be done programmatically; it requires the user to click a button. eBay allows you to set your redirect URL for success, or use their default. It returns a code and expiry time, e.g. https://<success_url>?code=<code>&expires_in=<expiry>
2. Make a POST request to /oauth2/token with grant_type, code and redirect_uri. Receive a short-lived access token and a refresh token.
3. Make your GET/POST request to the relevant eBay endpoint with the access token.
4. If the access token has expired, use the refresh token to generate a new one.
5. If the refresh token has expired, go back to step 1.
I have set up ORDS endpoints to handle steps 2/4 and 3, which are working as expected. These run on a schedule and the user doesn't need to worry about them.
I want to automate step 1 so that the user is able to get a new code from within APEX (currently I am doing this step manually and storing the code in the database).
The ideal flow would be:
Setup: set the success redirect URL in eBay to a page in the APEX application.
Flow:
1. User clicks a button in APEX to authenticate with eBay, which opens a new tab with the eBay sign-in page.
2. User signs in / accepts the T&Cs.
3. Redirect back to the page in the APEX application.
4. A process on the page grabs the code and expiry time and updates the table in the database.
5. Close the tab and kick off steps 2 & 3 in the background.
I'm not sure what the best way to handle this is. I tried creating a page and grabbing the code / expiry in a JavaScript dynamic action, but when I am redirected the page errors, as the URL doesn't fit in with APEX's standards (it is trying to set items code & expires_in, which don't exist).
My workaround idea was to create a GET request in ORDS and use that as the redirect URL in eBay. The request accepts two parameters, :code and :expires_in, calls a procedure to store these in the DB and returns a success message to the browser. Is this acceptable? It seems a bit hacky to me, and also not particularly secure.
What is the best practice way to handle this situation?
Using APEX 20.2, Oracle XE 18c.
Thanks.
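The redirect handling the post asks about, as an added example that is not part of the original post and not eBay's or APEX's own code. It is written in Python so the protocol logic runs offline; in the poster's setup the same checks belong in the ORDS GET handler that eBay redirects to. What it shows is the part the ORDS workaround is missing: the `state` value from step 1 is generated per APEX session, stored server-side, and consumed exactly once when the redirect arrives, so the handler only accepts a code for a sign-in it started itself (an unsolicited or replayed `?code=...` is rejected), and the code is exchanged immediately (step 2) rather than stored in a table. Only the endpoint paths and parameter names come from the post; the host names, client id, scope, 10-minute state lifetime, `response_type=code` field and the fake token endpoint are assumptions constructed for the example.

```python
"""
Authorization-code callback handling with a session-bound, single-use state.
Added illustration, not code from the original post, eBay or APEX. Endpoint
paths and parameter names follow the post; hosts, credentials, TTL and the
fake token endpoint are constructed here. No network calls are made.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.example/oauth2/authorize"  # assumed host
STATE_TTL_SECONDS = 600  # assumed: a sign-in must complete within 10 minutes


class OAuthCallbackError(Exception):
    """Raised when a redirect must not be trusted."""


class ManualClock:
    """Settable clock so state expiry can be exercised without sleeping."""

    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def make_fake_token_endpoint(valid_codes):
    """Stand-in for POST /oauth2/token (constructed, not eBay's real behaviour).
    Accepts each authorization code once and returns a token pair."""
    unused = set(valid_codes)

    def exchange(form):
        if form.get("grant_type") != "authorization_code" or form.get("code") not in unused:
            raise OAuthCallbackError("token endpoint rejected the code")
        unused.discard(form["code"])  # providers also treat codes as single-use
        return {"access_token": "at-" + form["code"],
                "refresh_token": "rt-" + form["code"],
                "expires_in": 7200}  # assumed lifetime

    return exchange


class AuthorizationBroker:
    """Issues one state per APEX session and consumes it exactly once on callback."""

    def __init__(self, client_id, redirect_uri, scope, token_exchange, clock=time.time):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.scope = scope
        self._token_exchange = token_exchange  # callable(form) -> token dict
        self._clock = clock
        self._pending = {}  # state -> (session_id, issued_at)

    def start(self, session_id):
        """Step 1 of the post: build the authorize URL the APEX button opens."""
        state = secrets.token_urlsafe(32)  # 256 bits, unguessable, URL-safe
        self._pending[state] = (session_id, self._clock())
        query = urlencode({"client_id": self.client_id,
                           "redirect_uri": self.redirect_uri,
                           "scope": self.scope,
                           "response_type": "code",  # standard OAuth2; not listed in the post
                           "state": state})
        return f"{AUTHORIZE_URL}?{query}"

    def handle_callback(self, session_id, redirect_url):
        """Validate the redirect, then exchange the code (step 2) straight away.
        The code itself is never persisted; only the returned tokens are."""
        params = parse_qs(urlsplit(redirect_url).query)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        if not state or not code:
            raise OAuthCallbackError("missing code or state")
        # pop() removes the state whether or not the later checks pass, so a
        # captured redirect URL cannot be replayed against this handler.
        pending = self._pending.pop(state, None)
        if pending is None:
            raise OAuthCallbackError("unknown or already-used state")
        owner, issued_at = pending
        if owner != session_id:
            raise OAuthCallbackError("state was issued to a different session")
        if self._clock() - issued_at > STATE_TTL_SECONDS:
            raise OAuthCallbackError("state expired")
        return self._token_exchange({"grant_type": "authorization_code",
                                     "code": code,
                                     "redirect_uri": self.redirect_uri})


def state_from_authorize_url(url):
    """Walkthrough helper: the state the provider will echo back on redirect."""
    return parse_qs(urlsplit(url).query)["state"][0]


def try_callback(broker, session_id, redirect_url):
    """Return ('ok', tokens) or ('rejected', reason) for one redirect."""
    try:
        return "ok", broker.handle_callback(session_id, redirect_url)
    except OAuthCallbackError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    broker = AuthorizationBroker("client-abc", "https://apex.example/ords/ebay/callback",
                                 "orders.read", make_fake_token_endpoint({"code-1"}))
    url = broker.start("apex-session-1")
    redirect = f"https://apex.example/ords/ebay/callback?code=code-1&expires_in=299&state={state_from_authorize_url(url)}"
    print(try_callback(broker, "apex-session-1", redirect))  # accepted
    print(try_callback(broker, "apex-session-1", redirect))  # replay rejected
```

Mapped onto the poster's setup: the APEX button calls the equivalent of `start()` and stores the state against the APEX session before opening the tab; the ORDS GET handler receives `:code`, `:expires_in` and `:state`, performs the `handle_callback()` checks, and calls the existing step 2 procedure in the same request, so no code is ever written to a table and the client secret stays on the server. Without the state check, anyone who can reach the ORDS URL can overwrite the stored code with one issued to their own eBay account.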