Can I use OAuth 2.0 without a redirect server?
P粉710478990
2023-08-22 22:18:09
<p>I'm trying to create a native Java-based client that interacts with the SurveyMonkey API. </p>
<p>SurveyMonkey requires generating a long-lived access token using OAuth 2.0, which I'm not very familiar with. </p>
<p>I've been googling for hours and I think the answer is no, but I just wanted to make sure: </p>
<p>Can I write a simple Java client to interact with SurveyMonkey,<strong>without having to set up my own redirect server</strong> in some cloud? </p>
<p>I think it is necessary to have my own online service to be able to receive tokens generated by OAuth 2.0. Can't I just have SurveyMonkey send the token directly to my client? </p>
<p>If I set up my own custom Servlet somewhere and use it as redirect_uri, the correct flow should be as follows: </p>
<ol>
<li>The Java client requests a token from SurveyMonkey, where redirect_uri is the URL of my custom Servlet. </li>
<li>SurveyMonkey sends the token to the URL of my custom Servlet. </li>
<li>The Java client polls the custom Servlet's URL until it gets a token. </li>
</ol>
<p>Is this correct? </p>
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
Yes, it is possible to use OAuth2 without a callback URL. RFC6749 introduces several processes. The implicit flow (now deprecated[1]) and the authorization code flow (Authorization Code) require a redirect URI. However, the resource owner password credential process (also deprecated[1]) is not required.
Since the publication of RFC6749, other specifications have been published which do not require any redirect URIs:
Additionally, when using OpenID Connect, the response pattern is not necessarily a redirect to the
redirect_uriparameter, but can instead be a POST request to that endpoint. For more information, see the OAuth 2.0 Form POST Response Pattern specification.Regardless, if the above authorization type does not suit your needs, you can create a custom authorization type.
[1]: OAuth 2.1 Specification (Draft 07)
is not entirely accurate, the whole point of the OAuth process is that the user (the client on whose behalf you are accessing the data) needs to give you permission to access their data.
See Authentication Instructions. You need to send the user to the OAuth authorization page:
This will show the user a page telling them which parts of their account you are requesting access to (e.g. view their surveys, view their responses, etc.). Once the user approves by clicking "Authorize" on that page, SurveyMonkey will automatically jump to the page you set as the redirect URI (make sure the redirect URI in the above URL matches the one set in your application settings) and back Authorization code.
So if your redirect URL is
https://example.com/surveymonkey/oauth, SurveyMonkey will redirect the user to that URL using the authorization code:https://example.com/surveymonkey/oauth?code=You will then need to use that authorization code to exchange the access token by sending a POST request to
https://api.surveymonkey.net/oauth/token?api_key=and provide The following POST parameters:This will return an access token which you can then use to access data on the user account. You do not need to give the access token to the user, it is for you to use to access the user account. No polling or other operations required.
If you are only accessing your own account, you can use the access token provided on the application settings page. Otherwise, there is no way to get access tokens for users unless you set up your own redirect server (unless all users belong to the same group, i.e. multiple users under the same account; but I won't go into that). SurveyMonkey needs a place to send authorization codes to you, you can't just request one.