Explore OAuth User Interactive Flows

This guide explains OAuth's user interactive flows and how they are used in the CyberArk Identity sample app.

OAuth User Interactive Flows

CyberArk Identity supports OAuth 2.0 as one of the authorization protocols for accessing protected resources.
Authorization requires a client to obtain an access token from an authorization server. The client then presents the access token to the resource server to access protected resources. A detailed overview of this protocol can be read here.

The following section provides more details about OAuth User Interactive flows in the Angular Java Sample App:

  1. Ensure that an OAuth Client application is configured in your tenant. If not, configure it using the OAuth App setup in the tenant.
  2. Ensure that the OAuth Client details are updated in the Settings page.
  3. Select Scenario 1 from the sample app home page and log in to the system. Please refer to the authentication process.
  4. After successful authentication, the user is redirected to the Login Protocols page. Select the API + OAuth - User Interactive card as highlighted below.

Figure: API and OAuth Protocol method of authenticating and authorizing user

CyberArk Identity supports the following three grant flows for secured OAuth - User Interactive communication:

  • Authorization Code
  • Authorization PKCE
  • Implicit

Authorization Code Flow

In this flow, the client redirects the user to a page where the user enters their credentials and grants access. The OAuth server then returns an authorization code to the client. The client then sends a request to the OAuth server to obtain an access token, including the authorization code in this request. The OAuth server returns the access and refresh tokens to the client for use in accessing subsequent endpoints. For more information, see the Authorization (Auth) Code Flow.

The following steps provide more details about the Authorization Code flow for the OAuth - User Interactive protocol in the Angular Java Sample App.

  1. Select Authorization from the drop-down, enter the Password and click Build Authorize URL.

Figure: Authorize flow for OAuth - User Interactive protocol

  2. The generated authorization URL is a preview of the URL that will be accessed on clicking Authorize, after the user has granted access to the requested scopes (set up in the Settings page of the sample app).

Figure: Authorize URL Preview

  3. Click Authorize and Accept when prompted.
  4. The authorization code is returned along with a preview of the Token Endpoint API request.
  5. On clicking Proceed, the token set and claims data are fetched using the access_token.
  6. Clicking Try Another Flow triggers a call to /Security/logout to end the current user session and redirects the user to the sample app Scenario 1 page.

Authorization PKCE Flow

CyberArk Identity OAuth2 custom application templates support Proof Key for Code Exchange (PKCE) when configuring public applications, such as mobile apps or single-page apps, where a client secret cannot be kept confidential. The PKCE OAuth2 flow for public applications requires that you do not use a client secret when configuring the application template. The steps for configuring the PKCE authorization code flow are similar to the regular authorization code flow, except that your application uses the code_challenge and code_challenge_method parameters in the authorization request and the code_verifier parameter in the token request instead of the client secret. For more details, please refer to Authorization (Auth) Code Flow with PKCE.

The following steps provide more details about the Authorization PKCE flow for the OAuth - User Interactive protocol in the Angular Java Sample App.

  1. Select PKCE from the drop-down and click Build Authorize URL.
  2. The generated authorization URL is a preview of the URL that will be accessed on clicking Authorize, after the user has granted access to the requested scopes (set up in the Settings page of the sample app).
  3. Click Authorize and Accept when prompted.
  4. The authorization code is returned along with a preview of the Token Endpoint API request.
  5. On clicking Proceed, the token set and claims data are fetched using the access_token.
  6. Clicking Try Another Flow triggers a call to /Security/logout to end the current user session and redirects the user to the sample app Scenario 1 page.

Implicit Flow

In this flow, the client redirects the user to a page where the user enters their credentials and grants access. CyberArk Identity then redirects the user back to the client application with the access token included in the redirect. The client can then use the access token to access subsequent endpoints. This flow is the simplest and is typically used by JavaScript applications running in a browser. Since the access token under this flow is assumed to be used temporarily, no refresh token is issued by the OAuth server.

The following steps provide more details about the Implicit flow for the OAuth - User Interactive protocol in the Angular Java Sample App.

  1. Select Implicit from the drop-down and click Build Authorize URL.

Figure: Implicit flow for OAuth - User Interactive protocol

  2. The generated authorization URL is a preview of the URL that will be accessed on clicking Authorize, after the user has granted access to the requested scopes (set up in the Settings page of the sample app).
  3. Click Authorize and Accept when prompted.
  4. On clicking Accept, the Authorize Response is displayed.
  5. On clicking Proceed, claims data can be obtained using the access_token.
  6. Clicking Try Another Flow triggers a call to /Security/logout to end the current user session and redirects the user to the sample app Scenario 1 page.
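The redirect that ends the Implicit flow carries the access token in the URL fragment rather than in a query string or a Token Endpoint response. The following JavaScript, added here as an example and not taken from the sample app, parses such a redirect the way a browser client should: it checks the state value it generated before the redirect, requires a bearer access_token, and records that no refresh_token is present. The sample redirect, token and state values are constructed.

```javascript
// Parse the redirect that ends the implicit flow. The token travels in the URL fragment
// (after '#'), which the browser keeps client-side and never sends to the server.
// expectedState is the random value this client stored before redirecting the user.
function parseImplicitCallback(redirectedUrl, expectedState) {
  const hash = new URL(redirectedUrl).hash;
  const params = new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash);
  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  // A fragment whose state is unknown was not produced for this session: reject it
  // rather than adopting a token that may have been planted by another page.
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  const accessToken = params.get('access_token');
  const tokenType = params.get('token_type') || '';
  if (!accessToken || tokenType.toLowerCase() !== 'bearer') {
    throw new Error('response does not carry a bearer access_token');
  }
  const expiresIn = Number(params.get('expires_in'));
  return {
    accessToken,
    // Implicit flow issues no refresh_token; the client re-runs the flow when this expires.
    expiresIn: Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : null,
    scope: (params.get('scope') || '').split(' ').filter(Boolean),
    hasRefreshToken: params.has('refresh_token'),
  };
}

// Constructed sample redirect with a made-up token; the state matches what the client stored.
const SAMPLE_STATE = 'st-7f3a';
const SAMPLE_REDIRECT = 'https://localhost:4200/callback#access_token=SAMPLE.ACCESS.TOKEN'
  + '&token_type=Bearer&expires_in=3600&scope=openid%20profile&state=' + SAMPLE_STATE;
```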