This article describes how to investigate Oauth2 Authorization code Request.

As a reminder, the principal of Oauth2 Authorization code Request is two-steps:

  • User Authentication
  • Consent acceptance
  • Get an authorization code , in response of the POST
  • exchange this authorization code against an access token (and optionally a refresh token).

Sometimes, it might useful to digg a little bit within Oauth2 mechanism, as customer may say: « I am not able to get hold of my access token » . It can often occurs that when Oauth2 Authorization code flow is in use the openam server is behaving, but the customer client has not performed the swap to get hold the access token screwing up the entire process.

It is possible very easily using openAM to check exactly the client oauth2 flow.

The oauth2 code flow can be observed in file OAuth2Provider.access

The sequence is:

  • CREATED_AUTHORIZATION_CODE with label OAuth2Provider-7
  • CREATED_REFRESH_TOKEN with label OAuth2Provider-5
  • CREATED_TOKEN with label OAuth2Provider-1
  • UPDATED_AUTHORIZATION_CODE with label OAuth2Provider-17







Olivier Rivat

Olivier Rivat

Senior Software Engineer with over 25 years of experience doing Software Development, Support and Consulting in Identity and Access Management Solutions.
Specialised in IAM (security, access control, identity management) and Open Source integration, settled in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governements with a concern for Identity Management and Open Source components.
JANUA provides better security, build relationships, and enable new cloud, mobile, and IoT offerings from any device or connected thing.
Olivier Rivat

Les derniers articles par Olivier Rivat (tout voir)