Skip to main content

Using common OAuth2 and OpenID Connect flows

Authorize Code Flow with Refresh Token

The following command creates an OAuth 2.0 Client capable of executing the Authorize Code Flow, requesting ID and Refresh Tokens and performing the OAuth 2.0 Refresh Grant:

hydra create client \
--endpoint http://ory-hydra:4445 \
--grant-type authorization_code,refresh_token \
--response-type code \
--scope offline_access \
--redirect-uri http://my-app.com/callback,http://my-other-app.com/callback

The OAuth 2.0 Client will be allowed to use values http://my-app.com/callback and http://my-other-app.com/callback as redirect_url.

It's expected that the OAuth 2.0 Client sends its credentials using HTTP Basic Authorization.

If you wish to send credentials in the POST Body, add the following flag to the command above:

    --token-endpoint-auth-method client_secret_post \

The same can be achieved by setting "token_endpoint_auth_method": "client_secret_post" in the request body of POST /clients and PUT /clients/<id>.

To initiate the flow, redirect the user's browser to the OAuth2 Auth Code URL:

<a href="https://ory-hydra:4444/oauth2/auth/?client_id=client-id&scope=offline_access&redirect_uri=http://my-app.com/callback">
Connect with ...
</a>

Client credentials flow

To create a client only capable of performing the OAuth 2.0 Client Credentials flow, use:

hydra create client \
--endpoint http://ory-hydra:4445 \
-g client_credentials