Authorization Code Grant

Applies to ReadyAPI 3.53, last modified on June 26, 2024

The Authorization Code grant is one of the OAuth 2.0 grant types supported in ReadyAPI. With this grant, the resource owner first grants access, after which an authorization code is delivered to the client through a browser redirect. The client then exchanges the code for an access token. Optionally, a refresh token is also sent.

To learn how to configure OAuth 2.0 authentication in ReadyAPI, see Enabling OAuth 2.0 Authentication or Enabling OAuth 2.0 Authentication with Azure Active Directory.

OAuth 2.0: Authorization Code Grant

OAuth 2.0 Azure: Authorization Code Grant

Options

OAuth 2 Flow: Sets the OAuth 2.0 method to use.

Client Identification: An alphanumeric string used to identify the client.

Client Secret: The secret string the client will use.

Response Mode (For Azure only): Specifies how the authorization server sends the access token. Available options:
  • not defined - The authorization server decides which method to use.
  • form_post - The token is sent in an HTML form submitted with the POST method.
  • query - The token is added to the redirect URL as a query parameter.

Resource (For Azure only): The App ID URI of the web service. Microsoft identity platform v2.0 does not support this parameter.

Prompt (For Azure only): Specifies whether the authorization server prompts the user to log in or consent even if they are already logged in. Possible values:
  • not defined - The server does not prompt the user to log in.
  • login - The server asks the user to log in again.
  • consent - The server asks the user to consent.
  • admin-consent - The server prompts for administrator consent.

Login Hint (For Azure only): The string displayed as a login hint in the sign-in form.

Domain Hint (For Azure only): Specifies the domain the user should use to sign in.

Authorization URL: The authorization server URL.

Access Token URL: The URL to get an access token from.

Redirect URL: An authorized redirect URL registered for the application. In OAuth 2.0 terms, the web service redirects you to this URL after successful authentication. To learn more about redirect URLs, see the OAuth 2.0 documentation.
Tip: For testing purposes you can use http://localhost:8080. Make sure you have added this address to the list of authorized redirect URLs in your OAuth provider.

Apply Client JWT Assertion: Select to include a JSON Web Token (JWT) assertion in the authorization request.

JWT Assertion: Available if you selected Apply Client JWT Assertion. Specifies the JSON Web Token (JWT) that will be included in the authorization request as a JWT assertion. You can specify it manually or generate it.

Generate JWT: Available if you selected Apply Client JWT Assertion. Click it to generate a JSON Web Token. The generated token is written to the JWT Assertion field. See Generating JSON Web Token.

Scope: The full scope string defining the requested permissions.

Use Nonce: Select to generate a unique string for each request. It allows the server to verify that the request has not been made before and helps prevent replay attacks.

State: A value included in the request that the server also adds to the token response. It is usually a randomly generated string used to prevent cross-site request forgery (CSRF) attacks.

Use Authorization Header: Select to send client credentials in the request header. Otherwise, the credentials are sent in the request body.

Enable PKCE: Select to use the OAuth PKCE authorization flow. If selected, the Code Challenge Method option becomes available.

Code Challenge Method: Available if you selected Enable PKCE. The method used to derive the code challenge from the code verifier. Possible values: Not defined, plain, SHA256.

Get Access Token: Click this button to retrieve the access token.

Automation: Click this button to open the Automated Token Profile editor.
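
As an added example (not ReadyAPI code), the following Python shows what the Use Nonce, State and Enable PKCE options put on the wire and the checks that make them effective: the client builds the authorization request with a PKCE code challenge (the SHA256 option corresponds to the wire value S256), verifies the echoed state when the redirect arrives, and the authorization server recomputes the challenge from the verifier at the token endpoint. Endpoint URLs and client identifiers passed to these functions are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes give a 43-character verifier, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str) -> str:
    # "plain" sends the verifier itself, so anyone who sees the authorization
    # request learns it; "S256" sends only BASE64URL(SHA256(verifier)).
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorization_url(auth_url, client_id, redirect_uri, scope,
                            state, nonce, verifier, method="S256"):
    """Client side: the request the Get Access Token step opens in the browser."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "nonce": nonce, "code_challenge": code_challenge(verifier, method),
              "code_challenge_method": method}
    return f"{auth_url}?{urlencode(params)}"


def client_accepts_redirect(redirect_url: str, expected_state: str):
    """Client side: accept the code only if the echoed state matches the one we
    sent; a mismatch means the code was not produced by our own request (CSRF)."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


def server_accepts_verifier(stored_challenge: str, method: str, verifier: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the challenge
    from the presented verifier and compare it in constant time."""
    return secrets.compare_digest(code_challenge(verifier, method), stored_challenge)
```

The S256 vector in the test is the one from RFC 7636 Appendix B; a verifier leaked by the plain method would pass server_accepts_verifier for anyone who observed the request, which is why S256 is the method to select.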

See Also

Enabling OAuth 2.0 Authentication
Client Credentials Grant
Implicit Grant
Resource Owner Password Credentials Grant
OAuth 2.0 Grant Types
