Archived Forum Post

Index of archived forum posts


OAuth 2.0 supports https redirect?

Oct 10 '17 at 08:24

OAuth 2.0 supports https redirect?


The Chilkat OAuth2 class is to help desktop and non-web applications with 3-legged OAuth2.

If you have a web application, then you would implement the 3-legged OAuth2 directly. In 3-legged OAuth2, you have (1) an Authorization Endpoint, and (2) a Token Endpoint.

For example, in Shopify:

In a web application, you would use Chilkat Http or any other convenient HTTP API to send the initial request to the Authorization Endpoint. Your redirect_uri would be a URI directed back to your web application, which receives the redirect request and then sends the final HTTP request to the token endpoint.

HTTPS (i.e. a secure TLS connection) SHOULD be used in the case of a web application, because the redirect is traveling from the local browser, across the Internet, to your web application.

In the case of a desktop application (non-web application), you don't have the capability to receive a redirect on a web server. The Chilkat OAUth2 class is creating a background thread for the single purpose of receiving the redirect. Thus the local web browser that interactively gets permission from the account owner is always communicating with your application on the same local machine. There is no communication across the Internet for the redirect, and therefore no HTTPS is needed. In fact, you cannot really use HTTPS because what server certificate would you use? You'd run into all sorts of trust issues with the browser not being happy with some self-signed "localhost" certificate. There's just no point in opening that can of worms because it's not even necessary..