https://github.com/ilert/sample-oauth2-app
This is a demo app showcasing the iLert developer platform and complements our guides.
- Host: GitHub
- URL: https://github.com/ilert/sample-oauth2-app
- Owner: iLert
- License: mit
- Created: 2022-01-13T16:36:36.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2022-02-02T10:48:06.000Z (over 3 years ago)
- Last Synced: 2025-03-13T02:37:15.972Z (7 months ago)
- Topics: app, authorization, native, oauth2, pkce, spa
- Language: JavaScript
- Homepage: https://docs.ilert.com/rest-api/developing-ilert-apps
- Size: 27.3 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# iLert Sample OAuth2 App
This repository showcases 3 potential ways to implement an OAuth2 authorization flow
with the iLert OAuth 2.0 Authorization Server. Visit [the iLert docs](https://docs.ilert.com/rest-api/developing-ilert-apps) to learn more.
## Running the Sample App
- requires Node.js > v14
- `npm install`
- create an iLert application, set your redirect URL to either `http://localhost:4597/authorize-result` or `http://localhost:4597/webapp`
- update `/config/default.js` with your app's credentials #L5,#L6
- update `/public/sample-app.html` with your app's client id #L59
- `npm start`
- open `http://localhost:4597` in your browser
- choose your flow (opening the path will start it)
- an iLert user account is needed to authorize
## Authorization Flows
### 1 Authorization Code Flow
The de-facto industry standard, relying on the fact that the `client_secret` is kept secure and is not exposed publicly. See flow in sample app under `/authorize`.
### 2 Authorization Code Flow with Proof Key for Code Exchange (PKCE)
Based on the authorization code flow, an additional code verifier is created on the requesting side,
hashed and passed as a challenge to the authorization server. When requesting the token for the code,
the verifier is passed again in plaintext and adds additional validation, ensuring that the token request
is coming from the same context as the initial authorization. See flow in sample app under `/authorize?pkce=1`.
### 3 Native / Web-App Authorization Code Flow with Proof Key for Code Exchange (PKCE)
The authorization code flow using PKCE might be used in native or web apps that cannot use a `client_secret`
as they would expose it. See flow in sample app under `/webapp`.