Posted to httpclient-users@hc.apache.org by Ryan Fulghum <ry...@gmail.com> on 2015/09/15 15:28:34 UTC

OAuth token request with httpclient

We are implementing the OAuth Authorization code grant flow in our Android app.
Note that while registering our application with the remote service we got a
client ID, secret key and redirect URIs.

Implementation:

We open the login page for the service in a browser and let the user supply
their credentials. The browser redirects to our app with the Authorization code.

Next we obtain an OAuth token by exchanging the Authorization code with the
remote service's Authorization server.

We create an HTTPS POST request by URL encoding the client ID, secret, redirect
URI and authorization code and send it to the server. The server responds with
HTTP 401 asking the client to authenticate with one of { NTLM, Kerberos, Basic }
schemes and a specific scope/realm.

If the same POST request is constructed/executed using the HttpURLConnection
class, the server does not ask for authentication and returns a valid response.

I am going to wireshark the HttpURLConnection request and see if it retries
the request silently and, if so, with what credentials.

Has anyone experienced this before?

Thank you.
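
An added example, not part of the original post and not HttpClient project code: it builds the token request described above with the HttpClient 4.x API without sending it, prints the request line, Content-Type and encoded body for comparison with the HttpURLConnection capture, and lists the challenges on a 401. The endpoint, credentials, redirect URI, class and method names and the 401 response are constructed placeholders, and the form parameter names assume the server follows RFC 6749 section 4.1.3.

```java
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.List;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.HttpVersion;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicHttpResponse;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;

public class TokenRequestDump {
    // Build (but do not send) the token request; parameter names assume RFC 6749 section 4.1.3.
    static HttpPost buildTokenRequest(String tokenUrl, String clientId, String secret,
            String redirectUri, String code) throws UnsupportedEncodingException {
        List<BasicNameValuePair> form = new ArrayList<BasicNameValuePair>();
        form.add(new BasicNameValuePair("grant_type", "authorization_code"));
        form.add(new BasicNameValuePair("code", code));
        form.add(new BasicNameValuePair("redirect_uri", redirectUri));
        form.add(new BasicNameValuePair("client_id", clientId));
        form.add(new BasicNameValuePair("client_secret", secret));
        HttpPost post = new HttpPost(tokenUrl);
        post.setEntity(new UrlEncodedFormEntity(form, "UTF-8"));
        return post;
    }

    // Collect every WWW-Authenticate challenge carried by a response.
    static List<String> challenges(HttpResponse response) {
        List<String> out = new ArrayList<String>();
        for (Header h : response.getHeaders("WWW-Authenticate")) {
            out.add(h.getValue());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // All values below, including the 401 response, are constructed placeholders.
        HttpPost post = buildTokenRequest("https://auth.example.com/oauth/token",
                "CLIENT_ID", "CLIENT_SECRET", "myapp://oauth/callback", "AUTH_CODE");
        System.out.println(post.getRequestLine());
        System.out.println(post.getEntity().getContentType());
        System.out.println(EntityUtils.toString(post.getEntity()));
        HttpResponse resp = new BasicHttpResponse(HttpVersion.HTTP_1_1, 401, "Unauthorized");
        resp.addHeader("WWW-Authenticate", "NTLM");
        resp.addHeader("WWW-Authenticate", "Basic realm=\"example\"");
        System.out.println(challenges(resp));
    }
}
```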