The authenticity of the client that makes a request is ensured by its client id together with the predetermined return URLs registered in our system. Those return URLs are bound to your specific client id, and they are the only places where the results of a request are delivered, so only the owner of the systems behind those URLs can receive the tokens. This flow uses only the authorization endpoint:
When the user tries to access the client application, the client application makes a GET request to the authorize endpoint.
As a result, the user is shown the login screen of our identity provider, where he needs to enter his credentials.
After the credentials are verified successfully, the user is redirected to the predefined client redirect URL, and at this point the client application captures the access token from the URL parameter.
The request URL from step 1 looks like this:
http://identity-server-url/connect/authorize?response_type=code&scope=user_api.full_access&client_id=73e9cf0d-561a-11e9-9b32-000d3a46a880&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback
* this is an example call without a real client id
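The following is an added example, not code from the identity provider itself: it builds the step 1 request above with proper URL encoding and shows the server-side check that makes the registered return URLs the anchor of client authenticity. The registration table, the placeholder host and the exact-match rule are assumptions for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample registration (assumption): one client id with its
# registered return URLs. The id is the page's example value, not a real client.
REGISTERED_CLIENTS = {
    "73e9cf0d-561a-11e9-9b32-000d3a46a880": ["http://localhost:3000/callback"],
}
AUTHORIZE_ENDPOINT = "http://identity-server-url/connect/authorize"  # placeholder host


def build_authorize_url(client_id, redirect_uri, scope, response_type="code"):
    """Step 1: the GET request the client application sends to the authorize endpoint.
    urlencode percent-encodes redirect_uri, so no stray spaces or raw ':' '/' end up
    in the query string."""
    query = {
        "response_type": response_type,
        "scope": scope,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(query)}"


def redirect_uri_is_registered(client_id, redirect_uri):
    """Server-side check on the identity provider (assumed behaviour): the
    redirect_uri must be exactly one of the URLs registered for this client id.
    Prefix, substring or wildcard matching would let results be delivered to a
    system the client owner does not control, which is what the registration is
    meant to prevent."""
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])


def validate_authorize_request(url):
    """Parse an incoming authorize request and decide whether the identity
    provider may proceed to the login screen. Returns (ok, reason)."""
    params = parse_qs(urlsplit(url).query)
    client_id = params.get("client_id", [None])[0]
    redirect_uri = params.get("redirect_uri", [None])[0]
    if client_id not in REGISTERED_CLIENTS:
        return False, "unknown client_id"
    if not redirect_uri_is_registered(client_id, redirect_uri):
        return False, "redirect_uri not registered for this client"
    return True, "ok"
```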