2.2. OAuth token request flows and responses

The OAuth server supports the standard authorization code grant and implicit grant OAuth authorization flows.

When requesting an OAuth token using the implicit grant flow (response_type=token) with a client_id configured to request WWW-Authenticate challenges (such as openshift-challenging-client), these are the possible server responses from /oauth/authorize and how a client should handle each of them:

Status: 302
Content: Location header containing an access_token parameter in the URL fragment (RFC 6749 section 4.2.2)
Client response: Use the access_token value as the OAuth token.

Status: 302
Content: Location header containing an error query parameter (RFC 6749 section 4.1.2.1)
Client response: Fail, optionally surfacing the error (and optional error_description) query values to the user.

Status: 302
Content: Any other Location header
Client response: Follow the redirect, and process the result using these rules.

Status: 401
Content: WWW-Authenticate header present
Client response: Respond to the challenge if the type is recognized (e.g. Basic, Negotiate, etc.), resubmit the request, and process the result using these rules.

Status: 401
Content: WWW-Authenticate header missing
Client response: No challenge authentication is possible. Fail and show the response body (which might contain links or details on alternate methods to obtain an OAuth token).

Status: Other
Content: Other
Client response: Fail, optionally surfacing the response body to the user.
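The following is an added example of a client that drives the table above to a terminal outcome; it is not OpenShift's own code (the oc client is written in Go) and it makes no network requests. The request function is injected so the loop can run offline against a constructed stand-in server; the host name, client_id query string, credentials and token value are all made up for the demonstration. It goes slightly beyond the table in two places: it also looks for an error parameter in the URL fragment (where RFC 6749 section 4.2.2.1 places implicit-grant errors), and it only answers a Basic challenge when the challenged URL is the https origin the flow started on, since Basic sends the password in the clear.

```python
import base64
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


class Action(Enum):
    TOKEN = "token"          # access_token found in the Location fragment
    FOLLOW = "follow"        # some other redirect: fetch Location and re-evaluate
    CHALLENGE = "challenge"  # 401 carrying a WWW-Authenticate scheme
    FAIL = "fail"            # error redirect, bare 401, or anything else


@dataclass
class Outcome:
    action: Action
    token: Optional[str] = None
    location: Optional[str] = None
    challenge: Optional[str] = None   # scheme named by WWW-Authenticate
    error: Optional[str] = None
    detail: Optional[str] = None      # error_description or response body


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; do not rely on the server's spelling."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def classify(status: int, headers: Dict[str, str], body: str = "") -> Outcome:
    """One row of the response table per return; rows checked in the table's order."""
    if status == 302:
        location = _header(headers, "Location") or ""
        parts = urlsplit(location)
        fragment, query = parse_qs(parts.fragment), parse_qs(parts.query)
        if "access_token" in fragment:  # RFC 6749 4.2.2: token lives in the fragment
            return Outcome(Action.TOKEN, token=fragment["access_token"][0])
        err = query.get("error") or fragment.get("error")  # 4.1.2.1 query, 4.2.2.1 fragment
        if err:
            desc = query.get("error_description") or fragment.get("error_description") or [None]
            return Outcome(Action.FAIL, error=err[0], detail=desc[0])
        return Outcome(Action.FOLLOW, location=location)
    if status == 401:
        challenge = _header(headers, "WWW-Authenticate")
        if challenge:
            return Outcome(Action.CHALLENGE, challenge=challenge.split(None, 1)[0])
        return Outcome(Action.FAIL, detail=body)  # no challenge possible; show the body
    return Outcome(Action.FAIL, error=f"HTTP {status}", detail=body)


def request_token(send: Callable[[str, Dict[str, str]], Response], url: str,
                  credentials: Optional[Tuple[str, str]] = None,
                  max_hops: int = 5) -> Outcome:
    """Apply the table until a terminal outcome. `send(url, headers)` performs one GET."""
    origin = urlsplit(url)
    extra: Dict[str, str] = {}
    answered = False
    for _ in range(max_hops):
        outcome = classify(*send(url, extra))
        if outcome.action is Action.FOLLOW:
            url, extra = outcome.location, {}  # never carry credentials across a redirect
        elif outcome.action is Action.CHALLENGE:
            target = urlsplit(url)
            if (outcome.challenge.lower() != "basic" or credentials is None
                    or target.scheme != "https" or target.netloc != origin.netloc):
                return Outcome(Action.FAIL, error="unsupported_challenge",
                               detail=outcome.challenge)
            if answered:  # challenged again after answering: credentials were rejected
                return Outcome(Action.FAIL, error="invalid_credentials")
            raw = f"{credentials[0]}:{credentials[1]}".encode()
            extra = {"Authorization": "Basic " + base64.b64encode(raw).decode()}
            answered = True
        else:
            return outcome
    return Outcome(Action.FAIL, error="too_many_hops")


# Constructed stand-in for the OAuth server (hypothetical host and credentials).
AUTHORIZE = ("https://openshift.example.com/oauth/authorize"
             "?client_id=openshift-challenging-client&response_type=token")


def fake_server(url: str, headers: Dict[str, str]) -> Response:
    """Issue one Basic challenge, then redirect with the token in the fragment."""
    expected = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    if headers.get("Authorization") != expected:
        return 401, {"WWW-Authenticate": 'Basic realm="openshift"'}, "login required"
    return 302, {"Location": "https://openshift.example.com/oauth/token/implicit"
                             "#access_token=t0k3n&token_type=Bearer&expires_in=86400"}, ""


if __name__ == "__main__":
    print(request_token(fake_server, AUTHORIZE, ("alice", "s3cret")))
```

Two details worth keeping in a real client: the Authorization header is dropped whenever a redirect changes the URL, and a second 401 after credentials were sent is treated as a rejection rather than retried, so a wrong password cannot be resubmitted in a loop.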