I am building VCL Win32 app in Delphi 10.1 to access some
services from an online web service. Digikey.com is the provider.
I have my client ID and secret and my app is registered with
them. So far so good but I can't quite yet spell OAuth2.0.
I've just implemented OAuth2 for the ICS internet components.
The conceptual issue about OAuth2 is that applications should not know any
login details. They need to be entered through a browser, which then redirects
to a fixed URL which includes an Authorization Code that is subsequently
exchanged for an Access Token that can be used by the REST client. This is really
all designed for interactive applications, on mobile platforms in particular.
Originally it was considered allowable for native applications to display an
embedded browser window in the application to capture the Authorization Code
during redirect, but that potentially means the application can also capture
the login as well so is no longer best practice, see RFC8252. Some apps will
block the embedded window.
But the Delphi REST OAuth components still use an embedded browser, which does
not always work any longer.
The preferred authorization method now is for the native application to launch
the standard browser and redirect to localhost where a small web server runs to
capture the Authorization Code. That is what the ICS components do.
Once you have the Authorization Code, getting an Access Token is trivial REST.
But the Access Token will usually expire within 24 hours, sometimes much sooner.
So the token exchange process also offers a Refresh Token with the same expiry,
but which can be used to get another Access Token without needing user
interaction.
So the trick for native applications is to keep refreshing the Access Token
before it expires, allowing your application to keep running. Store the
Refresh Token securely, since it's a potential security risk.
Angus
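The loopback-capture and refresh steps Angus describes, as an added example that is not part of the post or of the ICS components, and in Python rather than Delphi because the logic is language-neutral. The request line, client credentials and the 60-second refresh margin are constructed assumptions; the form bodies follow the standard OAuth2 authorization_code and refresh_token grants.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit
import secrets


@dataclass
class TokenSet:
    """What the token endpoint returned and when, so expiry can be tracked."""
    access_token: str
    refresh_token: str
    obtained_at: float  # epoch seconds when the token response arrived
    expires_in: int     # lifetime in seconds as reported by the server

    def needs_refresh(self, now: float, margin: int = 60) -> bool:
        # Refresh a little early so the app never presents an expired token.
        return now >= self.obtained_at + self.expires_in - margin


def new_state() -> str:
    # Unguessable per-request value sent with the authorization URL; the app
    # checks it on the redirect so only a code it actually asked for is used.
    return secrets.token_urlsafe(24)


def code_from_redirect(request_line: str, expected_state: str) -> str:
    """Parse the first line of the HTTP request the loopback listener receives
    (e.g. 'GET /callback?code=..&state=.. HTTP/1.1') and return the code."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method on loopback redirect")
    params = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    if "error" in params:  # user denied, or the server rejected the request
        raise ValueError(f"authorization server error: {params['error']}")
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: redirect is not from our request")
    if "code" not in params:
        raise ValueError("redirect carries no Authorization Code")
    return params["code"]


def code_exchange_body(code: str, client_id: str, client_secret: str,
                       redirect_uri: str) -> str:
    """Form body for swapping the Authorization Code for an Access Token."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret})


def refresh_body(refresh_token: str, client_id: str, client_secret: str) -> str:
    """Form body for getting a fresh Access Token without user interaction."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret})
```

The app POSTs each body to the provider's token endpoint as application/x-www-form-urlencoded; a background timer calling `needs_refresh` decides when to send the refresh one.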