Getting started with oAuth2

Kelly Burgess kellyb at
Tue Oct 18 04:45:48 UTC 2022

>Are the Client ID and Client Secret something that I need to get one time from Microsoft for my application

Yes, for OAuth 2 to work, you need to register your application so that the token server will know who it's working with.  The result of a successful registration will be your Client ID (aka application id) and your Client Secret (app secret).  You keep these for the life of the app, and you'll send them along as part of each of your auth token requests.

> Authorize URL and Access Token URL.

These two URLs will be unique to each service that requires OAuth2 (Microsoft, Google, Dropbox, etc. each have their own server URLs).  In general, you request authorization (using your client ID/secret) from the Authorize URL, and it will return an auth token, which you then send to the Access Token URL.  The access token server will normally return three items - an access token, a refresh token, and an expiration timestamp for the access token.  Until that time elapses, you use the access token to request service APIs.  After that time elapses, you use the refresh token to obtain a fresh access token along with a new refresh token and expiration timestamp.

Obtaining the original access token usually presents a web page for the user to log in and approve the use of resources.  Using the refresh token to get a new access token sidesteps the need to log in and approve access again.
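
As an added example (not part of the original post), the access-token / refresh-token cycle described above can be handled like this in Python. It assumes the token endpoint takes a form-encoded `grant_type=refresh_token` request and replies with `access_token`, `refresh_token` and `expires_in` fields as in RFC 6749; `TokenStore`, the injected `post` callable and `fake_post` are hypothetical names, and the fake server is constructed so the code runs offline.

```python
import time
from urllib.parse import urlencode, parse_qsl

class TokenStore:
    """Holds one user's access token, refresh token and expiry time."""

    def __init__(self, token_url, client_id, client_secret, post,
                 clock=time.time, skew=60):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self.post = post      # callable(url, body) -> dict (assumed transport)
        self.clock = clock
        self.skew = skew      # refresh this many seconds before expiry
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def store(self, reply):
        """Record a token-endpoint reply (first exchange or a refresh)."""
        self.access_token = reply["access_token"]
        # Keep the old refresh token if the server does not send a new one.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + int(reply["expires_in"])

    def refresh_body(self):
        """Form body for the refresh request sent to the Access Token URL."""
        return urlencode({
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })

    def bearer(self):
        """Return a usable access token, refreshing first if it has expired."""
        if self.access_token is None or self.refresh_token is None:
            raise RuntimeError("no tokens: user must log in at the Authorize URL")
        if self.clock() >= self.expires_at - self.skew:
            self.store(self.post(self.token_url, self.refresh_body()))
        return self.access_token

def fake_post(url, body):
    """Constructed stand-in for a token server that rotates both tokens."""
    fields = dict(parse_qsl(body))
    assert fields["grant_type"] == "refresh_token"
    n = int(fields["refresh_token"].split("-")[1]) + 1
    return {"access_token": f"AT-{n}", "refresh_token": f"RT-{n}",
            "expires_in": 3600}
```

The refresh token and client secret are long-lived credentials, so store them protected and keep them out of logs.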

