This application launches a local web server and requests an access token and a refresh token. After authentication and authorization are done, the tokens are displayed in a web page together with a button that allows the user to request a new access token.

Full example code is included.

Location: https://github.com/michaelJustin/daraja-framework/tree/master/demo/17_google_refresh_token

Note: the example code contains the configuration for an existing public Google Cloud App registration. You may configure it to use a different App registration, by modifying the constants in unit MainUnit.

Security considerations

  • The example code uses response_mode=form_post to receive the access token. Unlike with response_mode=fragment (or query), the browser does not receive the access_token parameter in the redirect request URI. Therefore, the access_token is not accessible within the browser’s memory. (“Implicit Flow with Form Post”)
  • The example code uses PKCE, which stands for “Proof Key for Code Exchange” (RFC 7636), an extension of the OAuth 2.0 protocol that helps prevent authorization code interception attacks.
  • The example does not require a client secret.
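To make the PKCE and form_post points above concrete, here is an added example that is not part of the demo and not Daraja code; it is written in Python rather than Object Pascal for illustration. It generates a code_verifier and its S256 code_challenge as specified in RFC 7636, shows the check an authorization server performs when the client later presents the verifier at the token endpoint, builds the authorization request with code_challenge_method=S256 and response_mode=form_post, and parses the form_post response that arrives as a POST body at the redirect URI instead of in the URL. The authorization endpoint, client id, redirect URI, state and the sample POST body are constructed placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43..128 unreserved characters. 32 random bytes give 43."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method (section 4.2): BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """Authorization server side (section 4.6): recompute and compare in constant time.

    Because only the hash travelled in the front channel, an attacker who intercepts
    the authorization code still cannot redeem it without the original verifier.
    """
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorization_url(endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """Authorization request (client side). Endpoint and ids are placeholders here."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                     # bind response to this browser session
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "response_mode": "form_post",       # response comes as a POST body, not in the URL
    }
    return endpoint + "?" + urlencode(params)


def parse_form_post_response(body: str, expected_state: str) -> Optional[str]:
    """Handle the POST to the redirect URI.

    With response_mode=form_post the code/state are in the x-www-form-urlencoded body,
    so they never appear in the browser's URL bar, history or Referer header.
    Returns the authorization code, or None if state does not match or code is absent.
    """
    fields = parse_qs(body, keep_blank_values=True)
    state = fields.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        return None                          # possible CSRF / mixed-up response
    code = fields.get("code", [""])[0]
    return code or None


if __name__ == "__main__":
    # Constructed walk-through of the round trip.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = make_code_verifier(16)
    print(build_authorization_url("https://authorization-server.example/authorize",
                                  "placeholder-client-id",
                                  "http://localhost:8080/callback",
                                  "openid email", state, challenge))
    # Constructed POST body as the browser would deliver it to the redirect URI.
    posted = urlencode({"code": "constructed-auth-code", "state": state})
    print("code:", parse_form_post_response(posted, state))
    print("server accepts verifier:", verify_code_challenge(verifier, challenge))
```

The verifier/challenge pair from RFC 7636 Appendix B can be used to sanity check an implementation in any language, including an Object Pascal one: the verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` must produce the S256 challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`.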

Daraja HTTP Server Framework is an open source library for Object Pascal, based on the stand-alone HTTP server component contained in Internet Direct (Indy).
