This application launches a local web server and requests an access token and a refresh token. After authentication and authorization are complete, the tokens are displayed in a web page together with a button that requests a new access token.
Full example code is included.
Location: https://github.com/michaelJustin/daraja-framework/tree/master/demo/17_google_refresh_token
Note: the example code contains the configuration for an existing public Google Cloud App registration. You can configure it to use a different App registration by modifying the constants in unit MainUnit.
Security considerations
- The example code uses response_mode=form_post to receive the access token. Unlike with response_mode=fragment (or query), the browser does not receive the access_token parameter in the redirect request URI. Therefore, the access_token is not accessible within the browser’s memory. (“Implicit Flow with Form Post”)
- The example code uses PKCE, which stands for “Proof Key for Code Exchange”, an extension of the OAuth 2.0 protocol that helps prevent code interception attacks.
- The example does not require a client secret.

Daraja HTTP Server Framework is an open source library for Object Pascal, based on the stand-alone HTTP server component contained in Internet Direct (Indy).