So I’m trying to implement my own authorization server using Spring. I have my front-end app, which is implemented using ReactJs. One thing that I don’t understand is why I have to redirect to the login page on the authorization server side. I want to have a nice and clean login page on the client side using ReactJs, without redirecting to the other site. I mean, I trust my client (ReactJs app) anyway. Can I just use a POST request to authenticate, like this?

    axios.post('/oauth/login_api_without_redirect', {
      username: 'usr',
      password: 'pwd',
      client_id: 'react_app',
      // ... scope, state, etc. ...
      code_challenge: sha_256('yyyy'),
      code_challenge_method: 'sha_256'
    }).then(r => {
      axios.post('/oauth/token', {
        // ... etc. params ...
        auth_code: r.data.authorizationCode,
        code_verifier: 'yyyy'
      })
    })

And on the authorization server side I would have this API:

    @PostMapping("/oauth/login_api_without_redirect")
    public String authorize(AuthenticationDTO authen) {
        // include client_secret and other stuff..
        return authorizationCode;
    }

Is it safe to do so?
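
For reference, the `code_verifier` / `code_challenge` pair used in the snippet above, computed the way RFC 7636 (PKCE) defines it: a random 43-128 character verifier and the method name `S256`, rather than a fixed string such as `'yyyy'`. This is an added example, not part of the original post; the function names are hypothetical and it assumes Node.js built-ins.

```javascript
// Added example: PKCE values per RFC 7636, using only Node.js built-ins.
const crypto = require('crypto');

// base64url without padding, as RFC 7636 requires for verifier and challenge
function base64url(buf) {
  return Buffer.from(buf).toString('base64url');
}

// code_verifier: 32 random bytes encode to 43 unreserved characters
function generateCodeVerifier() {
  return base64url(crypto.randomBytes(32));
}

// code_challenge for method "S256" = BASE64URL(SHA256(ASCII(code_verifier)))
function codeChallengeS256(verifier) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) {
    throw new RangeError('code_verifier must be 43-128 unreserved characters');
  }
  const digest = crypto.createHash('sha256').update(verifier, 'ascii').digest();
  return base64url(digest);
}

// Token-endpoint side: recompute the challenge from the presented verifier
// and compare it in constant time with the one stored with the auth code.
function verifyPkce(storedChallenge, presentedVerifier) {
  let computed;
  try {
    computed = codeChallengeS256(presentedVerifier);
  } catch {
    return false; // malformed verifier, e.g. too short
  }
  const a = Buffer.from(computed);
  const b = Buffer.from(storedChallenge);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```
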