OAuth Quickstart

This quickstart covers the shortest path for integrating your app with OpenASA as the OAuth Provider.

Protocol note: this runtime currently implements OAuth 2.0 Authorization Code + PKCE (S256).

Prerequisites

  • Your app can access https://api.openasa.com.
  • Your app has client metadata registered against OpenASA, including client_id, redirect_uri, and allowed scopes.
  • Your backend can perform the authorization code exchange securely; the exchange must not run in browser code.

Step 1: Prepare authorization request

Collect these fields first:

  • response_type=code
  • client_id
  • redirect_uri
  • scope
  • state

Step 2: Redirect browser to OpenASA authorize

Your browser app sends the user to GET /oauth/authorize, carrying the Step 1 fields as query parameters.

At this point, OpenASA owns sign-in and consent UX.

Step 3: Receive callback on your redirect URI

After successful sign-in and consent, OpenASA redirects the browser back to your redirect_uri with:

  • code
  • state

Validate state before continuing: compare it with the value you generated and stored before the redirect, and reject the callback on any mismatch.

Step 4: Exchange code for tokens

Your backend exchanges the code at POST /oauth/token and obtains:

  • access_token
  • refresh_token
  • id_token (when enabled)
  • expires_in

Step 5: Read OpenASA user profile

Call GET /oauth/userinfo with the access token and map the returned sub (the stable subject identifier) into your own local account model.
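The five steps above, end to end, as an added example written for this page rather than code from OpenASA. It keeps the state and PKCE verifier server-side, builds the authorize URL, checks state on the callback, prepares the token request for the backend, and keys the local account on sub. Assumptions: the endpoints live under https://api.openasa.com (the page names the paths, not the host); the PKCE parameters code_challenge, code_challenge_method, and code_verifier follow RFC 7636; the client authenticates with PKCE only (if OpenASA issued your client a secret, add it the way its token endpoint expects); the session dict stands in for whatever server-side session store your backend uses; the userinfo response in the demo is constructed, not a real reply.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed host; the three paths are the ones the quickstart names.
OPENASA_BASE = "https://api.openasa.com"
AUTHORIZE_URL = f"{OPENASA_BASE}/oauth/authorize"
TOKEN_URL = f"{OPENASA_BASE}/oauth/token"
USERINFO_URL = f"{OPENASA_BASE}/oauth/userinfo"


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: base64url(sha256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """32 random bytes -> 43 URL-safe chars, inside the 43..128 length RFC 7636 allows."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def start_login(session: dict, client_id: str, redirect_uri: str, scope: str) -> str:
    """Steps 1-2: store state and verifier server-side, return the URL to redirect to."""
    state = secrets.token_urlsafe(32)
    verifier = new_verifier()
    session["oauth_state"] = state          # checked once on the callback
    session["pkce_verifier"] = verifier     # never leaves the backend
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,       # must equal the registered value byte for byte
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 3: verify state (single use, constant-time) and return the code."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # pop: a replayed callback finds nothing
    received = query.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(
        expected.encode("utf-8"), received.encode("utf-8")
    ):
        raise ValueError("state mismatch: reject callback (possible CSRF or stale session)")
    codes = query.get("code")
    if not codes:
        raise ValueError("callback carried no authorization code")
    return codes[0]


def token_request(session: dict, client_id: str, redirect_uri: str, code: str) -> dict:
    """Step 4: form body for POST /oauth/token; code_verifier ties the code to this flow."""
    verifier = session.pop("pkce_verifier")       # single use as well
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


def map_account(userinfo: dict, accounts: dict) -> str:
    """Step 5: key the local account on sub; email and name are mutable attributes only."""
    key = f"openasa:{userinfo['sub']}"
    if key not in accounts:
        accounts[key] = {"email": userinfo.get("email"), "name": userinfo.get("name")}
    return key


def run_demo() -> str:
    """Walk the flow with a simulated provider; no network is used."""
    session, accounts = {}, {}
    client_id, redirect_uri = "your-client-id", "https://app.example/oauth/callback"
    url = start_login(session, client_id, redirect_uri, "openid profile email")
    print("redirect browser to:", url)
    # Constructed stand-in for the provider's redirect after consent.
    callback = f"{redirect_uri}?code=demo-code&state={session['oauth_state']}"
    code = handle_callback(session, callback)
    body = token_request(session, client_id, redirect_uri, code)
    print("POST", TOKEN_URL, "form body:", body)
    # Constructed stand-in for GET /oauth/userinfo with the access token.
    userinfo = {"sub": "user-123", "email": "person@example.com", "name": "Demo User"}
    return map_account(userinfo, accounts)


if __name__ == "__main__":
    print("local account key:", run_demo())
```

The two pop() calls make state and verifier single-use, so a replayed or second callback fails closed; the constant-time compare avoids leaking the stored state through timing. Because the account key is derived from sub alone, a later change of the user's email or display name at OpenASA does not create a second local account or let one user take over another's.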

API references

Common Setup Mistakes

  • redirect_uri used at runtime does not match the registered client metadata.
  • state is omitted or not verified on callback.
  • Code exchange is done on the browser side instead of a trusted backend.
  • Local account mapping is based on display name or email only, instead of stable sub.