# OAuth Authz Code HTTP Authentication with Escape

## Description
The 'OAuth Authorization Code HTTP' preset implements the OAuth 2.0 Authorization Code grant type (RFC 6749, Section 4.1) using only HTTP requests, without requiring a browser:
- HTTP-Only Flow: Uses direct HTTP requests to the authorization server for credential submission and code extraction.
- PKCE Support: Implements Proof Key for Code Exchange (RFC 7636) by default for enhanced security.
- Flexible Configuration: All OAuth parameters are configurable to work with different providers.
- Client Authentication: Supports multiple client authentication methods (Basic Auth, form data, or none for public clients).
- Token Management: Automatically handles access tokens and refresh tokens, injecting Bearer tokens into authenticated requests.
Performance: This authentication method is significantly faster than browser-based flows as it uses only HTTP requests without browser automation overhead.
Security: This flow maintains OAuth 2.0 security standards with PKCE protection against authorization code interception attacks, while supporting various client authentication methods.
Use Cases:
- API Testing: Ideal for automated testing scenarios where browser interaction is not desired
- Headless Environments: Perfect for server-side applications and CI/CD pipelines
- High-Throughput: Suitable for scenarios requiring many concurrent authentications
- Provider Compatibility: Works with OAuth providers that accept programmatic credential submission
Limitations:
- Cannot handle CAPTCHAs or other interactive challenges
- Does not work with providers that strictly require browser-based user interaction
- May not work with complex multi-step authentication flows that require JavaScript execution
Provider Examples: Works well with enterprise OAuth servers, API-first providers, and development/testing environments that support direct credential submission.
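The request sequence the preset automates, as an added example in Python (not Escape's own code): PKCE pair generation (RFC 7636, S256), the authorization request carrying the challenge and state, code extraction from the redirect with the state check a client must keep, and the token exchange under each supported client_auth_method. The actual HTTP calls and credential POST are left out so the block runs offline; hostnames and client ids are taken from the page's examples, and response_mode "query" is assumed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    if verifier is None:  # 32 random bytes -> 43-char URL-safe verifier
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorization_url(authorization_url, client_id, redirect_uri, scopes,
                            code_challenge, state, additional_auth_params=None):
    """Authorization request (RFC 6749 4.1.1) with the PKCE challenge and state attached."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    params.update(additional_auth_params or {})  # preset's additional_auth_params, e.g. tenant
    return f"{authorization_url}?{urlencode(params)}"

def extract_code(location, expected_state, redirect_uri):
    """Read the code from the redirect Location that follows the credential POST (response_mode
    "query" assumed). A foreign redirect URI, unexpected state or error response is rejected."""
    if not location.startswith(redirect_uri):
        raise ValueError("redirect went to a URI other than redirect_uri")
    qs = parse_qs(urlparse(location).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in qs:
        raise ValueError(f"authorization server returned error={qs['error'][0]}")
    return qs["code"][0]

def token_request(client_auth_method, client_id, client_secret, code, code_verifier, redirect_uri):
    """Body and headers of the token exchange (RFC 6749 4.1.3) for each client_auth_method."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth_method == "client_secret_basic":
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    elif client_auth_method == "client_secret_post":
        body.update(client_id=client_id, client_secret=client_secret)
    elif client_auth_method == "none":
        body["client_id"] = client_id  # public client: no secret, PKCE binds the code to it
    else:
        raise ValueError(f"unsupported client_auth_method: {client_auth_method}")
    return body, headers
```

The same verifier must be kept from the authorization request through to the token exchange; the server compares its S256 digest against the challenge it stored, which is what defeats an intercepted code.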
## Examples

A confidential client authenticating with client_secret_post; the second user requests its own scopes:

```yaml
presets:
  - response_type: code
    type: oauth_authz_code_http
    username_field: username
    authorization_url: https://auth.example.com/oauth/authorize
    token_url: https://auth.example.com/oauth/token
    client_auth_method: client_secret_post
    client_id: your_client_id
    client_secret: your_client_secret
    follow_redirects: true
    max_redirects: 10
    password_field: password
    redirect_uri: https://your-app.com/callback
    request_timeout: 30
    use_pkce: true
    scopes:
      - read
      - write
    users:
      - username: user1@example.com
        password: password123
      - username: admin@example.com
        password: admin_pass
        scopes:
          - admin
          - read
          - write
```
A public client (client_auth_method: none) with no client secret, relying on PKCE and requesting OpenID Connect scopes:

```yaml
presets:
  - response_type: code
    type: oauth_authz_code_http
    username_field: username
    authorization_url: https://public-auth.example.com/oauth/authorize
    token_url: https://public-auth.example.com/oauth/token
    client_auth_method: none
    client_id: public_client_id
    follow_redirects: true
    max_redirects: 10
    password_field: password
    redirect_uri: https://mobile-app.com/callback
    request_timeout: 30
    use_pkce: true
    scopes:
      - openid
      - profile
      - email
    users:
      - username: mobile_user@example.com
        password: mobile_pass
```
An enterprise provider with a separate login_endpoint, HTTP Basic client authentication, custom form field names and extra parameters and headers on the authorization, login and token requests:

```yaml
presets:
  - response_type: code
    type: oauth_authz_code_http
    username_field: email
    authorization_url: https://enterprise-auth.company.com/oauth/authorize
    token_url: https://enterprise-auth.company.com/oauth/token
    client_auth_method: client_secret_basic
    client_id: enterprise_client
    client_secret: enterprise_secret
    follow_redirects: true
    login_endpoint: https://enterprise-auth.company.com/login
    max_redirects: 10
    password_field: pwd
    redirect_uri: https://enterprise-app.company.com/callback
    request_timeout: 45
    use_pkce: true
    additional_auth_params:
      tenant: company
    additional_login_params:
      domain: company.com
    login_headers:
      X-API-Version: v2
      X-Tenant: company
    scopes:
      - corporate
      - read
      - write
    token_headers:
      X-Client-Version: '1.0'
    users:
      - username: employee@company.com
        password: employee_pass
        scopes:
          - employee
      - username: manager@company.com
        password: manager_pass
        scopes:
          - manager
          - read
          - write
```
## Extensive Configuration

Properties marked with * are required.

Property | Type | Default | Description |
---|---|---|---|
additional_auth_params | Dict[string, string] | null | Additional query parameters to include in the authorization request |
additional_login_params | Dict[string, string] | null | Additional form parameters to include in the login request |
additional_token_params | Dict[string, string] | null | Additional form parameters to include in the token exchange request |
authorization_headers | Dict[string, string] | null | Additional HTTP headers to include in the authorization request |
authorization_url * | string | | The OAuth 2.0 authorization endpoint URL where the authorization request will be sent |
client_auth_method | string | client_secret_post | Method for client authentication: "client_secret_basic" (HTTP Basic), "client_secret_post" (form data), "none" (public client) |
client_id * | string | | The OAuth 2.0 client identifier |
client_secret | string | null | The OAuth 2.0 client secret. Optional for public clients using PKCE. |
csrf_token_header | string | null | HTTP header name in which the CSRF token should be sent |
csrf_token_name | string | null | Name of the CSRF token field to extract from the login form |
display | string | null | OAuth 2.0 display parameter for UI preferences (page, popup, touch, wap) |
follow_redirects | boolean | true | Whether to follow HTTP redirects automatically |
login_endpoint | string | null | Specific endpoint for submitting login credentials. If not provided, authorization_url is used. |
login_headers | Dict[string, string] | null | Additional HTTP headers to include in the login request |
max_age | integer | null | OpenID Connect max_age parameter: maximum allowable authentication age in seconds |
max_redirects | integer | 10 | Maximum number of redirects to follow |
nonce | string | null | OpenID Connect nonce parameter for ID token validation |
password_field | string | password | The form field name for the password in the login request |
prompt | string | null | OpenID Connect prompt parameter (none, login, consent, select_account) |
redirect_uri * | string | | The redirect URI registered with the OAuth provider. Must match exactly. |
request_timeout | integer | 30 | Timeout in seconds for HTTP requests |
response_mode | string | null | How the authorization server should return the response. Options: "query", "form_post", "fragment" |
response_type | string | code | OAuth 2.0 response type. Should be "code" for the Authorization Code flow. |
scopes | List[string] | null | Default scopes to request for all users. Can be overridden per user. |
state | string | null | OAuth 2.0 state parameter for CSRF protection. If not provided, a random state is generated. |
token_headers | Dict[string, string] | null | Additional HTTP headers to include in the token exchange request |
token_url * | string | | The OAuth 2.0 token endpoint URL for exchanging authorization codes for access tokens |
type * | Const[oauth_authz_code_http] | oauth_authz_code_http | |
use_pkce | boolean | true | Whether to use PKCE (Proof Key for Code Exchange) for enhanced security. Recommended for all clients. |
username_field | string | username | The form field name for the username in the login request |
users * | List[OAuthAuthorizationCodeHTTPUserPreset] | | A list of users to authenticate using the OAuth Authorization Code HTTP flow |
## Objects

### OAuthAuthorizationCodeHTTPUserPreset

Property | Type | Default | Description |
---|---|---|---|
cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and into authenticated requests. |
headers | Dict[string, string] | null | Optional headers injected during the authentication process and into authenticated requests. |
password * | string | | The password of the user for the OAuth provider. |
query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and into authenticated requests. |
scopes | List[string] | null | A list of scopes to request for this specific user. If not specified, the preset default scopes are used. |
username * | string | | The username of the user. |