The authorization server will send the response to the callback url which will redirect to the app’s url scheme which will end up in the app’s delegate.
There needs to be a function in the framework that you can call and pass the url that was called and it will finish processing the response.
The redirect is built by starting with the redirect_uri in the request, and adding the following parameters to the query component of the redirect URL:
code - The authorization code generated by the authorization endpoint. The code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum lifetime of 10 minutes is recommended. See OAuth 2.0 Section 4.1.2 for additional requirements on the authorization code.
state - The state parameter MUST be set to the exact value that the client set in the request.
Upon the redirect back to the client, the client MUST verify that the state parameter in the request is valid and matches the state parameter that it initially created, in order to prevent CSRF attacks. The state value can also store session information to enable development of clients that cannot store data themselves.
See OAuth 2.0 [RFC6749] Section 4.1.2.1 for how to indicate errors and other failures to the user and client.
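A sketch of the function this issue asks for, added here as an example and not taken from the issue or the framework: it takes the callback URL the app received, checks it against the redirect_uri that was sent, verifies state, and returns the code. All type and function names, the `exampleapp://` scheme and the sample values are assumptions made for illustration.

```swift
import Foundation
// Hypothetical names throughout; this is not the framework's API.
enum AuthResponseError: Error {
    case malformedURL
    case unexpectedRedirect            // does not match the redirect_uri that was sent
    case duplicateParameter(String)    // ambiguous response: refuse instead of picking one
    case stateMismatch                 // missing or wrong state, possible CSRF
    case serverError(code: String, description: String?)  // RFC 6749 section 4.1.2.1
    case missingCode
}

/// Compares without stopping at the first differing byte.
func constantTimeEquals(_ a: String, _ b: String) -> Bool {
    let x = Array(a.utf8), y = Array(b.utf8)
    guard x.count == y.count else { return false }
    var diff: UInt8 = 0
    for i in 0..<x.count { diff |= x[i] ^ y[i] }
    return diff == 0
}

/// Validates the redirect the app received and returns the authorization code.
func finishAuthorization(callback: URL, redirectURI: URL, expectedState: String) throws -> String {
    guard let got = URLComponents(url: callback, resolvingAgainstBaseURL: false),
          let want = URLComponents(url: redirectURI, resolvingAgainstBaseURL: false)
    else { throw AuthResponseError.malformedURL }
    guard got.scheme?.lowercased() == want.scheme?.lowercased(),
          got.host?.lowercased() == want.host?.lowercased(),
          got.path == want.path
    else { throw AuthResponseError.unexpectedRedirect }
    // Only the response parameters are read; anything else in the query is ignored.
    let wanted: Set<String> = ["code", "state", "error", "error_description"]
    var params: [String: String] = [:]
    for item in got.queryItems ?? [] where wanted.contains(item.name) {
        guard params[item.name] == nil else { throw AuthResponseError.duplicateParameter(item.name) }
        params[item.name] = item.value ?? ""
    }
    // State is checked first, so a forged error response is rejected as well.
    guard let state = params["state"], constantTimeEquals(state, expectedState)
    else { throw AuthResponseError.stateMismatch }
    if let error = params["error"] {
        throw AuthResponseError.serverError(code: error, description: params["error_description"])
    }
    guard let code = params["code"], !code.isEmpty else { throw AuthResponseError.missingCode }
    return code
}

// Constructed sample values.
let redirect = URL(string: "exampleapp://auth/callback")!
let good = URL(string: "exampleapp://auth/callback?code=abc123&state=n0nce")!
let code = try finishAuthorization(callback: good, redirectURI: redirect, expectedState: "n0nce")
print(code)
```

The expected state should be a fresh random value generated per authorization request and discarded after one use, whether the check passes or fails.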
I just remembered, I think using ASWeb something or another (the OAuth controller) actually removes the need for a callback and it just returns the value. So the framework might not even have to deal with the app delegate
https://indieauth.spec.indieweb.org/#authentication-response