I am trying to call the Workday REST API in my .NET MVC application and am having trouble with the OAuth 2.0 aspect of it. Although in my case I am talking about Workday in particular, I think what I am not understanding can apply to any OAuth 2.0 enabled API. I am trying to use the Authorization Code Grant type.
My understanding of the flow for OAuth 2 is as follows:
1) I send a GET request to an authorize endpoint
2) The user has to log in using their credentials
3) At this point, a response is sent from the API with the Authorization Code Grant in the response
4) Now I can make a POST request to exchange the Authorization Code for an Access Token
5) A response is sent back with an Access Token
6) Now I can freely use that Access Token to make GET requests
Conceptually I understand this just fine, but technically, I am getting tripped up moving from step 1 to step 2:
I assume I make the GET request in step 1 from my server (since CORS policy won't allow it to come from my front-end). In that case, I have noticed that the response I get from the API is HTML with the login page on it. What is a typical process, then, for passing that HTML to the front-end, having the user log in and then moving on to step 3?
Furthermore, there is a field called Redirect URL in the API client configuration, which I assume is where the API will send the response with the Authorization Code Grant, and I also assume should be an action on my controller, but how do I get and consume that response on my page?
I hope this all makes sense.
I can't seem to wrap my head around this.
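The six steps listed in the question, traced end to end as an added example (this is not code from the question, from Workday, or from any .NET library). The authorize endpoint, client id/secret and redirect URI are placeholder values, the `scope` and PKCE parameters a real provider may require are left out, and a small in-process stand-in plays the authorization server so the flow runs offline. The shape is the one an MVC app needs: one controller action answers the user's request with a 302 to the authorize URL (the server never fetches the login page itself), and the registered Redirect URL is a second action that receives `code` and `state` in its query string, checks `state` against the user's session, and does the step 4 POST from the server so the client secret never reaches the browser.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Placeholder endpoint and client registration (assumed values, not Workday's).
# REDIRECT_URI is the "Redirect URL" registered with the provider; in an MVC app
# it is the route of the controller action that receives the callback.
AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/authorize"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"  # server-side only, never sent to the browser
REDIRECT_URI = "https://app.example.com/oauth/callback"


class OAuthError(Exception):
    pass


def build_authorize_redirect(session):
    """Step 1. The server does not GET this URL itself: it answers the user's
    request with a 302 whose Location is this URL, so the browser loads the
    provider's login page. The random state is kept in the user's session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["oauth_state"],
        # If the provider supports PKCE (RFC 7636), add code_challenge here too.
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(url):
    """Query parameters the redirect-URI action receives from the browser."""
    return dict(parse_qsl(urlsplit(url).query))


def handle_callback(session, query):
    """Step 3. Accept the code only if state matches what this session issued
    (otherwise an attacker can plant their own code: CSRF on the callback)."""
    expected = session.pop("oauth_state", None)
    if "error" in query:
        raise OAuthError(query["error"])
    got = str(query.get("state", "")).encode()
    if expected is None or not secrets.compare_digest(expected.encode(), got):
        raise OAuthError("state mismatch")
    return query["code"]


def build_token_request(code):
    """Step 4. Form body of the back-channel POST to the token endpoint, sent
    server-to-server so the client secret never reaches the browser."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


def bearer_header(token_response):
    """Steps 5-6. Check the token response and build the header for API calls."""
    if "error" in token_response:
        raise OAuthError(token_response["error"])
    if token_response.get("token_type", "").lower() != "bearer":
        raise OAuthError("unexpected token_type")
    return {"Authorization": "Bearer " + token_response["access_token"]}


class FakeProvider:
    """Constructed stand-in for the authorization server so this runs offline."""

    def __init__(self):
        self.codes = {}

    def authorize(self, login_url):
        """Step 2. The user logs in; the provider redirects the browser back."""
        q = parse_callback(login_url)
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["redirect_uri"]
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form):
        uri = self.codes.pop(form.get("code"), None)  # codes are single-use
        if uri is None or uri != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        if form.get("client_secret") != CLIENT_SECRET:
            return {"error": "invalid_client"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}


def run_flow(provider=None):
    """Drive all six steps for one user session; returns the API request header."""
    provider = provider or FakeProvider()
    session = {}                                   # this user's server-side session
    login_url = build_authorize_redirect(session)  # 1: reply to the browser with 302 -> login_url
    callback_url = provider.authorize(login_url)   # 2-3: browser arrives back at REDIRECT_URI
    code = handle_callback(session, parse_callback(callback_url))
    token_response = provider.token(build_token_request(code))  # 4-5: server-side POST
    return bearer_header(token_response)           # 6: send on every API GET
```

In a real deployment `session` is the framework's per-user session store, `provider.authorize` is the user's browser following the 302 and coming back, and `provider.token` is an HTTPS POST from the server to the provider's token endpoint; the `state` check and the single-use code are what stop a forged or replayed callback from logging one user in as another.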