I need to create my own OAuth provider to validate third-party application requests; I do not want to use the Google, Twitter, LinkedIn or Microsoft providers. I have to create my
As Roland said, if you get through the spec it's pretty straightforward.
At a high level, this is what you will need to do to support the AuthCode grant pattern:
Assuming: your application owns the users.
When the client hits the authorize endpoint like below:
/authorize?response_type=code&client_id=<clientID>&state=xyz&redirect_uri=http://thirdparty.com
Sample callback here:
https://thirdparty.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
The client will then call the /token URI with the authcode, something like below:
/token?grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=http://thirdparty.com
Generate a token, store it against the clientID and UserId, and respond back with the token. Something like below:
```json
{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
```
When the 3rd party accesses your services/resources, validate the token against the client and user ID and grant or deny access.
This is to get started, but there can be a lot more customization you can do with scopes and other OAuth2 patterns.
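The three steps above (authorize, token exchange, resource validation) as one in-memory authorization server, written here as an added example rather than code from the answer. The registered client `client123` with secret `s3cret`, the user `alice` and the callback `https://thirdparty.com/cb` are constructed sample data. The example treats the /token call as carrying POST parameters plus client credentials, as RFC 6749 describes, and adds the checks a provider needs beyond the outline: the redirect_uri must be pre-registered and must match between the two requests, the code is short-lived and single-use, a replayed code is denied and the token minted from it is revoked, and the client secret is compared in constant time.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample registrations (hypothetical values, not real credentials).
CLIENTS = {
    "client123": {"secret": "s3cret", "redirect_uris": {"https://thirdparty.com/cb"}},
}

CODE_TTL = 60      # seconds an authorization code stays valid
TOKEN_TTL = 3600   # matches the expires_in in the sample response above


@dataclass
class AuthCode:
    client_id: str
    user_id: str
    redirect_uri: str
    expires_at: float
    issued_token: Optional[str] = None   # set once the code has been exchanged


@dataclass
class Token:
    client_id: str
    user_id: str
    expires_at: float


class AuthServer:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.codes: dict = {}     # code -> AuthCode
        self.tokens: dict = {}    # access_token -> Token

    def authorize(self, response_type, client_id, redirect_uri, state, user_id):
        """Step 1: /authorize. user_id is the already-authenticated, consenting user.
        Returns the Location the user-agent is redirected to."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            # Never redirect to an unregistered URI; show an error to the user instead.
            raise ValueError("unknown client or unregistered redirect_uri")
        if response_type != "code":
            return redirect_uri + "?" + urlencode({"error": "unsupported_response_type", "state": state})
        code = secrets.token_urlsafe(16)
        # Bind the code to client, user and redirect_uri so the /token step can re-check them.
        self.codes[code] = AuthCode(client_id, user_id, redirect_uri, self.now() + CODE_TTL)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, grant_type, code, redirect_uri, client_id, client_secret):
        """Step 2: /token. Exchange a code for an access token, or return an OAuth error object."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        ac = self.codes.get(code)
        if ac is None:
            return {"error": "invalid_grant"}
        if ac.issued_token is not None:
            # Replayed code: deny, and revoke the token previously issued from it.
            self.tokens.pop(ac.issued_token, None)
            del self.codes[code]
            return {"error": "invalid_grant"}
        if ac.client_id != client_id or ac.redirect_uri != redirect_uri or ac.expires_at < self.now():
            return {"error": "invalid_grant"}
        access = secrets.token_urlsafe(16)
        ac.issued_token = access
        self.tokens[access] = Token(client_id, ac.user_id, self.now() + TOKEN_TTL)
        return {"access_token": access, "token_type": "Bearer", "expires_in": TOKEN_TTL}

    def validate(self, access_token):
        """Step 3: resource access. Return (client_id, user_id) the token was issued to, or None to deny."""
        t = self.tokens.get(access_token)
        if t is None or t.expires_at < self.now():
            return None
        return t.client_id, t.user_id


def callback_params(location):
    """Parameters the third party receives on its callback URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}


if __name__ == "__main__":
    srv = AuthServer()
    cb = callback_params(srv.authorize("code", "client123", "https://thirdparty.com/cb", "xyz", "alice"))
    resp = srv.token("authorization_code", cb["code"], "https://thirdparty.com/cb", "client123", "s3cret")
    print(resp, srv.validate(resp["access_token"]))
```

The `now` parameter exists only so expiry can be driven from a test; in a real deployment the code and token stores would be a database keyed by the values shown, and the resource server would look tokens up the same way `validate` does.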