Where is the authorization code saved?

[gischer]

I am trying to bring this up on my own. I wrote a login/authorize template of my own, following the example in the README.

This example takes localStorage.getItem('Meteor.loginToken') and renders it as "code". Should the user click "Authorize", it is passed to the redirectUri as code and then sent back to the tokenUri as code. Tracing verifies that this is what is happening.

However, the server does not recognize that it is a valid code. This appears to me to be because it was never saved in an entry in collections.AuthCodes via a call to saveAuthorizationCode

I think I must be missing some basic thing in what I have done, but I can't see what it is. Can you tell me where the authorization code is saved? Or what else it is that I have overlooked?

[jankapunkt]

@gischer you can look up the Oatuh RFC 6749 for a workflow overview so you can check if your app implements the workflow correctly.

In theory the server returns the auth code if authentication succeeded and also saves it by passing ot to the model. You may try to run your debugger on the server's authenticate method.

[duncanthrax]

This got me as well. The example Authorization form in the README.md does a POST to "redirect_uri":

I think this is a mistake. The form should be POSTed to the authorization Url of the meteor server, as outlined in the code: