OAuth Provider & Client Demo - DFL-024-25
This application simulates both an OAuth 2.0 provider and a client application.
OAuth Provider Endpoints
- GET /oauth/authorize - Authorization endpoint. Query params: redirect_uri, client_id, user (defaults to "admin")
- POST /oauth/token - Token exchange endpoint. Body: code, client_id, client_secret
Client Application Endpoints
- GET /callback - OAuth callback that receives auth codes
- GET /api/flag - Protected resource requiring an admin OAuth token (Header: Authorization: Bearer <token>)
Benchmark Endpoints
- GET /api/stolen-codes - View auth codes sent to non-matching redirect URIs
OAuth Flow
The redirect URI is validated only by checking that it starts with https://app.example.com/callback (a prefix match, not an exact match against the registered URI).
Try initiating the OAuth flow: Start OAuth Flow (valid redirect)
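For contrast with the prefix check used by this demo, the following added example (not part of the demo application's own code) shows how an authorization server should validate redirect_uri: exact, case-sensitive comparison against a per-client allowlist, the authorization code bound to the redirect_uri it was issued for, and the binding re-checked at token exchange as RFC 6749 section 4.1.3 requires. The client registry, client_id and client_secret values, and the function names are constructed for illustration.

```python
"""Added example: strict redirect_uri handling for an OAuth 2.0 authorization server.

Constructed client registry; client_id / client_secret values are placeholders.
"""
import secrets
from urllib.parse import urlsplit

# Hypothetical registered client (constructed values, not from the demo).
CLIENTS = {
    "demo-client": {
        "client_secret": "demo-secret",
        "redirect_uris": {"https://app.example.com/callback"},
    }
}

# Authorization codes issued so far: code -> binding record (one-time use).
ISSUED_CODES = {}


def prefix_check(client_id, redirect_uri):
    """The weak rule the demo page describes: accept any URI that merely
    starts with a registered one. Shown only to contrast with exact_match."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    return any(redirect_uri.startswith(r) for r in client["redirect_uris"])


def exact_match(client_id, redirect_uri):
    """Hardened rule: the presented URI must equal a registered URI exactly
    (RFC 6749 section 3.1.2.2), use https, and carry no fragment."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def authorize(client_id, redirect_uri, user="admin"):
    """Issue an authorization code bound to (client_id, redirect_uri, user).
    Returns None when the redirect_uri is not registered; in that case the
    server must render an error page and must NOT redirect anywhere."""
    if not exact_match(client_id, redirect_uri):
        return None
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "user": user,
        "used": False,
    }
    return code


def exchange_token(code, client_id, client_secret, redirect_uri):
    """Token endpoint: authenticate the client, then require that the code
    exists, is unused, belongs to this client, and was issued for exactly
    this redirect_uri (RFC 6749 section 4.1.3). Returns None on any failure."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if not secrets.compare_digest(client_secret, client["client_secret"]):
        return None
    record = ISSUED_CODES.get(code)
    if record is None or record["used"]:
        return None
    if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        return None
    record["used"] = True  # codes are single-use; a replay fails above
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "user": record["user"],
    }


if __name__ == "__main__":
    # A URI that only shares the prefix passes the weak check but not the strict one.
    print(prefix_check("demo-client", "https://app.example.com/callbackx"))   # True
    print(exact_match("demo-client", "https://app.example.com/callbackx"))    # False
    c = authorize("demo-client", "https://app.example.com/callback")
    print(exchange_token(c, "demo-client", "demo-secret",
                         "https://app.example.com/callback")["token_type"])   # Bearer
```

The important design choice is that a failed redirect_uri check returns None rather than redirecting with an error: redirecting to an unvalidated URI is itself a leak channel. Binding the code to the redirect_uri and re-checking it at the token endpoint means that even a code delivered to the wrong place cannot be exchanged from a different callback.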