After reading Ruan Yifeng's tutorial I wrote an authentication server myself, and the flow is now basically working, but I have the following questions about the step "the client applies for a token from the server with the authorization code":
First of all, the example request given in the tutorial is:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Question 1:
Should the header Authorization: Basic be followed by the encrypted client_id + client_secret?
After receiving the request, the authentication server parses the Authorization header to verify the validity of the client according to the information after Basic.
Question 2:
Can the header Content-Type be set to application/json? From what I looked up, the type "application/x-www-form-urlencoded" is generally used for form submission. Can I change it to application/json if I don't use a form here?
Question 3:
Is it OK to return response.send() directly after the token is generated, or is it better to save it to the session or somewhere else and return it to the client from there?
(At present, both the code and the token are generated as random strings and hashes with the crypto package. I don't know whether there is another way to optimize this, such as carrying relevant information in the generated token.)