Hi,

I've been reviewing the auth-advanced proxy. The example works but I have a couple questions and comments:

1) Is this example following the oAuth 2.0 spec for the auth-code flow? The reason I ask is because it seems the login page is requesting the auth-code on behalf of the client app. How does the login page know which client-id to send? In the scenario where we are supporting many third party apps, where does the login page obtain the client id and how would it know the app redirect URL? I take it the client-id would be sent from the clientapp to the login page as a client-id parameter?

2) Reading the oAuth 2 spec, the client app should send a request of response_type=code to /authorize and then the auth server should redirect to a login page for the user to login and authorize. Then, after success, the login page redirects results back to auth server where the auth server would generate and return the code to the client? Perhaps I misunderstand the spec? If my understanding is correct, as google has for it's API here, then the Apigee example is incorrect: https://developers.google.com/identity/protocols/OAuth2WebServer#preparing-to-start-the-oauth-20-flo...

Not trying to be confrontational but just want to ensure I understand correctly and for the benefit of the community. To me, the Apigee oAuth 2.0 example works fine for in-house applications but in setting up a developer program where we want to support multiple developer apps (each having a different client id), it doesn't seem to work. Again, perhaps it is my misunderstanding? At a minimum, the client apps would need to send their client id to the login app. Or we could probably create a /login api that would require the client id and redirect the user to the login page while forwarding the client id and redirect url. In the latter instance, the login app would again call the /auth on behalf of the client -- which seems incorrect (again, could be my misunderstanding of the Apigee implementation).

Regards,

Robert