Hi Victoria,
I'm not sure if maybe you're looking at the callback URL the wrong way around. This is the typical OAuth flow:
User Initiates Authentication:
- The user attempts to access a resource or service (e.g., logging into an app or accessing data) that requires authentication.
Request Authorization:
- The application (client) redirects the user to the authorization server, along with details about the requested access (such as the type of data the application wants access to). This includes the client ID, the scope of access, the redirect URI, and the response type (e.g., code for authorization code flow).
User Grants Authorization:
- The user is prompted by the authorization server (e.g., Google, Facebook) to grant or deny the requested access. If the user agrees, they approve the requested access to their data.
Authorization Server Issues Authorization Code:
- If the user grants access, the authorization server redirects the user back to the application’s specified redirect URI with an authorization code.
Application Requests Access Token:
- The application exchanges the authorization code for an access token by making a request to the authorization server's token endpoint. This request includes the authorization code, the client ID, client secret, and redirect URI.
Authorization Server Returns Access Token:
- If the request is valid, the authorization server responds with an access token (and optionally a refresh token). The access token allows the application to access the user’s data.
Accessing Protected Resource:
- The application uses the access token to make authenticated API requests to the resource server (e.g., accessing the user's data). The server validates the token and, if valid, returns the requested resource.
Refreshing Access Token (if applicable):
- If the access token expires, the application can use the refresh token (if granted) to request a new access token without requiring the user to reauthorize.
The same principles are present in something like Power Automate or even using Python from your own laptop (if you Google using Flask in Python, or search for a video guide on YouTube, you'll see there are any number of ways of using OAuth, but the redirect is kind of essential as that is where the auth comes from). The documentation for the Canvas Data 2 API is also very good at explaining this, but it is essentially about acquiring a token via an auth provider to do some work with, so there are always redirects/callbacks involved. Hopefully I've not missed the point of your post! You can also dig into Microsoft's guides on this: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow - this specifically mentions mobile and desktop apps.
Chris
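The eight steps Chris lists above, traced end to end in Python as an added example (this is not Chris's code, nor anything from the Canvas Data 2 or Microsoft documentation). The authorization server is an in-memory stand-in so the redirect/callback round trip can be followed offline; the client ID, secret, endpoint and redirect URI are constructed sample values. It also shows the three checks that make the redirect safe rather than just "where the auth comes from": the `state` value must match the request the client started, the redirect URI must exactly match one registered for the client, and an authorization code is single-use and bound to the client and redirect URI it was issued for.

```python
"""Simulation of the OAuth 2.0 authorization code flow described in the reply
above.  Added example; the authorization server is a hypothetical in-memory
stand-in, and every identifier below is a constructed sample value."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample registration: one client and its one allowed redirect URI.
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"
REDIRECT_URI = "http://localhost:8080/callback"
AUTH_ENDPOINT = "https://auth.example/authorize"


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scope, state):
    """Step 2 (Request Authorization): the URL the client sends the browser to."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{auth_endpoint}?{urlencode(params)}"


class MockAuthorizationServer:
    """Stand-in for the provider (Google, Entra ID, Canvas ...)."""

    def __init__(self):
        # client_id -> (client secret, set of exactly-registered redirect URIs)
        self.clients = {CLIENT_ID: (CLIENT_SECRET, {REDIRECT_URI})}
        self.codes = {}  # issued code -> the grant it represents

    def authorize(self, client_id, redirect_uri, scope, state, user_approves=True):
        """Steps 3-4: user consents, server redirects back with a code."""
        _, allowed = self.clients.get(client_id, (None, set()))
        if redirect_uri not in allowed:
            # Exact match against the registration; never redirect elsewhere.
            raise ValueError("redirect_uri not registered for this client")
        if not user_approves:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "expires": time.time() + 60}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, code, client_id, client_secret, redirect_uri):
        """Steps 5-6: back-channel exchange of the code for an access token."""
        secret, _ = self.clients.get(client_id, (None, set()))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # single use: a replayed code fails
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("invalid_grant")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            # The code is bound to the client and redirect URI it was issued for.
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"],
                "refresh_token": secrets.token_urlsafe(32)}


def parse_callback(callback_url, expected_state):
    """The client's redirect handler: verify state, then extract the code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not the request this client started")
    if "error" in query:
        raise PermissionError(query["error"][0])
    return query["code"][0]


def run_flow(server, scope="read:data", user_approves=True):
    """Drive the whole flow for one user and return the token response."""
    state = secrets.token_urlsafe(16)  # fresh per request, ties callback to request
    auth_url = build_authorization_url(AUTH_ENDPOINT, CLIENT_ID, REDIRECT_URI, scope, state)
    assert urlparse(auth_url).netloc == urlparse(AUTH_ENDPOINT).netloc
    # The user's browser follows auth_url; the provider then redirects back:
    callback_url = server.authorize(CLIENT_ID, REDIRECT_URI, scope, state, user_approves)
    code = parse_callback(callback_url, state)
    return server.token(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)


if __name__ == "__main__":
    print(run_flow(MockAuthorizationServer()))
```

Running it prints a token response like the one a real provider returns; swap `MockAuthorizationServer` for HTTP requests to a real token endpoint and `parse_callback` for a Flask route on the registered redirect URI and the shape of the code is the same.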