I am by no means an OAuth2 expert and am open to suggestions. OK, I have set up an OAuth2 server and I am having a problem deciding on the flow when registering a new user from an application.
The user registration form sits on the client and not on the oauth2 server.
1. User goes to example.com/register
2. User fills in the form and clicks send
3. I send a request to my OAuth2 server with the client_credentials grant and scope to receive a token on behalf of the client/app.
4. I send a request to POST /users/register with the form values using the token from the previous request.
5. If registration has failed I list the validation rules in a JSON array.
6. If registration was successful I use the scope originally used to generate the new access token for the user. This is then returned. The user is also flagged as inactive in the DB.
7. I have to activate the user somehow and send a request to GET /users/activate using my user token from the previous request.
My question is, does this flow sound right, and what should I send as the link in the activation email?
Your response would be appreciated.
After point 6, when the new user is created, the back-end should create some unique string or code (a token or hash) which is used to activate the user. Then the email could contain a link like /users/activate/(token or hash), with the token appended to the URL as a path parameter. Now when the user clicks it, it makes a GET request to your endpoint with the unique hash or token, and the back-end can identify the hash or token and activate the user to whom it belongs. So the token or hash has a one-to-one relation with the user and can be used only once; when it is used it is deleted from the DB.
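One way to implement the activation token described in the answer above, as an added example that is not code from the original post or from either poster. It is plain Python with an in-memory dict standing in for the users and activation-token tables; the class and method names (`ActivationStore`, `register`, `activate`) are invented for illustration. It goes slightly beyond the answer in three ways a practitioner would want: the DB side stores only a SHA-256 digest of the token, so a leaked table does not yield usable activation links; each token carries an expiry; and re-registering the same user replaces any earlier token, keeping the one-to-one relation.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingActivation:
    """One row of the (hypothetical) activation_tokens table."""
    user_id: int
    expires_at: float  # unix timestamp


class ActivationStore:
    """In-memory stand-in for the users table plus an activation_tokens table.

    Names and layout are invented for this example; a real back-end would
    keep the same two pieces of state in its database.
    """

    def __init__(self, ttl_seconds: int = 24 * 3600):
        self.ttl = ttl_seconds
        self.active: Dict[int, bool] = {}              # user_id -> activated?
        self.pending: Dict[str, PendingActivation] = {}  # sha256(token) -> row

    @staticmethod
    def _digest(token: str) -> str:
        # Only the digest is persisted; the raw token exists solely in the email link.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def register(self, user_id: int, now: Optional[float] = None) -> str:
        """Create the user as inactive and return the raw single-use token."""
        now = time.time() if now is None else now
        self.active[user_id] = False
        # One token per user: drop any earlier token issued to the same user.
        self.pending = {d: p for d, p in self.pending.items() if p.user_id != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[self._digest(token)] = PendingActivation(user_id, now + self.ttl)
        return token

    @staticmethod
    def activation_link(base_url: str, token: str) -> str:
        """Build the link to put in the email; the token rides as a path parameter."""
        return f"{base_url.rstrip('/')}/users/activate/{token}"

    def activate(self, token: str, now: Optional[float] = None) -> Optional[int]:
        """Handle /users/activate/<token>. Returns the user_id on success, else None."""
        now = time.time() if now is None else now
        # pop() makes the token single-use: it is removed whether or not it is valid,
        # and lookup by digest means the raw token is never compared directly.
        entry = self.pending.pop(self._digest(token), None)
        if entry is None or now > entry.expires_at:
            return None
        self.active[entry.user_id] = True
        return entry.user_id


if __name__ == "__main__":
    store = ActivationStore(ttl_seconds=3600)
    tok = store.register(42)
    print(ActivationStore.activation_link("https://example.com", tok))
    print("activated user:", store.activate(tok))   # 42
    print("second use:", store.activate(tok))        # None
```

The verification step in `activate` is a dictionary lookup on the digest, so there is no string comparison of the secret itself and nothing for a timing attack to measure. Expired tokens are discarded on the first lookup rather than swept by a cron job, which is enough for a small table; a busy system would also purge rows past `expires_at` periodically.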