For this grant type (see the 'OAuth Grant Types' section), your application has to redirect users to the Authorization URL of Passolution's Authorization Server with the following parameters:
| Parameter | Description |
|---|---|
| client_id | Your OAuth Client ID |
| redirect_uri | Redirect URL that you provided us when requesting OAuth details for your application. |
| response_type | The 'response_type' parameter must be set to 'code' for the Authorization Code Grant Type. |
| scope | The 'scope' parameter must be set to '*' to request access to all API resources. |
| state | The 'state' parameter must contain a random string that you store in the user's session and verify later when handling the authorization response received on your Redirect URL endpoint (the URL sent as the redirect_uri parameter). |
State parameter code logic example:

```
const userState = RandomString::generate(); // unguessable, generated per login attempt, eg: G8TZWEjUmuWFZgtHZ5gs
UserSession::set('user-oauth-state', userState); // kept server-side so it can be checked on the callback
Redirect::toUrl('https://web.passolution.eu/oauth/authorize?...&state=' + userState);
```

Example:

https://web.passolution.eu/oauth/authorize?client_id=your-client-id&redirect_uri=https://your-website.example.com/handle-oauth-authorization&response_type=code&scope=%2A&state=random-state-for-user

At this stage, on our Authorization Server, the user will be asked to log in (if not already logged in) and can then decide whether to allow your application access. Once they allow access, they will be redirected to your Redirect URL with the following parameters:
| Parameter | Description |
|---|---|
| state | This is the random string that you sent when redirecting the user to the Authorization Server. You should have stored it in the user's session and must now confirm that the value received matches the stored value. |
| code | This is the authorization code that you can use to obtain an access token, as explained in the next step. |
Example:

https://your-website.example.com/handle-oauth-authorization?state=random-state-that-was-sent-for-user&code=authorization_code

State parameter verification logic example:

```
// stored earlier when redirecting the user for login
const userState = UserSession::get('user-oauth-state');
const receivedState = Url::getParameter('state');
// both values must be present and identical; a missing stored state must fail, not pass
if (userState && receivedState && userState === receivedState) {
    // exchange the authorization code for an Access Token as described below.
} else {
    throw Exception('OAuth Login: Invalid state parameter received.');
}
```

To exchange the authorization code (the 'code' parameter received on the Redirect URL) for an Access Token and Refresh Token for the user, you have to make a POST request to the Authorization Server's Token URL (https://web.passolution.eu/oauth/token), eg:
```http
POST https://web.passolution.eu/oauth/token
Content-Type: application/json

{
  "client_id": "your-client-id",
  "client_secret": "your-client-secret",
  "grant_type": "authorization_code",
  "redirect_uri": "https://your-website.example.com/handle-oauth-authorization",
  "code": "authorization-code"
}
```

The data fields used in the request body above are described below:
| Parameter | Description |
|---|---|
| client_id | Your OAuth Client ID |
| client_secret | Your OAuth Client Secret. It must not be stored outside of your secure servers (never in a browser or mobile client). |
| grant_type | The 'grant_type' field must be set to 'authorization_code' for the Authorization Code Grant Type. |
| redirect_uri | Redirect URL of the endpoint where the authorization response was received. |
| code | The authorization code received as the 'code' parameter on your Redirect URL endpoint. |
The Token URL endpoint will respond with a JSON response containing the following fields:

```json
{
  "expires_in": 31536000,
  "access_token": "eyJ...",
  "refresh_token": "def..."
}
```

| Parameter | Description |
|---|---|
| expires_in | Number of seconds after which the access token will expire. |
| access_token | Access Token for the user. |
| refresh_token | Refresh Token for the user, which can be used to obtain a new Access Token before expiry. |
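The three steps above (redirect with a stored state, state verification on the callback, and the code-to-token exchange) as one added Python example; this is not Passolution's own code. The user session is modelled as a dict and the HTTP transport is injectable so the flow can be exercised without network access; the client id, client secret and Redirect URL are placeholders.

```python
import hmac
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://web.passolution.eu/oauth/authorize"
TOKEN_URL = "https://web.passolution.eu/oauth/token"


def build_authorize_url(client_id, redirect_uri, session):
    """Step 1: store a fresh random state in the user's session (a dict here) and build the redirect URL."""
    state = secrets.token_urlsafe(24)                 # unguessable, one value per login attempt
    session["user-oauth-state"] = state
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "*", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)    # urlencode sends scope as %2A


def handle_callback(callback_url, session):
    """Step 2: on the Redirect URL, check the returned state against the stored one and return the code."""
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [""])[0]
    expected = session.pop("user-oauth-state", "")    # consumed, so the same callback cannot be replayed
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("OAuth Login: Invalid state parameter received.")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("OAuth Login: authorization code missing.")
    return code


def exchange_code(client_id, client_secret, redirect_uri, code, post=None):
    """Step 3: POST the JSON body to the Token URL; `post(url, body)` is injectable for offline use."""
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authorization_code",
            "redirect_uri": redirect_uri, "code": code}
    response = (post or _post_json)(TOKEN_URL, body)
    missing = [k for k in ("expires_in", "access_token", "refresh_token") if k not in response]
    if missing:
        raise ValueError("Token response missing fields: " + ", ".join(missing))
    return response


def _post_json(url, body):
    """Real transport: application/json POST, which is what the Token URL expects."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

The stored state is removed from the session when it is checked, so a second request carrying the same state fails the check instead of starting a second exchange.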