OAuth - user access

Authorization code

1. Getting the authorization code

To obtain the authorization code, which is then exchanged for tokens, the user must be redirected to:

https://[authorization_server_url]/oauth/authorize?redirect_uri=[redirect_uri]&client_id=[client_id]&response_type=code
[authorization_server_url] – authorization server address, e.g. auth.gearcode.eu
[client_id] – identifier of the application (1) to which the user logs in. The application must be created in GC.AUTH beforehand.
[redirect_uri] – the URL to which the authorization code will be delivered. This address must be added to the list of allowed addresses beforehand (2).

After the user successfully logs into GC.AUTH, they are redirected to the [redirect_uri] address, with the authorization code appended as a query parameter.
For the application described above, the request and the resulting redirect look as follows:

https://[authorization_server_url]/oauth/authorize?redirect_uri=https%3A%2F%2Fmy.sample.webapp.com%2Fauth-callback&client_id=sample.webapp.fe9d3e203b164c7e8896369673003291&response_type=code
https://my.sample.webapp.com/auth-callback?code=XC3pJl56JP_N8VET3x...pY7h7XCjw

2. Exchanging the authorization code for tokens
To exchange the authorization code for tokens, send the following HTTP request over a secure channel*:

POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

code=[code]&grant_type=authorization_code&client_id=[client_id]&client_secret=[client_secret]&resource_id=[client_id]

[client_secret] – secret key of the application; it must be stored securely and never exposed to the user agent. The key can be obtained in GC.AUTH (1).

If the submitted data is correct then token information is returned in the response:
{
    "access_token": "eyJhbGciOi…cP6zb4",
    "token_type": "bearer",
    "expires_in": 899,
    "refresh_token": "ILLu1L5ks…8DZQ"
}

* By secure channel is meant server-to-server communication, with the user agent (browser) completely excluded from this exchange.

Refresh token

The acquired access_token expires after expires_in seconds and should be periodically refreshed using the refresh_token. To do this, send the following HTTP request:

POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=[refresh_token]&client_id=[client_id]&resource_id=[client_id]&client_secret=[client_secret]

If the submitted data is correct then token information is returned in the response:

{
    "access_token": "eyJhbGciOi…ZWU1Y2U0",
    "token_type": "bearer",
    "expires_in": 899,
    "refresh_token": "mKhyYrlh…xWIyp"
}
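The whole flow above (building the authorize URL, reading the code from the callback, the code-for-token exchange and the refresh request) as an added Python example; this is not GC.AUTH's own code. The client id, redirect URI, secret and token values are constructed placeholders, and the request bodies are returned as strings rather than sent, so the example runs offline:

```python
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders (added example, not GC.AUTH's own code).
AUTH_SERVER = "auth.gearcode.eu"
CLIENT_ID = "sample.webapp.fe9d3e203b164c7e8896369673003291"
CLIENT_SECRET = "CLIENT_SECRET_FROM_GC_AUTH"  # placeholder; load from a secret store, never ship to the browser
REDIRECT_URI = "https://my.sample.webapp.com/auth-callback"

def authorize_url(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI, server=AUTH_SERVER):
    """Step 1: the URL the user agent is redirected to (redirect_uri must be allow-listed in GC.AUTH)."""
    query = urlencode({"redirect_uri": redirect_uri, "client_id": client_id, "response_type": "code"})
    return f"https://{server}/oauth/authorize?{query}"

def code_from_callback(callback_url, redirect_uri=REDIRECT_URI):
    """Pull ?code= out of the callback; reject a callback that did not land on the registered redirect_uri."""
    parts = urlsplit(callback_url)
    if parts._replace(query="", fragment="").geturl() != redirect_uri:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    codes = parse_qs(parts.query).get("code")
    if not codes or not codes[0]:
        raise ValueError("no authorization code in callback")
    return codes[0]

def exchange_code_body(code, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Step 2: form body for POST /oauth/token, sent server-to-server only (it carries client_secret)."""
    return urlencode({"code": code, "grant_type": "authorization_code", "client_id": client_id,
                      "client_secret": client_secret, "resource_id": client_id})

def refresh_body(refresh_token, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Form body for the refresh_token grant against the same /oauth/token endpoint."""
    return urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "resource_id": client_id, "client_secret": client_secret})

def parse_token_response(body, now=None):
    """Convert the JSON reply into a record with an absolute expiry so refresh can be scheduled."""
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    now = time.time() if now is None else now
    return {"access_token": data["access_token"], "refresh_token": data["refresh_token"],
            "expires_at": now + int(data["expires_in"])}

def needs_refresh(tokens, now=None, margin=60):
    """True when the access_token is within `margin` seconds of expiry (expires_in is 899 s above)."""
    now = time.time() if now is None else now
    return now >= tokens["expires_at"] - margin
```

Refreshing ahead of expiry with a margin avoids a burst of failed requests at the moment the 899-second access_token lapses, and keeps the secret-bearing refresh request on the server side.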