Authorization Code Flow

The Authorization Code Flow involves an application directing the user to an authentication page where they can log in and authorize the application. After successful authorization, the application receives an authorization code, which it then exchanges for an access token. This method is particularly well-suited for client-facing applications that require user interaction, such as web and mobile apps. Originally designed for situations where an application acts on behalf of a user, the Authorization Code Flow ensures that the user's credentials are not exposed to the application and provides an additional layer of security through the authorization code step.

Prerequisite

To initiate the authorization code flow, it is essential to ensure that a redirect URL is configured in your application. This redirect URL is used to redirect the user back to your application after the authorization process.

Flow


Step 1: Request for Authorization Code

GET /v1/oauth/authorize

| Parameter | Type | Required | Description |
|---|---|---|---|
| client_id | String | O | The client ID of the application. |
| response_type | String | O | code |
| redirect_uri | String | O | The redirect URI of the application. If you registered multiple redirect URIs, you must select one of them. |

Step 2: Capture Authorization Code

Once the user logs in successfully, DottedSign redirects the user to the redirect_uri that was passed as a parameter in the authorization request. The redirect_uri sent in the authorize request and the one sent in the token request below must match exactly; a mismatch is treated as a failed authorization. The URL to which the user is redirected carries the temporary authorization code in its query string.

Step 3: Exchange Authorization Code for Access Token

POST /v1/oauth/token

| Parameter | Type | Required | Description |
|---|---|---|---|
| client_id | String | O | Client ID for the application. |
| client_secret | String | O | Client secret for the application. |
| grant_type | String | O | authorization_code |
| code | String | O | The authorization code returned by the server. |
| redirect_uri | String | O | The redirect URI of the application. This must match the redirect_uri used in the authorize request. |

Refresh Token

The access token has a finite lifetime, configured per application for security reasons. Once it expires, every subsequent API request receives a 401 "Unauthorized" response. To keep API access uninterrupted, use the refresh token to obtain a new access token before or as soon as the current one expires.

POST /v1/oauth/token

| Parameter | Type | Required | Description |
|---|---|---|---|
| client_id | String | O | Client ID for the application. |
| client_secret | String | O | Client secret for the application. |
| grant_type | String | O | refresh_token |
| refresh_token | String | O | The refresh token obtained through the previous steps. |
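The following is an added example, not DottedSign's own code, covering Steps 1 to 3 and the refresh path above: it builds the authorize URL, accepts the code only from a redirect that matches the registered redirect_uri, prepares both token request bodies, and retries an API call once after a 401. The API host, the send/refresh callables and the sample values are assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: the page does not state the API host; substitute the real DottedSign base URL.
BASE_URL = "https://api.example.invalid"


def build_authorize_url(client_id, redirect_uri, base_url=BASE_URL):
    """Step 1: the URL the browser is sent to (GET /v1/oauth/authorize)."""
    query = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri}
    return f"{base_url}/v1/oauth/authorize?{urlencode(query)}"


def extract_code(redirected_url, registered_redirect_uri):
    """Step 2: take the temporary code only from a redirect whose scheme, host and
    path equal the registered redirect_uri; any other target is rejected."""
    got, want = urlsplit(redirected_url), urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect target does not match registered redirect_uri")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("exactly one non-empty authorization code expected")
    return codes[0]


def exchange_code_body(client_id, client_secret, code, redirect_uri):
    """Step 3: form fields for POST /v1/oauth/token; redirect_uri repeats Step 1's value."""
    return {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}


def refresh_body(client_id, client_secret, refresh_token):
    """Form fields for POST /v1/oauth/token with grant_type=refresh_token."""
    return {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "refresh_token", "refresh_token": refresh_token}


def call_with_refresh(send, access_token, refresh):
    """Run an API call; on 401 refresh exactly once and retry, so a bad refresh
    cannot cause a retry loop. send(token) -> (status, body); refresh() -> token."""
    status, body = send(access_token)
    if status != 401:
        return status, body
    return send(refresh())
```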