Matt Bierner edited this page Jul 4, 2015 · 13 revisions

Blot're supports the OAuth 2 authorization code flow. This is the preferred method of authorization: the access token is obtained by your server directly from Blot're, so neither it nor your client secret ever passes through the user's browser.

Authorization

The user must first be sent to https://blot.re/v0/oauth2/authorize.

Required Parameters

  • response_type - Must be set to code.
  • client_id - The id of your registered client.
  • redirect_uri - Where to send the response. This must exactly match one of the redirect URIs registered to the client; the exact-match check is what prevents a third party from having the authorization code delivered to a URI they control.

Example

From our example client, we construct the following url:

GET https://blot.re/v0/oauth2/authorize?response_type=code&client_id=553defdbe4b0b25be7761613&redirect_uri=http://localhost:9000

When a user visits this link, they will be prompted to login and authorize your application.

[Screenshot: Authorization page]

If the user accepts, Blot're redirects them to the provided redirect_uri and appends an authorization code as a query parameter:

http://localhost:9000?code=OGU0YzE3ZWItZWU2Zi00N2I0LWI0NzQtNWIyZTQxNTM0ZmMx

If the user denies access, no authorization code is generated and the user is redirected with an error message instead:

http://localhost:9000?error=access_denied&error_description=User+rejected+access+for+your+application

Access Token

The authorization code confirms that the user granted your client authorization to act on their behalf, but it is not itself a credential: we still have to obtain one in order to make requests. We now exchange the authorization code with Blot're for an access token.

This POST request must be made from your server against https://blot.re/v0/oauth2/access_token. It carries your client_secret, so it must never be sent from a browser or from any other code the user can inspect.

Required Parameters

  • grant_type - Set to "authorization_code"
  • client_id - Must match what was used in the authorization request.
  • redirect_uri - Must match what was used in the authorization request.
  • code - The authorization code received.
  • client_secret - The secret issued to your client.

Using our example client, this request looks like:

POST https://blot.re/v0/oauth2/access_token
content-type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=553defdbe4b0b25be7761613&redirect_uri=http://localhost:9000&client_secret=NWI4ZTZjZDAtZTJjMi00NzJmLTg4OTQtN2UwMWQ3ZDU5MGYw&code=OGU0YzE3ZWItZWU2Zi00N2I0LWI0NzQtNWIyZTQxNTM0ZmMx

If this is successful, the server responds with JSON containing the new access token:

{
  "access_token": "YmI2NTgyYjMtMzIyYi00NzM2LWI3M2UtOTIzNDhmOWUzNjc0",
  "token_type": "bearer",
  "expires_in": 259200,
  "user": {
    "id": "5550f2a63004a531be8820c5"
  }
}

This exchange may only be made once. After you exchange the authorization code for an access token, the code is invalidated, so a code that leaks after it has been used is of no value to anyone else.

Now we can use our access token to make authorized requests. The token is valid for expires_in seconds (259200 seconds, i.e. 72 hours, in the example above). The response contains no refresh token, so once the access token expires the user must go through the authorization flow again.
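The complete flow described above, building the authorization URL, reading the redirect back to redirect_uri, exchanging the code from the server side and parsing the token response, as an added example in Python. This is not Blot're's own client code; only the endpoints, parameter names and the sample response values come from this page. The FakeBlotre class is a constructed stand-in for the authorization server that enforces the three rules the page states (exact redirect_uri match, client_secret required, one exchange per code) so that the example runs offline; the client secret "s3cret" and the generated codes and tokens are made up.

```python
"""Blot're authorization code flow, client side, with a constructed in-memory
stand-in for the server so it runs offline. Added example, not the project's
own client; only the endpoints and parameter names come from this page."""
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://blot.re/v0/oauth2/authorize"
TOKEN_URL = "https://blot.re/v0/oauth2/access_token"


def build_authorize_url(client_id, redirect_uri):
    """Step 1: the link the user's browser is sent to."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url):
    """Step 2: read the redirect back to redirect_uri.
    Returns ("code", code) on acceptance or ("error", description) on denial."""
    qs = parse_qs(urlsplit(callback_url).query)
    if "error" in qs:
        return "error", qs.get("error_description", qs["error"])[0]
    if "code" in qs:
        return "code", qs["code"][0]
    raise ValueError("callback carries neither code nor error")


def build_token_request(client_id, client_secret, redirect_uri, code):
    """Step 3: form body for the server-to-server POST. It carries
    client_secret, so it is built on the backend, never in the browser."""
    body = urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "redirect_uri": redirect_uri, "client_secret": client_secret,
                      "code": code})
    return TOKEN_URL, {"content-type": "application/x-www-form-urlencoded"}, body


def parse_token_response(raw_json, now=None):
    """Step 4: keep the bearer token and turn expires_in (seconds) into an
    absolute time so the client knows when it must re-authorize."""
    data = json.loads(raw_json)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type %r" % data.get("token_type"))
    now = time.time() if now is None else now
    return {"access_token": data["access_token"],
            "expires_at": now + int(data["expires_in"]),
            "user_id": data["user"]["id"]}


class FakeBlotre:
    """Constructed stand-in for the authorization server. It enforces what the
    page describes: redirect_uri must exactly match a registered one, the
    client_secret must match, and each code can be exchanged only once."""

    def __init__(self, client_id, client_secret, redirect_uris):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uris = set(redirect_uris)
        self._codes = {}  # unspent code -> redirect_uri it was issued for

    def authorize(self, url, user_accepts=True):
        qs = parse_qs(urlsplit(url).query)
        redirect_uri = qs["redirect_uri"][0]
        if qs["client_id"][0] != self.client_id or redirect_uri not in self.redirect_uris:
            raise ValueError("unknown client_id or unregistered redirect_uri")
        if not user_accepts:
            return redirect_uri + "?" + urlencode({"error": "access_denied",
                "error_description": "User rejected access for your application"})
        code = secrets.token_urlsafe(24)
        self._codes[code] = redirect_uri
        return redirect_uri + "?" + urlencode({"code": code})

    def access_token(self, body):
        f = {k: v[0] for k, v in parse_qs(body).items()}
        issued_for = self._codes.pop(f.get("code"), None)  # spend the code first
        if (f.get("grant_type") != "authorization_code" or f.get("client_id") != self.client_id
                or f.get("client_secret") != self.client_secret
                or issued_for is None or issued_for != f.get("redirect_uri")):
            raise PermissionError("invalid_grant")
        return json.dumps({"access_token": secrets.token_urlsafe(24), "token_type": "bearer",
                           "expires_in": 259200, "user": {"id": "5550f2a63004a531be8820c5"}})


def run_flow(server, client_id, client_secret, redirect_uri, user_accepts=True):
    """Drive steps 1-4 end to end against `server`."""
    callback = server.authorize(build_authorize_url(client_id, redirect_uri), user_accepts)
    kind, value = parse_callback(callback)
    if kind == "error":
        return {"error": value}
    _, _, body = build_token_request(client_id, client_secret, redirect_uri, value)
    return parse_token_response(server.access_token(body))


if __name__ == "__main__":
    srv = FakeBlotre("553defdbe4b0b25be7761613", "s3cret", ["http://localhost:9000"])
    print(run_flow(srv, "553defdbe4b0b25be7761613", "s3cret", "http://localhost:9000"))
```

To talk to the real service, replace the two FakeBlotre calls in run_flow with a browser redirect to build_authorize_url and a server-side HTTP POST of the body returned by build_token_request; the stand-in pops the code before checking anything else, so a second POST with the same code fails even if every other parameter is right, which is the one-time behaviour described above.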
