The authorization code grant should be familiar if you have ever signed into a web application with a Facebook or Google account. It is probably the OAuth 2.0 grant developers use most often when building apps for third-party users. Our OAuth 2.0 server provides the standard features of the authorization_code grant, following the OAuth 2.0 Authorization Framework (RFC 6749).
If you want to build a service for Preview Technologies Limited's users, or you do not want to build your own authentication platform, this grant lets you integrate our authentication platform with your system.
Implementing the authorization_code grant in your service involves two distinct steps. First, you obtain authorization from our user and retrieve an authorization code; second, you exchange that code for an access token, a refresh token and the other information needed to access our APIs.
Redirect the user to the authorization server with the following parameters in the query string:
- response_type with the value "code"
- client_id with the client identifier (you can get your client ID from our developer portal)
- redirect_uri with the redirect URI of your service, to which the user is sent back after authorization. You must register this redirect URL in your developer profile.
- scope with a space-delimited list of scopes. See the list of our available scopes.
- state with a CSRF token. This parameter is optional but highly recommended. Store the value in the user's session and compare it with the state returned when the user comes back; this ensures the callback belongs to a request your service actually started.
Once you have built the URL, redirect the user to our OAuth 2.0 authorization server. If the user authorizes, they are redirected back to the redirect URL you specified, with the authorization code in the query string. You need this code in the second step to retrieve the access token and the other information.
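The first step as an added example, not code from Preview Technologies: it builds the redirect URL with the parameters listed above, binds a fresh state value to the user's session, and validates the redirect back (state comparison, error check, code extraction). The authorization endpoint URL is a placeholder assumption, since the page does not state it; the session is modelled as a plain dict, and the client ID, redirect URI and scopes used in the usage call are constructed values.

```python
# Added example, not Preview Technologies' own code: build the authorization
# redirect for step one and validate the redirect back (state check, code
# extraction). The authorization endpoint URL below is a placeholder
# assumption; the parameter names are the ones the page lists.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# ASSUMPTION: placeholder. The page does not give the authorization endpoint;
# take the real one from the developer portal.
AUTHORIZE_ENDPOINT = "https://example.invalid/oauth/authorize"


def build_authorization_url(session, client_id, redirect_uri, scopes):
    """Create a fresh state token, keep it in the user's session, and return
    the URL to redirect the browser to. `session` is any mutable mapping
    bound to this user (for example a server-side session dict)."""
    state = secrets.token_urlsafe(32)          # unguessable CSRF token
    session["oauth_state"] = state             # remembered for the callback
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,          # must match the registered one
        "scope": " ".join(scopes),             # space-delimited, as the page says
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def callback_params(callback_url):
    """Return the query string of the redirect back as a dict of single
    values. parse_qs URL-decodes each value, so a code that arrived as
    'abc%2F123' comes back as 'abc/123'."""
    return {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}


def handle_callback(session, callback_url):
    """Validate the redirect back and return the authorization code.
    Raises ValueError on a missing, stale or mismatched state, or when the
    server reported an error instead of a code."""
    query = callback_params(callback_url)
    expected = session.pop("oauth_state", None)   # single use: consume it
    received = query.get("state")
    if expected is None or received is None:
        raise ValueError("no state to compare; request was not started here")
    # constant-time comparison on bytes (compare_digest rejects non-ASCII str)
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch; possible CSRF or stale callback")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"])
    code = query.get("code")
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


if __name__ == "__main__":
    # Constructed walk-through: start the flow, then simulate the redirect back.
    session = {}
    url = build_authorization_url(session, "client-123",
                                  "https://app.example/callback", ["profile", "email"])
    print("redirect the user to:", url)
    simulated = "https://app.example/callback?code=abc%2F123&state=" + session["oauth_state"]
    print("authorization code:", handle_callback(session, simulated))
```

The state is popped from the session before it is compared, so a replayed or duplicated callback fails even if it carries the right value, and the comparison is constant-time so the check does not leak how many leading characters matched.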
After receiving the authorization code, send a POST request to our authorization server's access token endpoint with the following parameters:
- grant_type with the value "authorization_code"
- client_id with the client identifier you used in the first step
- client_secret with the client secret that belongs to that client
- redirect_uri with the same redirect URI the user was redirected back to
- code with the authorization code from the query string you received after the user's authorization in the first step
Access Token Endpoint: https://myaccount.previewtechs.com/oauth/v1/access_token
Note that you need to URL-decode the code query-string value first. If everything goes well, our authorization server responds with a JSON object containing the following properties:
- token_type with the value Bearer
- expires_in with an integer giving the TTL (time to live) of the access token
- access_token, which is used to access the API
- refresh_token, an encrypted payload that can be used to refresh the access token when it expires
Store expires_in, access_token and refresh_token for future use. With the refresh token you can re-issue the access token. If you lose the refresh token, you need to re-authorize the user with our authorization server.
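The second step as an added example, not code from Preview Technologies: it posts the listed parameters to the access token endpoint given above (URL-decoding the code once, as the note says), validates the JSON properties the page describes, and turns the expires_in TTL into an absolute expiry so the stored record can be checked later. The HTTP transport is injectable so the exchange can be exercised offline with a constructed response. The refresh request builder follows the generic RFC 6749 refresh_token grant; the page does not spell out the refresh parameters, so that part is an assumption about this server. Client ID, secret and redirect URI in the usage call are constructed values.

```python
# Added example, not Preview Technologies' own code: step two, exchanging the
# authorization code for tokens at the access token endpoint the page gives,
# then storing and checking them. The HTTP transport is injectable so the
# exchange can run without network access.
import json
import time
from urllib.parse import unquote, urlencode
from urllib.request import Request, urlopen

ACCESS_TOKEN_ENDPOINT = "https://myaccount.previewtechs.com/oauth/v1/access_token"  # from the page
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded",
                "Accept": "application/json"}


def token_request_fields(client_id, client_secret, redirect_uri, raw_code):
    """Form fields for the POST. `raw_code` is the code exactly as it appeared
    in the callback query string; the page says it must be decoded first, so
    it is URL-decoded here exactly once."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,   # same value the user was redirected back to
        "code": unquote(raw_code),
    }


def refresh_request_fields(client_id, client_secret, refresh_token):
    """ASSUMPTION: the generic RFC 6749 section 6 refresh request. The page
    does not describe this request; confirm the parameters in the developer
    portal before relying on them."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}


def http_post_form(url, fields):
    """Real transport: POST the fields as a form body, return (status, body)."""
    req = Request(url, data=urlencode(fields).encode(), headers=FORM_HEADERS, method="POST")
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def parse_token_response(payload, now=None):
    """Validate the JSON object the page describes and convert expires_in
    (a TTL) into an absolute expires_at so the stored record stays meaningful."""
    data = json.loads(payload)
    required = ("token_type", "expires_in", "access_token", "refresh_token")
    missing = [k for k in required if k not in data]
    if missing:
        raise ValueError("token response missing " + ", ".join(missing))
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError("unexpected token_type " + str(data["token_type"]))
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data["refresh_token"],   # keep it: losing it means re-authorizing
        "expires_at": now + int(data["expires_in"]),
    }


def exchange_code(client_id, client_secret, redirect_uri, raw_code,
                  post=http_post_form, now=None):
    """Run the code-for-token exchange through `post` and return the token record."""
    fields = token_request_fields(client_id, client_secret, redirect_uri, raw_code)
    status, body = post(ACCESS_TOKEN_ENDPOINT, fields)
    if status != 200:
        raise RuntimeError("token endpoint returned HTTP %d: %r" % (status, body[:200]))
    return parse_token_response(body, now)


def access_token_is_fresh(tokens, now=None, leeway=30):
    """True while the stored access token has more than `leeway` seconds left;
    otherwise use the refresh token (or re-authorize the user if it was lost)."""
    now = time.time() if now is None else now
    return tokens["expires_at"] - leeway > now


if __name__ == "__main__":
    # Constructed offline run: a fake transport returns a response shaped like
    # the one the page describes, so nothing is sent over the network.
    def fake_post(url, fields):
        return 200, b'{"token_type":"Bearer","expires_in":3600,' \
                    b'"access_token":"AT-1","refresh_token":"RT-1"}'
    record = exchange_code("client-123", "client-secret", "https://app.example/callback",
                           "abc%2F123", post=fake_post)
    print("stored token record:", record)
    print("fresh now?", access_token_is_fresh(record))
```

Keeping expires_at rather than the raw expires_in is the point of the last helper: the TTL only means something relative to the moment the response arrived, and the leeway avoids presenting a token that expires mid-request.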