Skip to main content

Authorization Code Flow

This flow is used when the client does not want to create their own login page, but still wants refresh token ability. It is recommended to use this flow as the user only has to login once and the refresh token can be used to retrieve access tokens going forward.

  1. The flow starts by redirecting the user to the authorize endpoint user a URL.
    • The URL contains the client ID, requested scopes, and redirection URI to which the authorization web service sends the user after access is granted or denied.
    • This appears in the following format:
    https://auth.agsync.com/core/connect/authorize?response_type=code&state=STATE&client_id=CLIENTID&scope=openid%20profile%20email%20agsync%20roles%20offline_access&redirect_uri=[REDIRECT_URI]
  2. The user is prompted for his or her sign-in credentials and grants or denies the client's access request.
  3. If the user has granted access, the token server redirects the user to the client by using the redirection URI that was provided in the initial request.
    • The redirection is done via a form POST to the redirection URI. The access token, identity token, scope and expiration are included in the form post.
    • For example:
    <form
    	method="post"
    	action="REDIRECT_URI"
    >
    	<input
    		type="”hidden”"
    		name="”code”"
    		value="”CODE”"
    	/>
    	<input
    		type="hidden"
    		name="state"
    		value="STATE"
    	/>
    </form>
    • Using the code value in the response, the client will then need to make another call to the token endpoint for a access token or a refresh token:
    POST /core/connect/token HTTP/1.1
    Host: auth.agsync.com
    Authorization: Basic [Client ID and secret base64 encoded]
    Content-Type: application/x-www-form-urlencoded
    grant_type=authorization_code&code=[CODE]&redirect_uri=[REDIRECT_URI]
    • The response will contain JSON with the refresh token property, as well as the access token, expire time, and token type.