Authorization Code Flow

This flow is used when the client does not want to create their own login page, but still wants refresh token ability.

Raven recommends this flow because the user only has to log in once; from then on the refresh token can be used to retrieve new access tokens.

  1. The flow starts by redirecting the user to the authorize endpoint using a URL.
    • The URL contains the client ID, requested scopes, and redirection URI to which the authorization web service sends the user after access is granted or denied.
    • This appears in the following format:
    https://auth.agsync.com/core/connect/authorize?response_type=code&state=STATE&client_id=CLIENTID&scope=openid%20profile%20email%20agsync%20roles%20offline_access&redirect_uri=[REDIRECT_URI]
  2. The user is prompted for his or her sign-in credentials and grants or denies the client's access request.
  3. If the user has granted access, the token server redirects the user to the client by using the redirection URI that was provided in the initial request.
    • The redirection is done via a form post to the redirection URI. The access token, identity token, scope and expiration are included in the form post.
    • For example:
    <form method="post" action="REDIRECT_URI">
      <input type="hidden" name="code" value="CODE" />
      <input type="hidden" name="state" value="STATE" />
    </form>
    • Using the “code” from the response, the client then makes a second call, to the token endpoint, to obtain an access token or a refresh token:
    POST /core/connect/token HTTP/1.1
    Host: auth.agsync.com
    Authorization: Basic [Client ID and secret base64 encoded]
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=[CODE]&redirect_uri=[REDIRECT_URI]
    • The response is JSON containing the property “refresh_token” as well as the access token, expiry time, and token type.