Aidbox
Aidbox
Aidbox.Dev
Aidbox.Cloud
Aidbox.One
Fhirbase
Getting started
Features
Licensing and Support
Versioning & Release Notes
Installation
Basics
Advanced
Auth
Basic Auth
Client Credentials Grant
Resource Owner Grant
Authorization Code Grant
Implicit Grant
Validating Foreign Access Tokens
External Oauth 2.0 Providers
Two Factor Authentication
SMART on FHIR
Configuration options
Discovery API
Access Control
Terminology
Aidbox SDK
Integrations
Tutorials
Administration
Powered by GitBook

Authorization Code Grant

Description

The Authorization Code Grant is an OAuth 2.0 flow that regular web apps use in order to access an API, typically as web applications with backend and frontend (browser-based SPA, for example). This flow doesn't use client-secret due to security considerations - frontend application source code is available in a browser. Instead, user authorises the application and gets redirected back to it with a temporary access code in the URL. Application exchanges that code for the access token. For more detailed information read OAuth 2.0 specification.

Basic scheme

Configure Client

First step is to configure Client for Authorization Grant with secret and redirect_uri, as well code grant type:

client
client
PUT /Client/webapp
​
secret: verysecret
first_party: true
grant_types:
  - code
auth:
  authorization_code:
    redirect_uri: 'http://myapp.app'
    access_token_expiration: 360
    token_format: jwt
    secret_required: true
    refresh_token: true

Client will act on behalf of the user, which means Access Policies should be configured for User, not for Client.

You can configure Client for JWT tokens, set token expiration and enable refresh token:

auth.authorization_code.

options

desc

token_format

jwt

use access token in jwt format

token_expiration

int (seconds)

token expiration time from issued at

refresh_token

true/false

enable refresh_token

secret_required

true/false

require secret for token

If you want to use Authorization Code Grant for Single Page Application you do not need secret attribute to be set!

If your application is a major consumer of Aidbox API you can set first_party attribute into true. This means that the same User Session will be shared between Aidbox and client, so if you close client session Aidbox User Session will be closed too.

Get Code

Next step is to redirect user from your application to authorize endpoint with client_id and response_type - code:

https://<box>.aidbox.app/auth/authorize?client_id=webapp&response_type=code&state=...

To keep you client stateless you can send state parameter with arbitrary content, which will be send you back on redirect.

If user is not logged in then she will see the login screen.

If client is not first_party or user not yet granted permissions to client, user will see grant page:

If client granted permissions, user agent will be redirected to url configured in Client.auth.authorization_code.redirect_uri with authorization code parameter.

<redirect_uri>?code=****&state=***

Get Access Token

With this code and client secret you can request for Access Token withgrant_type: authorization_code.

json-request
json-request
POST /auth/token
Content-Type: application/json
{
 "client_id": "web-app",
 "client_secret": "verysecret",
 "code": <code>,
 "grant_type": "authorization_code"
}

If provided code is accurate, you get access token, user information and refresh token (if enabled):

token-response
token-response
status: 200
​
{
 "token_type": "Bearer",
 "expires_in": 3600,
 "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODEiLCJzdWIiOiJ1c2VyIiwiaWF0IjoxNTU0NDczOTk3LCJqdGkiOiI0ZWUwZDY2MS0wZjEyLTRlZmItOTBiOS1jY2RmMzhlMDhkM2QiLCJhdWQiOiJodHRwOi8vcmVzb3VyY2Uuc2VydmVyLmNvbSIsImV4cCI6MTU1NDQ3NzU5N30.lCdwkqzFWOe4IcXPC1dIB8v7aoZdJ0fBoIKlzCRFBgv4YndSJxGoJOvIPq2rGMQl7KG8uxGU0jkUVlKxOtD8YA",
 "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODEiLCJzdWIiOiJwYXNzd29yZC1jbGllbnQiLCJqdGkiOiI0ZWUwZDY2MS0wZjEyLTRlZmItOTBiOS1jY2RmMzhlMDhkM2QiLCJ0eXAiOiJyZWZyZXNoIn0.XWHYpw0DysrqQqMNhqTPSdNamBM4ZDUAgh_VupSa7rkzdJ3uZXqesoAo_5y1naJZ31S92-DjPKtPEAyD_8PloA",
 "userinfo": {
  "email": "user@mail.com",
  "id": "user",
  "resourceType": "User",
 }
}

Use Access Token

You can use access token in Authorization header for Aidbox API calls:

authorized-request
authorized-request
GET /Patient
Authorization: Bearer ZjQyNGFhY2EtNTY2MS00NjVjLWEzYmEtMjIwYjFkNDI5Yjhi
curl -H 'Authorization: Bearer ZjQyNGFhY2EtNTY2MS00NjVjLWEzYmEtMjIwYjFkNDI5Yjhi' /Patient

Revoke Access Token (Close Session)

Aidbox creates Session resource for each Access Token which can be closed with special endpoint DELETE /Session with token in Authorization header:

close-session
close-session
DELETE /Session
Authorization: Bearer ZjQyNGFhY2EtNTY2MS00NjVjLWEzYmEtMjIwYjFkNDI5Yjhi

Session is just a resource and you can inspect and manipulate sessions with standard Search & CRUD API. For example, to get all sessions initiate GET /Session

Auth Sandbox Demo

​

Previous
Resource Owner Grant
Next
Implicit Grant
2
Last updated 3 months ago
Contents
Configure Client
Get Code
Get Access Token
Use Access Token
Revoke Access Token (Close Session)
Auth Sandbox Demo