# OAuth 2.0 information
The Signicat identity broker supports the most commonly used OAuth 2.0 flows: Authorisation Code Grant and Implicit Grant.
# Authorisation Code grant flow
The Authorisation Code grant type is used by clients to exchange an authorisation code for an access token. See https://oauth.net/2/grant-types/authorization-code/ for a detailed description of the flow.

Example of authorisation request

```
<base_url>/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&scope=<scope>
```

ID | Value | Description |
---|---|---|
client_id | Unique identifier | Identifies the client at the Signicat Identity Broker. This must be agreed upon between your service and Signicat before starting the integration. |
redirect_uri | URL | The URL on your service that will receive the response. |
response_type | "code" | This value must be set to "code" to retrieve an Authorisation Token. |
scope | Optional field | With some OAuth servers, the client can specify the scope of the request. |

Example of authorisation response

```
<redirect_uri>?code=<authorization_token>
```

Before the `<authorization_token>` is sent, the user must first authenticate themselves via an identity provider.
# Example messages for Access Token endpoint
Access Token request (POST method)

```
<base_url>/access_token?client_id=<client_id>&client_secret=<client_secret>&grant_type=authorization_code&code=<code>&redirect_uri=<redirect_uri>
```

The parameters should be sent in the request body with the Content-Type header: application/x-www-form-urlencoded.

ID | Value | Description |
---|---|---|
client_id | Unique identifier | Identifies the client at the Signicat Identity Broker. This must be agreed upon between your service and Signicat before starting the integration. |
redirect_uri | URL | The URL on your service that will receive the response. |
grant_type | "authorization_code" | Must be set to this value to receive an Access Token. |
client_secret | Unique identifier | A secret key agreed upon between your service and the Signicat Identity Broker. |
code | Unique identifier | This is the Authorisation Token returned by the Signicat Identity Broker from the authorisation endpoint. |
Access Token response (JSON format)

```json
{
  "access_token": "<access_token>",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "<refresh_token>"
}
```

ID | Value | Description |
---|---|---|
access_token | Unique identifier | The Access Token returned by the Signicat Identity Broker. |
token_type | "Bearer" | |
expires_in | Integer | Defines the time (in seconds) when the Access Token will expire. |
refresh_token | Unique identifier | The Refresh Token returned by the Signicat Identity Broker. |
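
The client side of the steps above, from the authorisation response to a parsed Access Token response, as an added example (not Signicat's code). Function names, host names and credentials in it are constructed placeholders, and the token request is built with its parameters in the body but never sent.

```python
import json
import time
import urllib.request
from urllib.parse import urlsplit, parse_qs, urlencode

def extract_code(callback_url, redirect_uri):
    """Return the code from <redirect_uri>?code=<authorization_token>."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one non-empty code parameter")
    return codes[0]

def build_token_request(base_url, client_id, client_secret, code, redirect_uri):
    """Build (not send) the POST. Parameters go in the form-encoded body,
    so client_secret and code never appear in the request URL."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode("ascii")
    return urllib.request.Request(
        base_url.rstrip("/") + "/access_token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw, now=None):
    """Validate the JSON response and convert expires_in to an absolute time."""
    doc = json.loads(raw)
    # The sample response uses "bearer" and the table "Bearer": compare case-insensitively.
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    token, ttl = doc.get("access_token"), doc.get("expires_in")
    if not isinstance(token, str) or not token:
        raise ValueError("missing access_token")
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
        raise ValueError("expires_in must be a positive integer")
    now = time.time() if now is None else now
    return {"access_token": token, "refresh_token": doc.get("refresh_token"),
            "expires_at": now + ttl}
```
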
# Example messages for user info endpoint
User info request (GET method)

```
<base_url>/<access_token>
```

User Info response (JSON format)

```json
{
  "nameId": "<some_name>",
  "userAttributes": [
    "name": ["<attribute_value1>", "<attribute_value2>", ...]
  ]
}
```

# Implicit grant flow
This flow can be used by applications running in the browser that cannot securely store a shared secret. In this case, the access token is directly returned upon user authentication and authorisation.
See https://oauth.net/2/grant-types/implicit/ for a detailed description of the flow.
# Example messages for Authorisation endpoint
Authorisation request

```
<base_url>/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=token&scope=<scope>&state=<state>
```

ID | Value | Description |
---|---|---|
client_id | Unique identifier | Identifies the client at the Signicat Identity Broker. This must be agreed upon between your service and Signicat before starting the integration. |
redirect_uri | URL | The URL on your application that will receive the response. |
response_type | "token" | This value must be set to "token" to retrieve an Access Token. |
scope | Optional field | With some OAuth servers, the client can specify the scope of the request. |
state | Recommended unique identifier | An opaque value used by the client to prevent cross-site request forgery. |

Authorisation response

```
<redirect_uri>?code=<access_token>&state=<state>&token_type=bearer&expires_in=<expires_in>
```

ID | Value | Description |
---|---|---|
access_token | Unique identifier | The Access Token returned by the Signicat identity broker. |
state | Unique identifier | The same value as sent in the request. |
token_type | "Bearer" | |
expires_in | Integer | Defines the time (usually in seconds) when the Access Token will expire. |