OAuth API

Auth

Authorization code request

POST /oauth2/auth

Required auth level: OPEN

Authorized roles: ALL

Check that secret was entered correctly.

GET /oauth2/auth

Required auth level: OPEN

Authorized roles: ALL

Authorization request

Request schema

response_type : String : required
  • Data required (new or existing on update)
Must be set to "code"
client_id : String : required
  • Data required (new or existing on update)
Client id
redirect_uri : String : optional : default=null
  • Optional
  • URL
Redirect URI
scope : String : optional : default=null
  • Optional
  • Value in address, bankid, email, fodselsnummer, openid, phone, profile, shipping_address
List of space delimited scopes to request authorization for
state : String : optional : default=null
  • Optional
Used to provide CSRF protection; optional but highly recommended (the client should generate an unguessable value, bind it to the user's session and verify it on the redirect back)

Token

Exchange authorization code for access token

POST /oauth2/token

Required auth level: SECRET

Authorized roles: ALL

Token exchange

Request Headers:
 
  • Authorization -- Basic HTTP auth with client_id and client_password as per RFC2617
Response Headers:
 
  • Content-Type -- application/json
  • Cache-Control -- no-store
  • Pragma -- no-cache

Request schema

grant_type : String : required
  • Data required (new or existing on update)
Must be set to "authorization_code"
code : String : required
  • Data required (new or existing on update)
The authorization code previously received
redirect_uri : String : optional : default=null
  • Optional
  • URL
Required if a redirect_uri was included in the authorization request, and must then be identical to that value
client_id : String : required
  • Data required (new or existing on update)
Client id

Response schema

access_token : String : required
  • Data required (new or existing on update)
Access token
id_token : String : optional : default=null
  • Optional
A JWT that contains identity information about the user that is digitally signed by mCASH. Always present for OpenID scopes. Described in OpenID ID token.
token_type : String : required
  • Data required (new or existing on update)
Type of access token, at this time it will always be Bearer
expires_in : Integer : optional : default=null
  • Optional
Lifetime in seconds of the access token
refresh_token : String : optional : default=null
  • Optional
Refresh token used to issue new access token after expiration
scope : String : optional : default=null
  • Optional
  • Value in address, bankid, email, fodselsnummer, openid, phone, profile, shipping_address
Space-delimited list of scopes. Any of: "openid" (static id), "address" (user preferred address), "profile" (name), "phone", "email", "shipping_address", "fodselsnummer"
currency : Currency : optional : default=null
  • Optional
  • length == 3
Currency for fee
fee : Money : optional : default="0.00"
Authorization fee to be deducted from settlement
report_id : String : optional : default=null
The Report that this authorization is included in
state : String : optional : default=null
  • Optional
State parameter from authorization request
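The two steps above (the GET /oauth2/auth redirect and the POST /oauth2/token exchange) as one client-side walkthrough. This is an added example, not mCASH's or oauthlib's code: it builds the authorization URL with a random state, rejects a callback whose state does not match, builds the token request with RFC 2617 Basic auth and the same redirect_uri, and checks the token response's headers and fields before trusting it. Endpoint hosts, client id, password and the canned token response are hypothetical and constructed for the example; HTTP transport is left out so it runs offline.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint URLs; only the paths come from the page.
AUTH_ENDPOINT = "https://api.example.test/oauth2/auth"
TOKEN_ENDPOINT = "https://api.example.test/oauth2/token"

# The scope values listed on the page.
VALID_SCOPES = {"address", "bankid", "email", "fodselsnummer",
                "openid", "phone", "profile", "shipping_address"}


def build_authorization_url(client_id, redirect_uri, scopes, state=None):
    """Build the GET /oauth2/auth URL and return (url, state).

    state defaults to 32 random bytes; the caller must store it in the
    user's session so parse_callback can verify it later.
    """
    unknown = set(scopes) - VALID_SCOPES
    if unknown:
        raise ValueError("unknown scopes: %s" % sorted(unknown))
    if state is None:
        state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",          # the only value the page allows
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),        # space delimited, per the page
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect back; refuse it on state mismatch."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    # Constant-time compare so the check does not leak which bytes differed.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or session mix-up")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    if "code" not in qs:
        raise ValueError("callback carries no code")
    return qs["code"][0]


def build_token_request(client_id, client_password, code, redirect_uri):
    """Build headers and form body for POST /oauth2/token (Basic auth, RFC 2617)."""
    creds = base64.b64encode(("%s:%s" % (client_id, client_password)).encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,     # must equal the value sent in step 1
        "client_id": client_id,
    })
    return headers, body


def parse_token_response(status, headers, body, expected_state, requested_scopes):
    """Validate the token response and return (token_dict, scopes_not_granted)."""
    if status != 200:
        raise ValueError("token endpoint returned HTTP %d" % status)
    ctype = headers.get("Content-Type", "").split(";")[0].strip()
    if ctype != "application/json":
        raise ValueError("unexpected Content-Type %r" % ctype)
    if "no-store" not in headers.get("Cache-Control", ""):
        # The page promises Cache-Control: no-store; a missing header means the
        # token may be cached by an intermediary, so treat it as an error.
        raise ValueError("token response is missing Cache-Control: no-store")
    tok = json.loads(body)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type %r" % tok.get("token_type"))
    if "access_token" not in tok:
        raise ValueError("response has no access_token")
    # state echoed in the token response must match the one we sent, if present.
    if "state" in tok and not hmac.compare_digest(tok["state"].encode(),
                                                  expected_state.encode()):
        raise ValueError("state in token response does not match")
    granted = set(tok.get("scope", "").split())
    return tok, sorted(set(requested_scopes) - granted)


if __name__ == "__main__":
    url, st = build_authorization_url("c1", "https://app.example.test/cb", ["openid", "email"])
    code = parse_callback("https://app.example.test/cb?code=xyz&state=" + st, st)
    hdrs, body = build_token_request("c1", "s3cret", code, "https://app.example.test/cb")
    # Constructed token response in the shape the page describes.
    resp = json.dumps({"access_token": "at-1", "token_type": "Bearer",
                       "expires_in": 3600, "scope": "openid", "state": st})
    tok, missing = parse_token_response(200, {"Content-Type": "application/json",
                                              "Cache-Control": "no-store"},
                                        resp, st, ["openid", "email"])
    print(tok["access_token"], "not granted:", missing)
```

The scope check matters because the server may grant fewer scopes than requested; a client that assumes it got "email" when only "openid" was granted will fail later in a way that is harder to diagnose than checking here.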

Fatal error

Endpoint for errors in the OAuth request.

Qrimage

A handler that will generate a QR code image from a login cookie

The QR code is encoded again with QR specific salt to make it different from the cookie

Authorization request

Authorization request handler

This is where the client redirects the user to, providing the required variables client_id and state and the optional variables scope, response_type and redirect. Optional variables not provided are looked up from the client's registered info.

provider.pre_authorization_view runs oauthlib.validate_authorization_request to check the request data before the handler creates the AuthorizationRequest.

The AuthorizationRequest id can be used for QR scan and scan handling, channel messages to browser and when redirecting back to client.

GET /oauth2/pre_auth

Required auth level: TWOFACTOR

Authorized roles: ALL

kwargs contains client credentials, matching properties of AuthorizationRequest

POST /oauth2/post_auth/<request_id>

Required auth level: TWOFACTOR

Authorized roles: ALL

Look up the authorization request by request_id and return its scope and credentials to oauthlib