OAuth API¶
Auth¶
Authorization code request
- POST /oauth2/auth¶
  Required auth level: OPEN
  Authorized roles: ALL
  Check that secret was entered correctly.
- GET /oauth2/auth¶
  Required auth level: OPEN
  Authorized roles: ALL
Authorization request
Request schema
  response_type : String : required - Data required (new or existing on update)
    Must be set to "code"
  client_id : String : required - Data required (new or existing on update)
    Client id
  redirect_uri : String : optional : default=null - Optional
    - URL
    Redirect URI
  scope : String : optional : default=null - Optional
    - Value in address, bankid, email, fodselsnummer, openid, phone, profile, shipping_address
    List of space-delimited scopes to request authorization for
  state : String : optional : default=null - Optional
    Used to provide CSRF protection; optional but highly recommended
Token¶
Exchange authorization code for access token
- POST /oauth2/token¶
  Required auth level: SECRET
  Authorized roles: ALL
  Token exchange
  Request Headers:
    - Authorization -- Basic HTTP auth with client_id and client_password as per RFC2617
  Response Headers:
    - Content-Type -- application/json
    - Cache-Control -- no-store
    - Pragma -- no-cache
Request schema
  grant_type : String : required - Data required (new or existing on update)
    Must be set to "authorization_code"
  code : String : required - Data required (new or existing on update)
    The authorization code previously received
  redirect_uri : String : optional : default=null - Optional
    - URL
    Required if the redirect was included in the authorization request
  client_id : String : required - Data required (new or existing on update)
    Client id
Response schema
  access_token : String : required - Data required (new or existing on update)
    Access token
  id_token : String : optional : default=null - Optional
    A JWT that contains identity information about the user, digitally signed by mCASH. Always present for OpenID scopes. Described in OpenID ID token.
  token_type : String : required - Data required (new or existing on update)
    Type of access token; at this time it will always be Bearer
  expires_in : Integer : optional : default=null - Optional
    Lifetime in seconds of the access token
  refresh_token : String : optional : default=null - Optional
    Refresh token used to issue a new access token after expiration
  scope : String : optional : default=null - Optional
    - Value in address, bankid, email, fodselsnummer, openid, phone, profile, shipping_address
    Space-delimited list of scopes. Any of: "openid" (static id), "address" (user preferred address), "profile" (name), "phone", "email", "shipping_address", "fodselsnummer"
  currency : Currency : optional : default=null - Optional
    - length == 3
    Currency for fee
  fee : Money : optional : default="0.00"
    Authorization fee to be deducted from settlement
  report_id : String : optional : default=null
    The Report that this authorization is included in
  state : String : optional : default=null - Optional
    State parameter from authorization request
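The following client-side walk through the two steps documented above (building the GET /oauth2/auth redirect, checking the state on the way back, and composing and validating the POST /oauth2/token exchange) is an added example; it is not code from the mCASH documentation or any mCASH SDK. The base URL, client credentials, callback URL and the token response body are constructed placeholders; the field names, the Basic auth scheme, the required response headers and the scope list come from the schemas above. It builds the HTTP request as a dict rather than sending it, so it runs offline.

```python
import base64
import hmac
import json
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical base URL; substitute the real mCASH host.
AUTH_BASE = "https://mcash.example/oauth2"

# Scope values listed in the request/response schemas.
ALLOWED_SCOPES = {"address", "bankid", "email", "fodselsnummer", "openid",
                  "phone", "profile", "shipping_address"}


def new_state() -> str:
    """Unguessable per-login state value; the schema recommends it for CSRF protection."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id: str, state: str, scope: Optional[list] = None,
                            redirect_uri: Optional[str] = None) -> str:
    """Compose GET /oauth2/auth from the request schema; response_type must be "code"."""
    unknown = set(scope or []) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    params = {"response_type": "code", "client_id": client_id, "state": state}
    if scope:
        params["scope"] = " ".join(scope)  # space-delimited per the schema
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    return f"{AUTH_BASE}/auth?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the redirect back to the client; reject a mismatched state."""
    qs = parse_qs(urlsplit(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard this callback")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(client_id: str, client_password: str, code: str,
                        redirect_uri: Optional[str] = None) -> dict:
    """POST /oauth2/token with Basic auth (client_id:client_password) and the grant fields."""
    creds = base64.b64encode(f"{client_id}:{client_password}".encode()).decode()
    body = {"grant_type": "authorization_code", "code": code, "client_id": client_id}
    if redirect_uri:
        # Required when redirect_uri was sent in the authorization request.
        body["redirect_uri"] = redirect_uri
    return {
        "method": "POST",
        "url": f"{AUTH_BASE}/token",
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def parse_token_response(headers: dict, body: str) -> dict:
    """Check the token response against the documented headers and response schema."""
    if headers.get("Cache-Control") != "no-store" or headers.get("Pragma") != "no-cache":
        raise ValueError("token response must be marked non-cacheable")
    tok = json.loads(body)
    if "access_token" not in tok or "token_type" not in tok:
        raise ValueError("response missing required access_token/token_type")
    if tok["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {tok['token_type']!r}")
    granted = set(tok.get("scope", "").split())
    if granted - ALLOWED_SCOPES:
        raise ValueError(f"server granted undocumented scopes: {sorted(granted - ALLOWED_SCOPES)}")
    return {
        "access_token": tok["access_token"],
        "expires_in": tok.get("expires_in"),
        "refresh_token": tok.get("refresh_token"),
        "scope": granted,
        "has_id_token": "id_token" in tok,  # always present for OpenID scopes
    }
```

The state value is kept server-side in the client's session and compared with a constant-time comparison; a callback whose state does not match is dropped rather than exchanged, which is the CSRF protection the schema refers to. The token response check enforces the no-store/no-cache headers because the body carries bearer credentials that must never be cached by an intermediary.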
Fatal error¶
Endpoint for errors in the OAuth request.
Qrimage¶
A handler that generates a QR code image from a login cookie.
The QR code is encoded again with a QR-specific salt so that it differs from the cookie.
Authorization request¶
Authorization request handler
This is where the client redirects to, providing the required variables client_id and state and the optional variables scope, response_type and redirect. Optional variables can be looked up from client info if not provided.
provider.pre_authorization_view runs oauthlib.validate_authorization_request, checking the request data, before creating an AuthorizationRequest in the handler.
The AuthorizationRequest id can be used for QR scan and scan handling, for channel messages to the browser, and when redirecting back to the client.
- GET /oauth2/pre_auth¶
  Required auth level: TWOFACTOR
  Authorized roles: ALL
  kwargs contains client credentials, matching properties of AuthorizationRequest
- POST /oauth2/post_auth/<request_id>¶
  Required auth level: TWOFACTOR
  Authorized roles: ALL
  Look up the authorization request from request_id and return scope and credentials to oauthlib