Code Flow

The Authorization Code Flow (defined in OAuth 2.0 RFC 6749, section 4.1) allows an application to exchange a code obtained through the authorization step for an access token.

The access token is then used to fetch user data from the oauth/userinfo API endpoint. The Authorization Code Flow can only be used with confidential applications, i.e. applications that can keep the client secret secure because the token exchange happens between backends. To authenticate from an SPA, please refer to Code Flow (PKCE) (recommended) or ID Token Flow.

Steps to perform the flow

sequenceDiagram
    participant Client
    participant AuthServer as Authorization Server
    participant User

    Client->>AuthServer: Authorization Request
    AuthServer->>User: User Login/Consent
    User-->>AuthServer: User Grant
    AuthServer-->>Client: Authorization Code
    Client->>AuthServer: Token Request (with Authorization Code)
    AuthServer->>AuthServer: Validate Authorization Code
    AuthServer-->>Client: Access Token, Refresh Token
    Client->>AuthServer: Userinfo Request (with Access Token)
    AuthServer->>AuthServer: Validate Access Token
    AuthServer-->>Client: Userinfo Response

  1. User clicks login in the application
  2. Redirect to Unidy is performed, including the parameters required for the authorization request
    • response_type parameter is set to code
  3. Unidy asks the user to log in if not logged in yet
  4. Unidy requires the user to fill out missing profile data if Required User Attributes are configured
  5. Unidy redirects back to the redirect_uri, including the code parameter (as a fragment by default)
    • When response_mode is set to form_post, Unidy sends the code as a form POST instead
  6. The application extracts the code and sends it to the /oauth/token endpoint with the parameters below as JSON:

    client_id: Unique identifier that corresponds to one of the UIDs in Unidy's partner applications (provided by Unidy)
    client_secret: Application secret provided by Unidy (must be stored securely)
    redirect_uri: Endpoint where the data from Unidy should be returned (must be HTTPS)
    grant_type: Must be set to authorization_code
    code: The code obtained from the authorization step
  7. Unidy responds with:

    {
        "access_token": "zuc7faJYHTGqAn9z84Q6X4qyyfAVEbJOicsADSqBTM0",
        "token_type": "Bearer",
        "expires_in": 7200,
        "refresh_token": "HMNTpMQZPGqnff5MgLQuA2GMw_VG5JAaVIHFccOWKeI",
        "scope": "openid",
        "created_at": 1687446442,
        "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlYyck9HQnZVR2dLZG1fRHhGUzdfS1EtRUUzTXBfdlVkUnBQODlJY2xrMVEifQ.eyJpc3MiOiJodHRwczovL2J0Yy1lY2hvLnN0YWdpbmcudW5pZHkuZGUiLCJzdWIiOiJjOTVkNWQ3NS0wYjMyLTQyNzgtODMwNi0wYWRjZDE5NThhNWIiLCJhdWQiOiI5dHUxek1PU095bVoycUluaEZfNDZITl9xemdxY2M3MTBDUzI5NmlPSVRBIiwiZXhwIjoxNjg3NDQ2NTYyLCJpYXQiOjE2ODc0NDY0NDIsIm5vbmNlIjoiNThqZzMyeGQweG8iLCJhdXRoX3RpbWUiOjE2ODc0NDYxNzB9.ioVQsiM5nYkUS1zuwfgYvWGtTgH1bibV6MdeXCDJxrifnUBFxHg-CHVUeftkk0ZGZWSlvbkN62WR_FI43rwJbTIocEXmWGoG-EML738pT1zvRvDrO3hskExg51AwICUswIjENNxCdVSqCWWWMvTs0UgcwA55DauCZNqoJxkpOjY05kdFhOnCxCJ1q903L3r7Rw43yVXRQtzc-3sDnzog0wIm7w9Ysq6JoyUdmRw9ng5-fvEEu_ou9EDwVTfZ5PzTF-pfQXu-wsLWJExLT89lzEqjyd568lnJAtsj-q4JiJ-p3Dsu7B4nSprOU6BqeVZQnFMJJJFrqCviaqarFenaQQ"
    }
    

  8. The application uses the access token to fetch user data from the /oauth/userinfo endpoint. The access token must be sent in the Authorization header:

    Authorization: Bearer <YOUR ACCESS TOKEN>

Refresh Access Token

Access tokens expire after 2 hours. You can refresh an access token without user interaction by using the refresh token returned with it. To refresh an access token, call the /oauth/token endpoint with the following parameters:

{
   "refresh_token":"<YOUR REFRESH TOKEN>",
   "grant_type":"refresh_token",
   "client_id":"<YOUR CLIENT ID>",
   "client_secret": "<YOUR SECRET>"
}
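Added example (not part of the Unidy documentation): a minimal Python backend helper covering steps 2, 6, 7 and 8 above plus the refresh timing from this section. The host, the /oauth/authorize path, the `state` handling and the injected `post` callable are assumptions; the /oauth/token and /oauth/userinfo paths and the response fields are those shown on this page.

```python
import secrets
from urllib.parse import urlencode, urlparse

# Assumption: your Unidy host. The authorize path is assumed; token and userinfo paths are from the docs.
UNIDY_BASE = "https://unidy.example.invalid"
AUTHORIZE_URL = f"{UNIDY_BASE}/oauth/authorize"
TOKEN_URL = f"{UNIDY_BASE}/oauth/token"
USERINFO_URL = f"{UNIDY_BASE}/oauth/userinfo"


def build_authorization_url(client_id, redirect_uri, scope="openid"):
    """Step 2: build the redirect to Unidy with response_type=code.
    A random state ties the later callback to this browser session (RFC 6749 section 4.1.1)."""
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must be HTTPS")
    state = secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def extract_code(callback_params, expected_state):
    """Step 6: accept the code from the callback only if its state is the one we issued."""
    if not secrets.compare_digest(callback_params.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback was not issued for this session")
    return callback_params["code"]


def token_request_body(client_id, client_secret, redirect_uri, code):
    """Step 6: JSON body for POST /oauth/token; the client_secret never leaves the backend."""
    return {"client_id": client_id, "client_secret": client_secret, "redirect_uri": redirect_uri,
            "grant_type": "authorization_code", "code": code}


def exchange_code(post, client_id, client_secret, redirect_uri, code):
    """Steps 6-7: send the code via an injected `post(url, json_body) -> dict` (your HTTP
    client) and check the response shape before trusting any field in it."""
    resp = post(TOKEN_URL, token_request_body(client_id, client_secret, redirect_uri, code))
    if resp.get("token_type") != "Bearer" or not resp.get("access_token"):
        raise RuntimeError(f"unexpected token response: {resp.get('error', resp)}")
    return resp


def userinfo_headers(token_response):
    """Step 8: Authorization header for GET /oauth/userinfo."""
    return {"Authorization": f"{token_response['token_type']} {token_response['access_token']}"}


def needs_refresh(token_response, now, leeway=60):
    """True once `now` is within `leeway` seconds of created_at + expires_in (7200 s = 2 hours)."""
    return now >= token_response["created_at"] + token_response["expires_in"] - leeway
```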