Code Flow
The Authorization Code Flow (defined in OAuth 2.0 RFC 6749, section 4.1) exchanges a code obtained through the authorization step for an access token.
The access token is then used to fetch user data from the `/oauth/userinfo` API endpoint. The Authorization Code Flow can only be used with confidential applications, meaning the client secret can be kept secure and the token exchange takes place between backends. To authenticate from an SPA, please refer to Code Flow (PKCE) (recommended) or ID Token Flow.
Steps to perform the flow
```mermaid
sequenceDiagram
participant Client
participant AuthServer as Authorization Server
participant User
Client->>AuthServer: Authorization Request
AuthServer->>User: User Login/Consent
User-->>AuthServer: User Grant
AuthServer-->>Client: Authorization Code
Client->>AuthServer: Token Request (with Authorization Code)
AuthServer->>AuthServer: Validate Authorization Code
AuthServer-->>Client: Access Token, Refresh Token
Client->>AuthServer: Userinfo Request (with Access Token)
AuthServer->>AuthServer: Validate Access Token
AuthServer-->>Client: Userinfo Response
```
- User clicks login in the application
- A redirect to Unidy is performed including the parameters required for the authorization request
  - The response_type parameter is set to `code`
- Unidy asks the user to log in if not logged in yet
- Unidy requires the user to fill out missing profile data if Required User Attributes are configured
- Unidy redirects back to the `redirect_uri` including a `code` parameter, as a fragment by default. When using response_mode `form_post`, Unidy sends the code as a form post
- The application extracts the code and sends it to the `/oauth/token` endpoint with the parameters below as JSON:

| Parameter | Content |
| --- | --- |
| client_id | Unique identifier that corresponds to one of the UIDs in Unidy's partner Applications (provided by Unidy) |
| client_secret | Application secret provided by Unidy (must be stored securely) |
| redirect_uri | Endpoint where the data from Unidy should be returned (must be HTTPS) |
| grant_type | Must be set to `authorization_code` |
| code | The code obtained from the authorization step |

- Unidy responds with:
```json
{
  "access_token": "zuc7faJYHTGqAn9z84Q6X4qyyfAVEbJOicsADSqBTM0",
  "token_type": "Bearer",
  "expires_in": 7200,
  "refresh_token": "HMNTpMQZPGqnff5MgLQuA2GMw_VG5JAaVIHFccOWKeI",
  "scope": "openid",
  "created_at": 1687446442,
  "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlYyck9HQnZVR2dLZG1fRHhGUzdfS1EtRUUzTXBfdlVkUnBQODlJY2xrMVEifQ.eyJpc3MiOiJodHRwczovL2J0Yy1lY2hvLnN0YWdpbmcudW5pZHkuZGUiLCJzdWIiOiJjOTVkNWQ3NS0wYjMyLTQyNzgtODMwNi0wYWRjZDE5NThhNWIiLCJhdWQiOiI5dHUxek1PU095bVoycUluaEZfNDZITl9xemdxY2M3MTBDUzI5NmlPSVRBIiwiZXhwIjoxNjg3NDQ2NTYyLCJpYXQiOjE2ODc0NDY0NDIsIm5vbmNlIjoiNThqZzMyeGQweG8iLCJhdXRoX3RpbWUiOjE2ODc0NDYxNzB9.ioVQsiM5nYkUS1zuwfgYvWGtTgH1bibV6MdeXCDJxrifnUBFxHg-CHVUeftkk0ZGZWSlvbkN62WR_FI43rwJbTIocEXmWGoG-EML738pT1zvRvDrO3hskExg51AwICUswIjENNxCdVSqCWWWMvTs0UgcwA55DauCZNqoJxkpOjY05kdFhOnCxCJ1q903L3r7Rw43yVXRQtzc-3sDnzog0wIm7w9Ysq6JoyUdmRw9ng5-fvEEu_ou9EDwVTfZ5PzTF-pfQXu-wsLWJExLT89lzEqjyd568lnJAtsj-q4JiJ-p3Dsu7B4nSprOU6BqeVZQnFMJJJFrqCviaqarFenaQQ"
}
```
- The application uses the access token to fetch user data from the `/oauth/userinfo` endpoint. The access token must be sent in the Authorization header: `Authorization: Bearer <YOUR ACCESS TOKEN>`
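The steps above as an added worked example (not Unidy's own code or client library): a confidential backend client in Python that builds the authorization request, exchanges the code at `/oauth/token` with the JSON parameters from the table, and calls `/oauth/userinfo` with the Bearer token. The `/oauth/authorize` path, the tenant base URL, the credentials and the `state` check are assumptions not stated on this page; `fake_unidy` is a constructed stand-in for `urlopen` so the flow runs offline.

```python
import json
import secrets
import urllib.parse
import urllib.request
from io import BytesIO

# Placeholders (assumed, not real values): tenant base URL, client credentials, callback URL.
UNIDY_BASE = "https://<your-tenant>.unidy.de"
CLIENT_ID = "<CLIENT_ID>"                            # one of the UIDs in Unidy's partner Applications
CLIENT_SECRET = "<CLIENT_SECRET>"                    # backend-only secret, never shipped to a browser
REDIRECT_URI = "https://app.example/oauth/callback"  # must be HTTPS


def build_authorization_url(state: str) -> str:
    """Authorization request URL (response_type=code). /oauth/authorize is assumed, the page
    names only /oauth/token and /oauth/userinfo; 'state' is the RFC 6749 CSRF binding."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": state}
    return f"{UNIDY_BASE}/oauth/authorize?" + urllib.parse.urlencode(params)


def token_request_body(code: str) -> dict:
    """JSON body for POST /oauth/token, exactly the page's parameter table."""
    return {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI,
            "grant_type": "authorization_code", "code": code}


def handle_callback(query: dict, expected_state: str, http=urllib.request.urlopen) -> dict:
    """Backend callback handler: verify state, exchange the code, then fetch userinfo."""
    if not secrets.compare_digest(query.get("state", ""), expected_state):
        raise PermissionError("state mismatch: callback was not started by this session")
    if "code" not in query:
        raise ValueError("authorization response carries no code (inspect its 'error' field)")
    token_req = urllib.request.Request(f"{UNIDY_BASE}/oauth/token", method="POST",
                                       data=json.dumps(token_request_body(query["code"])).encode(),
                                       headers={"Content-Type": "application/json"})
    with http(token_req) as resp:
        tokens = json.load(resp)             # access_token, refresh_token, id_token, ...
    info_req = urllib.request.Request(f"{UNIDY_BASE}/oauth/userinfo",
                                      headers={"Authorization": f"Bearer {tokens['access_token']}"})
    with http(info_req) as resp:
        return json.load(resp)


def fake_unidy(req):
    """Constructed offline stand-in for urlopen so the flow can be exercised without a tenant."""
    if req.full_url.endswith("/oauth/token") and json.loads(req.data)["grant_type"] == "authorization_code":
        body = {"access_token": "TEST_TOKEN", "token_type": "Bearer", "expires_in": 7200}
    elif req.get_header("Authorization") == "Bearer TEST_TOKEN":
        body = {"sub": "user-123-constructed"}
    else:
        body = {"error": "invalid_request"}
    return BytesIO(json.dumps(body).encode())
```

In production the web framework stores the `state` value in the user's session before the redirect and passes it as `expected_state` when the callback arrives; the default `http` argument then talks to the real tenant.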
Refresh Access Token
Access tokens expire after 2 hours. You can refresh access tokens without user interaction by using the provided refresh token.
To refresh an access token, call the /oauth/token
endpoint with the following parameters: