Authorization Code Flows
A server-side web application able to securely store secrets requires controlled code management. The authorization code flow is recommended.
Authorization Code Flow
- Your solution application connects the browser to the Fortellis Log In page for users to authenticate.
- The browser processes an authorization code from your Fortellis authorization server.
- Next, the authorization code is directed to your solution application.
- Your application sends this code to Fortellis, which returns the access and ID tokens. A refresh token can optionally be returned as well.
- These tokens are used by your solution to call the resource server for the user.
A request authenticates the user and returns tokens with an authorization grant to the client application as part of the callback response. Refer to the example below:
The passed parameters in the authentication are in the table below:
||Matches the API key for your solution.|
||Indicates we're using the authorization code grant type.|
||The /token endpoint will return an ID token.|
||The callback location where the user-agent will be directed to with the code. This must match one of the Callback URLs you specified when you registered your solution.|
||An arbitrary alphanumeric string the authorization server will generate when redirecting the user-agent back to the client. It helps prevent cross-site request forgery.|
Learn more about OAuth 2.0 API standards.
Users without an existing session are directed to the Fortellis Log In page. After sessioned users authenticate, they'll be sent to the redirect_uri with a code like the one below:
The user session code is valid for 60 seconds and can be exchanged for tokens.
Exchanging the Code for Tokens
To exchange the code for access and ID tokens, pass it to your authorization server’s token endpoint. See the example below:
curl --request POST \
  --url https://identity.fortellis.io/oauth2/aus1p1ixy7YL8cMq02p7/v1/token \
  --header 'accept: application/json' \
  --header 'authorization: Basic MG9hY...' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code&redirect_uri=<your-callback-url>&code=<authorization-code>'
The following table defines the parameters that are passed in the exchange of code for tokens:
||The authorization_code, indicating the authorization code grant type is being used.|
||Must match the URI used to get the authorization code.|
||The authorization code received from the authorize endpoint.|
If the code is still valid, your application will receive the access and ID tokens:
The call to the token endpoint requires authentication. It uses HTTP Basic Auth, with the API key as the username and the API secret as the password. Your API key and API secret are in your Fortellis developer account. Because the secret must be sent with this call, the flow is only appropriate for applications that can guarantee the protection of the client secret.
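The callback check that the state parameter exists for, and the Basic-authenticated token request described above, as an added Python example that is not Fortellis code. It assumes the usual OAuth 2.0 arrangement in which the client application creates the state value before redirecting and verifies the same value on the callback; the function names and the app.example.test callback host are hypothetical, and the token URL is the one from the curl example.

```python
import base64
import hmac
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Token endpoint as shown in the curl example on this page.
TOKEN_URL = "https://identity.fortellis.io/oauth2/aus1p1ixy7YL8cMq02p7/v1/token"


def new_state() -> str:
    """Unguessable alphanumeric value; keep it in the user's server-side session."""
    return secrets.token_hex(32)


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if the callback state matches the session."""
    params = parse_qs(urlsplit(callback_url).query)
    states, codes = params.get("state", []), params.get("code", [])
    # Require exactly one of each; repeated parameters are treated as tampering.
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("callback must carry exactly one state and one code")
    # Constant-time comparison against the value stored before the redirect.
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible cross-site request forgery")
    return codes[0]


def build_token_request(code, redirect_uri, api_key, api_secret):
    """Build (but do not send) the POST that exchanges the code for tokens."""
    # Basic Auth: base64 of "API key:API secret".
    basic = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    body = urlencode({
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,  # must match the URI used to get the code
        "code": code,
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Accept": "application/json",
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })
```

Pass the returned request to urllib.request.urlopen from server-side code only, and discard the stored state after one use so a callback cannot be replayed.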