Kristoffer Pöpperling edited this page Jun 25, 2018 · 1 revision

Workflow

Registration of a fryd Spot (an external application)

To connect to the fryd API, you first have to register the application with fryd. You need the following information:

  • Application-name
  • An icon for the application (OPTIONAL)
  • The URL of the application homepage
  • A short description of the application
  • A link to the privacy policies of the application
  • A redirect URL

All of this information must be provided if you want to become a developer and create an API connection. fryd then generates a client_id and a client_secret.

Social Login to Authorization Code

Fryd can be used to handle the user authorization and responds with an authorization code if the login was successful. The following parameters are needed for the authorization:

  • client_id
  • redirect_uri
  • state (optional)

Example:
https://api.fryd.zone/auth/login?client_id=29352735982374239857&redirect_uri=https://sampleApp.com/callback_login&state=xcoivjuywk

Example response after successful login:
https://sampleApp.com/callback_login?code=g0ZGZmNjVmOWI&state=xcoivjuywk

Authorization Request to Authorization Code

The user makes an authorization request through the external application, which should be implemented as a link. The following parameters are needed for the authorization:

  • client_id
  • redirect_uri
  • response_type (must be code)
  • state (optional)

Example:
https://api.fryd.zone/auth?response_type=code&client_id=29352735982374239857&redirect_uri=https://sampleApp.com/callback&state=xcoivjuywk

The user is taken to a fryd popup window, where he must log in with his fryd account. After that he sees which rights and information about the user the external application wants from fryd. The user can then decide whether to accept or decline. If he accepts, fryd sends an authorization code using the application's redirect URL.

Example response:
https://sampleApp.com/callback?code=g0ZGZmNjVmOWI&state=xcoivjuywk

Authorization Code to Access Token

To get an access token and a refresh token with the authorization code, the external application needs to send a POST request to the fryd OAuth2 Service Endpoint. The following parameters are needed:

  • grant_type: REQUIRED. Should be "authorization_code".
  • code: REQUIRED. Should be the authorization code.
  • redirect_uri: REQUIRED.
  • client_id: REQUIRED.
  • client_secret: REQUIRED.
  • state: OPTIONAL.

Example:


POST /auth/token HTTP/1.1
Host: api.fryd.zone

grant_type=authorization_code
&code=xxxxxxxxxxx
&redirect_uri=https://sampleApp.com/redirect
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
&state=12345678


Fryd generates an access token and a refresh token if everything is correct. The access token is valid for 7 days, the refresh token for 14 days. The refresh token can be used only once.
Example response:


HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3",
"token_type":"bearer",
"expires_in":86400,
"refresh_token":"IwOGYzYTlmM2YxOTQ5MGE3YmNmMDFkNTVk",
"scope":"info+check",
"state":"12345678"
}
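
How the external application can tie the callback to the login it started and prepare the token request, as an added example that is not part of the fryd documentation. It always sends state, although the page lists it as optional, and checks it before the code is exchanged; the session dictionary, the function names and the secret passed in are assumptions, while the endpoint and sample values are the ones shown above.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://api.fryd.zone/auth"      # endpoint from the page
CLIENT_ID = "29352735982374239857"                # sample value from the page
REDIRECT_URI = "https://sampleApp.com/callback"   # sample value from the page


def build_authorization_url(session):
    """Build the authorization link and store a fresh state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    session["oauth_state"] = state     # 'session' is a hypothetical per-user store
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTH_ENDPOINT}?{query}"


def handle_callback(callback_url, session, client_secret):
    """Check the redirect, then return the form fields for POST /auth/token."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    received = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    # Send these fields from the server only, so client_secret never reaches the browser.
    return {
        "grant_type": "authorization_code",
        "code": codes[0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
```
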


Refresh Token to Access Token

The exchange works similarly to the authorization code exchange: a POST request to the fryd OAuth2 Service Endpoint with the same parameters. The only difference is that "grant_type" is refresh_token and the refresh token is sent in place of the code.
Example:


POST /auth/token HTTP/1.1
Host: api.fryd.zone

grant_type=refresh_token
&refresh_token=xxxxxxxxxxx
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
&state=12345678


Client Credentials to Access Token

The exchange works similarly to the authorization code exchange, with a POST request to the fryd OAuth2 Service Endpoint, but the application identifies itself by its client credentials and the "grant_type" is client_credentials. The access token that fryd sends back in this workflow can only be used to get information about the application itself, not to get any kind of user information or to track any trophies.
Example:


POST /auth/token HTTP/1.1
Host: api.fryd.zone

grant_type=client_credentials
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
&state=12345678

