Authorization

OAuth 2.0 Grant Types

The OAuth 2.0 framework specifies several grant types for different use cases as well as a framework for creating new grant types. The most common OAuth 2.0 grant types are listed below.

  • Authorization Code
  • Password
  • Refresh Token

OAuth 2.0 Authorization Code Grant Type

The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token.

After the user logs in, the user is redirected back to the application/client at the redirect URL. The application reads the authorization code from that URL and uses it to request an access token from the token API endpoint. Once a token is granted, the application/client can use that token to make API requests.

Example of the Authorization Code Grant Type Using Zapier

  • Application/Client ID: Zapier
  • Authorization URL: https://data.emergencyreporting.com/auth/Authorize.php
  • Redirect URL: https://zapier.com/dashboard/auth/oauth/return/App55555API/

Get the User's Permission

<?php

$request = new HttpRequest();
$request->setUrl('https://data.emergencyreporting.com/auth/Authorize.php');
$request->setMethod(HTTP_METH_POST);

$request->setHeaders(array(
    'cache-control' => 'no-cache',
    'Content-Type' => 'application/json',
    'Ocp-Apim-Subscription-Key' => 'xxxxxproductsubscriptionkeyxxxxx'
));

$request->setBody('{
    "response_type": "code",
    "client_id": "Zapier",
    "username" : "xxxxxxxx",
    "password" : "xxxxxxxx",
    "state" : "xyz"
}');

try {
    $response = $request->send();

    echo $response->getBody();
} catch (HttpException $ex) {
    echo $ex;
}

Exchange the Authorization Code for an Access Token

<?php

$request = new HttpRequest();
$request->setUrl('https://data.emergencyreporting.com/authtoken/Token.php');
$request->setMethod(HTTP_METH_POST);

$request->setHeaders(array(
    'cache-control' => 'no-cache',
    'Ocp-Apim-Subscription-Key' => 'xxxxxproductsubscriptionkeyxxxxx',
    'Content-Type' => 'application/json'
));

$request->setBody('{
    "grant_type": "authorization_code",
    "code": "xxxxxxxxxxauthorizationcodexxxxxxxxxxxx",
    "client_id": "Zapier",
    "client_secret": "xxxxxxxxxxclientsecretxxxxxxxxxxx",
    "redirect_uri": "https://zapier.com/dashboard/auth/oauth/return/App55555API/"
}');

try {
    $response = $request->send();

    echo $response->getBody();
} catch (HttpException $ex) {
    echo $ex;
}

Verifying the Authorization Code Grant

After checking that all required parameters are present and authenticating the client, our authorization server continues verifying the remaining parts of the request. The server then checks that the authorization code is valid and has not yet expired.

If everything checks out, the authorization server will generate an access token and respond.

{
    "access_token": "xxxxxxxxxxaccesstokenxxxxxxxxxxxxxxxxxxx",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": null,
    "refresh_token": "xxxxxxxxxxrefreshtokenxxxxxxxxxxxxxxxxxx"
}
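As an added example (not the Emergency Reporting API's own code), here is the token-endpoint verification described above written in Python: required parameters are checked, the client is authenticated with a constant-time secret comparison, and the code is rejected if it is unknown, expired, already redeemed, or bound to a different client or redirect URI. The client registry, client secret and code lifetime are constructed placeholders.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory stores; a real server would use persistent storage.
CLIENTS = {"Zapier": {"secret": "client-secret-placeholder",
                      "redirect_uri": "https://zapier.com/dashboard/auth/oauth/return/App55555API/"}}
CODES = {}


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    issued_at: float
    ttl: int = 600            # authorization codes are short-lived (assumed 10 minutes)
    redeemed: bool = False    # a code may be exchanged exactly once


def issue_code(client_id, redirect_uri, now=None):
    """Mint an authorization code bound to the requesting client and its redirect URI."""
    code = secrets.token_urlsafe(32)
    CODES[code] = AuthCode(client_id, redirect_uri, time.time() if now is None else now)
    return code


def exchange_code(req, now=None):
    """Validate an authorization_code token request; return (http_status, response_body)."""
    now = time.time() if now is None else now
    required = ("grant_type", "code", "client_id", "client_secret", "redirect_uri")
    if any(k not in req for k in required):
        return 400, {"error": "invalid_request"}
    if req["grant_type"] != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    client = CLIENTS.get(req["client_id"])
    # Constant-time compare so the secret check does not leak timing information.
    if client is None or not hmac.compare_digest(client["secret"], req["client_secret"]):
        return 401, {"error": "invalid_client"}
    code = CODES.get(req["code"])
    if (code is None or code.redeemed or now > code.issued_at + code.ttl
            or code.client_id != req["client_id"]
            or code.redirect_uri != req["redirect_uri"]):
        return 400, {"error": "invalid_grant"}
    code.redeemed = True  # burn the code so a replayed exchange fails
    return 200, {"access_token": secrets.token_urlsafe(32), "expires_in": 3600,
                 "token_type": "Bearer", "scope": None,
                 "refresh_token": secrets.token_urlsafe(32)}
```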

OAuth 2.0 Password Grant Type

The OAuth 2.0 Password Grant Type is a way to get an access token by providing a username and password directly. This grant type is commonly used during development and may not always be available to third-party developers.

The Password grant is one of the simplest OAuth grants and involves only one step. The application presents a traditional username and password login form to collect the user's credentials and makes a POST request to the server to exchange the password for an access token. An example of the Password Grant POST request an application would make is shown below.

Exchange the Password for an Access Token

<?php

$request = new HttpRequest();
$request->setUrl('https://data.emergencyreporting.com/authpass/Token.php');
$request->setMethod(HTTP_METH_POST);

$request->setHeaders(array(
    'cache-control' => 'no-cache',
    'Content-Type' => 'application/json'
));

$request->setBody('{
    "grant_type": "password",
    "client_id": "Zapier",
    "client_secret": "434345353646547576868xcsfsfge3435",
    "username" : "xxxxxxx",
    "password" : "xxxxx"
}');

try {
    $response = $request->send();

    echo $response->getBody();
} catch (HttpException $ex) {
    echo $ex;
}

If the request was successful, the authorization server will generate an access token.

{
    "access_token": "xxxxxxxxxxaccesstokenxxxxxxxxxxxxxxxxxxx",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": null,
    "refresh_token": "xxxxxxxxxxrefreshtokenxxxxxxxxxxxxxxxxxx"
}
