
Authorization Code

Published: October 2, 2018 | Updated: January 14th, 2020

Overview

The Authorization Code grant type is a two-step process: an authorization code is first requested, and that code is then exchanged for an access token.

Getting an Auth Code

GET
/oauth/authorize

Request

  • client_id (required) – The client ID making the request
  • redirect_uri (optional|required) – The URL to redirect back to. This parameter is required if no redirect URI is defined in the client settings, and also if “enforce redirect URI” is set in the plugin settings.
  • response_type (required) – Must be set to “code”
  • scope (optional) – Space delimited scope
  • state (optional) – Client generated CSRF token. This value will be passed back to the client.

Response

  • code (string) – The authorization code.
  • state (mixed) – If a state parameter was supplied in the request, it is returned unchanged.

Gaining an Access Token

Once you have the authorization code, you must make another request to obtain an access token. The authorization code is only valid for approximately 30 seconds.

Request

POST
/oauth/token
Authorization: Basic {base64 encoded client_id:client_secret}
  • grant_type (required) – Must be “authorization_code”
  • code (required) – The code returned from the authorization server
  • client_id (optional) – The client id
  • client_secret (optional) – The client secret
  • redirect_uri (optional) – URL to redirect the user back to
  • state (optional|required) – CSRF Token. Required if “enforce state” is enabled.

The parameters “client_id” and “client_secret” should be sent in the Authorization header when possible, but sending them in the request body is also supported.

FastCGI and CGI users may experience issues with header authorization. See https://wp-oauth.com/docs/common-issues/header-authorization-may-not-work-as-expected/.

Response

The response is returned in JSON format:

  • access_token – The access token
  • expires_in – Time the access token expires in seconds from current time
  • token_type – Type of token. “Bearer” is only supported
  • scope – The scopes authorized for this access token
  • refresh_token – The refresh token
{
 "access_token": "aph6jiiwsvgyt9j4fohayegypbo65f8fpjodpdckuiqho0p4wf",
 "expires_in": 3600,
 "token_type": "Bearer",
 "scope": "basic",
 "refresh_token": "g1b4cph2kjnwojzofajvqsfzb2oltjthtermizvlnzsaqjl2o9"
}

Requesting the user information with the newly obtained access token is straightforward. The token is sent in the Authorization header with the “Bearer” scheme:

curl -X GET \
  https://your-server.com/oauth/me/ \
  -H 'Authorization: Bearer aph6jiiwsvgyt9j4fohayegypbo65f8fpjodpdckuiqho0p4wf' \
  -H 'cache-control: no-cache'


In the event that the server is running CGI, header authorization may fail. If this happens, you can send the access token to the “me” endpoint as a GET (query string) parameter instead. If you send the access token via the URL rather than as a Bearer token, be sure to use HTTPS, since the token then appears in server and proxy logs.
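The two steps above, plus the final call to the “me” endpoint, as an added client-side example (not code from the WP OAuth Server plugin or its documentation). It builds the authorize URL, checks the returned state against the one the client generated before accepting the code, puts the client credentials in the Basic Authorization header for the token exchange, validates the token response, and produces the correct Bearer header. The server URL, client ID, secret and token values are constructed placeholders; no network calls are made, so the request is returned as (url, headers, body) for whatever HTTP client you use.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample mirroring the documented token response (not a real token).
SAMPLE_TOKEN_JSON = '{"access_token": "EXAMPLE_ACCESS", "expires_in": 3600, "token_type": "Bearer", "scope": "basic", "refresh_token": "EXAMPLE_REFRESH"}'

def build_authorize_url(server, client_id, redirect_uri, scope, state):
    """Step 1: the URL the user's browser is sent to; state binds the callback to this session."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{server}/oauth/authorize?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect; refuse it if the state does not match ours."""
    qs = parse_qs(urlparse(callback_url).query)
    returned_state = qs.get("state", [""])[0]
    if not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: possible CSRF, discard this callback")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]  # valid for roughly 30 seconds, exchange it immediately

def build_token_request(server, client_id, client_secret, code, redirect_uri, state):
    """Step 2: the POST to /oauth/token; credentials go in the Basic header, not the body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "state": state})
    return f"{server}/oauth/token", headers, body

def parse_token_response(raw_json, now=None):
    """Validate the token JSON and turn the relative expires_in into an absolute timestamp."""
    tok = json.loads(raw_json)
    if tok.get("token_type") != "Bearer":
        raise ValueError("only Bearer tokens are supported by this server")
    now = time.time() if now is None else now
    return {"access_token": tok["access_token"], "scope": tok.get("scope", ""),
            "expires_at": now + int(tok["expires_in"]),
            "refresh_token": tok.get("refresh_token")}

def bearer_headers(access_token):
    """Header for /oauth/me: 'Authorization: Bearer <token>', not 'Bearer: <token>'."""
    return {"Authorization": f"Bearer {access_token}"}
```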
