Use this flow when you need to authenticate the user and need their authorization to make API calls on their behalf.
How it works
This flow requires the response_type=code parameter to indicate that you request an authorization code.
See the OIDC Details and Parameters for the full parameter lists.
Also check the documentation for OIDC Refresh Token on how to renew the access token.
Example
Authentication Request
The parameters in detail:
| Parameter | Description |
| --- | --- |
| client_id | You will receive the client ID from the Unidy team. |
| redirect_uri | This is where the browser is redirected after a successful login. |
| response_type | code indicates that an authorization code is requested. |
| scope | The access token will have these API rights. |

The response will be a redirect to a URL containing the authorization code:
https://docs.unidy.io/?code=S0KUZx5v5VvjuJ2UDX4rFP6MtS7aJQMQTroSscPqImc
Token Request
Request an access token in exchange for the authorization code:
curl -X 'POST' \
  'https://demo.unidy.de/oauth/token' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "ileuI8NDtt1WXEdp6xzekX7o7Sjp-m0lnQbWetmR4iQ",
    "client_secret": "<CLIENT_SECRET>",
    "code": "S0KUZx5v5VvjuJ2UDX4rFP6MtS7aJQMQTroSscPqImc",
    "grant_type": "authorization_code",
    "redirect_uri": "https://docs.unidy.io"
  }'
The response from the server has the following JSON format:
{
  "access_token": "<ACCESS_TOKEN>",
  "token_type": "Bearer",
  "expires_in": 7200,
  "refresh_token": "<REFRESH_TOKEN>",
  "scope": "tickets:read tickets:write",
  "created_at": 1234567890
}
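The client-side handling around the two requests above, as an added example that is not part of the original documentation or Unidy's own code: it builds the authentication request, validates the redirect before accepting the code, and prepares the token request. The state parameter (standard OAuth 2.0, not listed on this page), the authorization endpoint placeholder and all function names are assumptions.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: the authorization endpoint is not shown on this page; placeholder.
AUTHORIZE_ENDPOINT = "https://demo.unidy.de/<AUTHORIZATION_ENDPOINT_PATH>"
CLIENT_ID = "ileuI8NDtt1WXEdp6xzekX7o7Sjp-m0lnQbWetmR4iQ"  # from the page
REDIRECT_URI = "https://docs.unidy.io"  # from the page


def authentication_request(scope):
    """Return (url, state); keep state in the user's session for the callback."""
    state = secrets.token_urlsafe(32)  # assumption: standard OAuth 2.0 `state`
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "response_type": "code", "scope": scope, "state": state})
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Validate the redirect and return the authorization code."""
    got, want = urlsplit(callback_url), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path.rstrip("/")) != \
            (want.scheme, want.netloc, want.path.rstrip("/")):
        raise ValueError("callback does not match redirect_uri")
    params = parse_qs(got.query)
    if "error" in params:  # standard OAuth 2.0 error response
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch, discard this callback")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def token_request_body(code, client_secret):
    """JSON body for the token request, same fields as the curl example."""
    return json.dumps({"client_id": CLIENT_ID, "client_secret": client_secret,
                       "code": code, "grant_type": "authorization_code",
                       "redirect_uri": REDIRECT_URI})


def access_token_expiry(token_response):
    """Unix time at which the access token expires (created_at + expires_in)."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return token_response["created_at"] + token_response["expires_in"]
```

Keep the client secret on the server side only; the browser should see the authentication request and the redirect, never the token request.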