Authorization Code Flow

Authorize

GET <https://auth3.upbond.io/authorize>?
  audience=API_IDENTIFIER&
  scope=SCOPE&
  response_type=code&
  client_id=${account.clientId}&
  redirect_uri=${account.callback}&
  state=STATE

RESPONSE SAMPLE

HTTP/1.1 302 Found
Location: ${account.callback}?code=AUTHORIZATION_CODE&state=STATE

This is the OAuth 2.0 grant that regular web apps utilize to access an API.

Request Parameters

Parameter	Description
audience	The unique identifier of the target API you want to access.
scope	The scopes which you want to request authorization for. These must be separated by a space. You can request standard OpenID Connect (OIDC) scopes, such as profile and email, or custom claims that must conform to a namespaced format, or any scopes supported by the target API (e.g., read:contacts). Include offline_access to get a Refresh Token.
response_type Required	Indicates to Login 3.0 which OAuth 2.0 flow you want to use. Use code for Authorization Code Grant Flow.
client_id Required	Your application's ID.
state Recommended	An opaque value the application adds to the initial request that Login 3.0 includes when redirecting back to the application. This value must be used by the application to prevent CSRF attacks.
redirect_uri	The URL to which Login 3.0 will redirect the browser after authorization has been granted by the user.

Get Token

POST <https://auth3.upbond.io/oauth/token>
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=${account.clientId}&client_secret=YOUR_CLIENT_SECRET&code=AUTHORIZATION_CODE&redirect_uri=${account.callback}

curl --request POST \\
  --url '<https://auth3.upbond.io/oauth/token>' \\
  --header 'content-type: application/x-www-form-urlencoded' \\
  --data 'grant_type=authorization_code&client_id=${account.clientId}&client_secret=YOUR_CLIENT_SECRET&code=AUTHORIZATION_CODE&redirect_uri=${account.callback}'

var request = require("request");

var options = { method: 'POST',
  url: '<https://auth3.upbond.io/oauth/token>',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  form:
   { grant_type: 'authorization_code',
     client_id: '${account.clientId}',
     client_secret: 'YOUR_CLIENT_SECRET',
     code: 'AUTHORIZATION_CODE',
     redirect_uri: '${account.callback}' }
   };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

RESPONSE SAMPLE:

HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token":"eyJz93a...k4laUWw",
  "refresh_token":"GEbRxBN...edjnXbL",
  "id_token":"eyJ0XAi...4faeEoQ",
  "token_type":"Bearer",
  "expires_in":86400
}

This is the flow that regular web apps use to access an API. Use this endpoint to exchange an Authorization Code for a token.

Request Parameters

Parameter	Description
grant_type Required	Denotes the flow you are using. For Authorization Code, use authorization_code.
client_id Required	Your application's Client ID.
client_secret Required	Your application's Client Secret.
code Required	The Authorization Code received from the initial /authorize call.
redirect_uri	This is required only if it was set at the /authorize endpoint. The values from /authorize must match the value you set at /oauth/token.