Authorization Code Flow

Authorize

GET https://auth3.upbond.io/authorize?
  audience=API_IDENTIFIER&
  scope=SCOPE&
  response_type=code&
  client_id=${account.clientId}&
  redirect_uri=${account.callback}&
  state=STATE

RESPONSE SAMPLE

HTTP/1.1 302 Found
Location: ${account.callback}?code=AUTHORIZATION_CODE&state=STATE

This is the OAuth 2.0 grant that regular web apps (server-side applications that can keep a client secret) use to access an API. The browser is sent to /authorize; after the user authenticates, Login 3.0 redirects the browser back to redirect_uri with a short-lived Authorization Code, which the application then exchanges for tokens at /oauth/token.

Request Parameters

audience

The unique identifier of the target API you want to access.

scope

The scopes you are requesting authorization for, separated by a single space. You can request standard OpenID Connect (OIDC) scopes such as openid, profile and email (an id_token is issued only when openid is requested), custom claims (which must use a namespaced format), or any scopes the target API supports (e.g. read:contacts). Include offline_access to receive a Refresh Token in the token response.

response_type Required

Tells Login 3.0 which OAuth 2.0 flow you want to use. Use code for the Authorization Code Grant Flow.

client_id Required

Your application's Client ID.

state Recommended

An opaque value the application adds to the initial request; Login 3.0 returns it unchanged when redirecting back to the application. Generate a fresh, unguessable value for each login attempt, store it in the user's session before redirecting, and reject any callback whose state does not match the stored value. This is what prevents CSRF (login CSRF, where an attacker tricks a victim's browser into completing the flow with a code the attacker obtained).

redirect_uri

The URL to which Login 3.0 redirects the browser after the user has granted authorization. The same value must be sent again in the /oauth/token request.

Get Token

POST https://auth3.upbond.io/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=${account.clientId}&client_secret=YOUR_CLIENT_SECRET&code=AUTHORIZATION_CODE&redirect_uri=${account.callback}

curl --request POST \
  --url 'https://auth3.upbond.io/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code&client_id=${account.clientId}&client_secret=YOUR_CLIENT_SECRET&code=AUTHORIZATION_CODE&redirect_uri=${account.callback}'

// Node.js 18+ (global fetch). The deprecated `request` package used in the
// earlier version of this sample is replaced by the built-in fetch; the
// request sent is the same. Run this on your server: it carries the client secret.
async function getToken() {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: '${account.clientId}',
    client_secret: 'YOUR_CLIENT_SECRET',
    code: 'AUTHORIZATION_CODE',          // the code delivered to redirect_uri
    redirect_uri: '${account.callback}', // must equal the value sent to /authorize
  });

  const response = await fetch('https://auth3.upbond.io/oauth/token', {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });

  if (!response.ok) {
    throw new Error(`token exchange failed: HTTP ${response.status}`);
  }
  return response.json(); // access_token, id_token, refresh_token, token_type, expires_in
}

getToken().then(console.log).catch((error) => { throw error; });

RESPONSE SAMPLE:

HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token":"eyJz93a...k4laUWw",
  "refresh_token":"GEbRxBN...edjnXbL",
  "id_token":"eyJ0XAi...4faeEoQ",
  "token_type":"Bearer",
  "expires_in":86400
}

This is the flow that regular web apps use to access an API. Use this endpoint to exchange an Authorization Code for tokens. Call it from your server, never from the browser: the request carries the client secret. In the response, expires_in is the access token lifetime in seconds; refresh_token is present only if offline_access was requested at /authorize, and id_token only if the openid scope was requested.

Request Parameters

grant_type Required

Denotes the flow you are using. For Authorization Code, use authorization_code.

client_id Required

Your application's Client ID.

client_secret Required

Your application's Client Secret.

code Required

The Authorization Code received from the initial /authorize call. Codes are single-use and short-lived; exchange the code promptly and never reuse it.

redirect_uri

Required only if it was sent to the /authorize endpoint. The value must be identical to the one used at /authorize, otherwise the exchange is rejected.
