Call Your API Using the Hybrid Flow
This tutorial will guide you in calling your API using the Hybrid Flow. For details about how the flow works and why to use it, refer to Hybrid Flow.
Login 3.0 simplifies implementing the Hybrid Flow, enabling applications to securely exchange authorization codes for tokens and call protected APIs.
Prerequisites
Before starting:
1. Register your Application with Login 3.0:
   - Choose the appropriate Application Type.
   - Set an Allowed Callback URL (e.g., https://yourApp/callback).
   - Ensure your Application's Grant Types include both Implicit and Authorization Code.
2. Configure Refresh Tokens (optional): include the Refresh Token grant type if your application requires token renewal.
3. Register your API with Login 3.0: enable Allow Offline Access to support Refresh Tokens when tokens expire.
4. Define Scopes: include the scopes required by your API (e.g., openid email profile).
Authorize User
Request user authorization and redirect back to your application with an authorization code. This step may involve:
- Authenticating the user.
- Redirecting to an external Identity Provider for authentication.
- Checking for active Single Sign-On (SSO) sessions.
- Obtaining user consent for permissions (if not previously granted).
Example Authorization URL (the space in response_type is percent-encoded when sent):
    https://{yourDomain}/authorize?
        response_type=code%20id_token&
        response_mode=form_post&
        client_id={yourClientId}&
        redirect_uri=https://yourApp/callback&
        scope=SCOPE&
        audience=API_AUDIENCE&
        state=STATE&
        nonce=NONCE
Parameters:
- response_type: Indicates the credentials to return (e.g., code, id_token, code id_token).
- response_mode: Specifies how response parameters are returned (e.g., form_post).
- client_id: Your application's Client ID.
- redirect_uri: The URL to which Login 3.0 redirects after authorization. Must match your Application settings.
- scope: A space-separated list of scopes (e.g., profile email openid).
- audience: The unique identifier of the API you want to access.
- state: An unguessable random string your application generates and verifies on the callback, for CSRF protection.
- nonce: A cryptographically random string that is echoed in the id_token's nonce claim; your application verifies it to prevent token replay attacks.
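The state and nonce checks above are the part of this step most often left out, so here is an added example (not code from the page or from Login 3.0) of a server-side callback handler that generates both values, builds the /authorize URL, and then validates the form_post callback: state against the session, and the id_token's signature, issuer, audience, expiry and nonce. The domain, client ID, client secret and audience are constructed placeholders, and the example assumes the id_token is HS256-signed with the client secret (tenants that issue RS256 tokens verify against the JWKS instead; the claim checks are the same). make_test_id_token mints a constructed token so the whole thing runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed values for this example (not from the page); a real app reads them from config.
DOMAIN = "login.example.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"  # confidential (server-side) app only
REDIRECT_URI = "https://yourApp/callback"
API_AUDIENCE = "https://myapi.com/api"


def build_authorize_url(session):
    """Build the Hybrid Flow /authorize URL and remember state and nonce in the user's session.

    Both come from secrets.token_urlsafe, so they are unguessable: state is compared
    against the callback to stop CSRF, nonce against the id_token claim to stop replay."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["oauth_nonce"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code id_token",  # urlencode encodes the space
        "response_mode": "form_post",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "audience": API_AUDIENCE,
        "state": session["oauth_state"],
        "nonce": session["oauth_nonce"],
    }
    return f"https://{DOMAIN}/authorize?" + urlencode(params)


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_hs256_id_token(id_token, secret, expected_nonce, now=None):
    """Verify signature, issuer, audience, expiry and nonce of an id_token; return its claims.

    Assumption: HS256 signed with the client secret (swap in JWKS verification for RS256)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != f"https://{DOMAIN}/":
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims


def handle_callback(session, form):
    """Validate the form_post callback and return the authorization code for /oauth/token."""
    expected_state = session.pop("oauth_state", None)
    expected_nonce = session.pop("oauth_nonce", None)  # single use, whatever the outcome
    if not expected_state or not expected_nonce or not hmac.compare_digest(
            form.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch (possible CSRF)")
    verify_hs256_id_token(form.get("id_token", ""), CLIENT_SECRET, expected_nonce)
    return form["code"]


def make_test_id_token(nonce, exp=None, secret=CLIENT_SECRET):
    """Mint a constructed HS256 id_token so the checks above can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": f"https://{DOMAIN}/", "aud": CLIENT_ID, "sub": "example|user",
              "exp": int(time.time()) + 300 if exp is None else exp, "nonce": nonce}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    session = {}
    print(build_authorize_url(session))
    form = {"state": session["oauth_state"], "code": "constructed-code",
            "id_token": make_test_id_token(session["oauth_nonce"])}
    print("code to exchange:", handle_callback(session, form))
```

Both session values are popped before any check runs, so a callback can only be attempted once per authorization request, and the comparisons use hmac.compare_digest so a wrong state or nonce is not distinguishable by timing.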
Request Tokens
After obtaining an authorization code, exchange it for tokens at the Login 3.0 Token Endpoint (/oauth/token).
Example POST Request to Token Endpoint
    curl --request POST \
      --url 'https://{yourDomain}/oauth/token' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data grant_type=authorization_code \
      --data 'client_id={yourClientId}' \
      --data 'client_secret={yourClientSecret}' \
      --data 'code={yourAuthorizationCode}' \
      --data 'redirect_uri=https://yourApp/callback'
Parameters:
- grant_type: Set this to authorization_code.
- code: The authorization code obtained from the authorization step.
- client_id: Your application's Client ID.
- client_secret: Your application's Client Secret.
- redirect_uri: The valid callback URL set in your Application settings.
Response:
{
"access_token": "eyJz93a...k4laUWw",
"refresh_token": "GEbRxBN...edjnXbL",
"id_token": "eyJ0XAi...4faeEoQ",
"token_type": "Bearer"
}
Call API
To call your API, pass the Access Token as a Bearer token in the Authorization header of your HTTP request.
Example API Request
    curl --request GET \
      --url https://myapi.com/api \
      --header 'authorization: Bearer {accessToken}' \
      --header 'content-type: application/json'
Refresh Tokens
If your application requires long-term access, you can use a Refresh Token to obtain new tokens without re-authenticating the user. Ensure your API and application are configured to support Refresh Tokens.
Example Refresh Token Request
    curl --request POST \
      --url 'https://{yourDomain}/oauth/token' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data grant_type=refresh_token \
      --data 'client_id={yourClientId}' \
      --data 'refresh_token={yourRefreshToken}'
Response:
{
"access_token": "eyJ...MoQ",
"expires_in": 86400,
"scope": "openid offline_access",
"id_token": "eyJ...0NE",
"token_type": "Bearer"
}
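The Request Tokens, Call API and Refresh Tokens steps above are one procedure in a real application, so here is an added example (not code from the page or from Login 3.0) of a small server-side token client that performs the code exchange, attaches the Bearer header, and refreshes before expires_in runs out or after the API answers 401. The domain, client ID, client secret and API URL are constructed placeholders; the transport is injectable, and FakeAuthServer replays the page's sample responses so the example runs offline. Because the application is a confidential client, the refresh request also carries client_secret, which the page's curl omits.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed values for this example (not from the page); a real app reads them from config.
DOMAIN = "login.example.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"  # server side only; never shipped to a browser
REDIRECT_URI = "https://yourApp/callback"
API_URL = "https://myapi.com/api"
TOKEN_URL = f"https://{DOMAIN}/oauth/token"
EXPIRY_SKEW = 60  # refresh this many seconds before expires_in runs out


def http_post_form(url, fields):
    """Real transport: POST an application/x-www-form-urlencoded body, return the JSON reply."""
    req = Request(url, data=urlencode(fields).encode(), method="POST",
                  headers={"content-type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class TokenClient:
    """Holds the tokens from /oauth/token and refreshes them before they expire."""

    def __init__(self, post=http_post_form, clock=time.time):
        self._post, self._clock = post, clock
        self.access_token = self.refresh_token = None
        self._expires_at = None  # None: lifetime unknown, rely on the API's 401

    def _store(self, body):
        if "access_token" not in body:
            # Do not log the whole body: error replies may echo request parameters
            raise ValueError(f"token endpoint error: {body.get('error', 'unknown')}")
        self.access_token = body["access_token"]
        # Rotation: a refresh reply may carry a new refresh_token; otherwise keep the old one
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self._expires_at = self._clock() + body["expires_in"] if "expires_in" in body else None

    def exchange_code(self, code):
        """Request Tokens: trade the authorization code for tokens."""
        self._store(self._post(TOKEN_URL, {
            "grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code": code, "redirect_uri": REDIRECT_URI}))

    def refresh(self):
        """Refresh Tokens: confidential clients authenticate with client_secret here too."""
        if not self.refresh_token:
            raise RuntimeError("no refresh_token: request offline_access and enable Allow Offline Access")
        self._store(self._post(TOKEN_URL, {
            "grant_type": "refresh_token", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "refresh_token": self.refresh_token}))

    def needs_refresh(self):
        return self._expires_at is not None and self._clock() >= self._expires_at - EXPIRY_SKEW

    def auth_header(self):
        """Call API: the Authorization header, refreshing first if the token is about to expire."""
        if self.access_token is None:
            raise RuntimeError("exchange_code() has not been called")
        if self.needs_refresh():
            self.refresh()
        return {"authorization": f"Bearer {self.access_token}"}


def call_api(client, get):
    """get(url, headers) -> (status, body). Retries once after a refresh if the API says 401."""
    status, body = get(API_URL, client.auth_header())
    if status == 401 and client.refresh_token:
        client.refresh()
        status, body = get(API_URL, client.auth_header())
    return status, body


class FakeAuthServer:
    """Constructed stand-in for /oauth/token that replays the page's sample responses (offline only)."""

    def __init__(self):
        self.grant_types = []

    def post(self, url, fields):
        if url != TOKEN_URL:
            raise ValueError("unexpected URL")
        self.grant_types.append(fields["grant_type"])
        if fields["grant_type"] == "authorization_code":
            if fields["redirect_uri"] != REDIRECT_URI or fields["client_secret"] != CLIENT_SECRET:
                return {"error": "invalid_grant"}
            return {"access_token": "eyJz93a...k4laUWw", "refresh_token": "GEbRxBN...edjnXbL",
                    "id_token": "eyJ0XAi...4faeEoQ", "token_type": "Bearer"}
        return {"access_token": "eyJ...MoQ", "expires_in": 86400,
                "scope": "openid offline_access", "id_token": "eyJ...0NE", "token_type": "Bearer"}


if __name__ == "__main__":
    client = TokenClient(post=FakeAuthServer().post)
    client.exchange_code("constructed-code")
    print(call_api(client, lambda url, headers: (200, {"url": url, "sent": headers})))
```

The code-exchange response on the page carries no expires_in, so the client treats that lifetime as unknown and falls back to the API's 401; once a refresh response supplies expires_in, the client refreshes proactively with a 60-second margin and keeps the previous refresh_token whenever the reply does not rotate it.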