Table of Contents |
---|
Purpose
This WS is designed to exchange authorization code with requested scopes to access token for user and client.
Key points
This method must be performed only on applications back-end.
Value of
client_secret
must not be exposed to applications front-end.
Specification
Validations
Validate grant type
Check
grant_type
field exists in request and is not nullin case of error - return 422 ('Request must include grant_type.')
Check
grant_type
field value equals to ‘authorization_code’in case of error - return 401 ('Grant type not allowed.')
Validate grant code
Check
code
field exists in request and is not nullin case of error - return 422 ('can't be blank')
Check grant code with value =
code
and name = ‘authorization_code’ exists in mithril database,tokens
tablein case of error - return 401 ('Token not found.')
Check grant code is not expired in mithril database,
tokens
table (expires_at
is in the future)in case of error - return 401 ('Token expired.')
Check grant code was not already used in mithril database,
tokens
table (details.used
<> true)in case of error - return 401 ('Token has already been used.')
Validate client
Check
client_id
and client_secret fields exist in request and are not emptyin case of error - return 422 ('can't be blank')
Check client is not blocked in mithril database,
tokens
table (is_blocked
<> true)in case of error - return 401 ('Client is blocked)
Check client from grant code equals to
client_id
in case of error - return 401 ('Token not found or expired.')
Check
client_secret
belongs to client through mithril database,connections
tablein case of error - return 401 ('Invalid client id or secret.')
Validate redirect uri
Check
redirect_uri
field exists in request and is not emptyin case of error - return 422 ('can't be blank')
Check
redirect_uri
in request equals to redirect uri in grant codein case error - return 401 ('The redirection URI provided does not match a pre-registered value.')
Check redirect uri belongs to client through mithril database,
connections
table usingclient_id
in case error - return 401 ('The redirection URI provided does not match a pre-registered value.')
Validate approvals
Check that approval for scopes list by
app_id
from grant code still exists in mithril database,apps
tablein case of error - return 401 ('Resource owner revoked access for the client.')
Service logic
Update grant code in mithril database,
tokens
table, set:details.used = true
updated_at = now()
Generate ‘access token’ with requested scopes for
user_id
andclient_id
based on value of ACCESS_TOKEN_JWT configuration parameter:true - generate token in JWT format according to /wiki/spaces/PCAB/pages/17426219114
false - generate token in existing format
Generate ‘refresh token’.
Save tokens that were generated in existing format to mithil database,
tokens
table, set:id = token uuid
name = token name (‘access_token’ or ‘refresh_token')
value = hased token
expires_at = date and time when token will be expired in unix-time format
details = additional details of token (scopes, client_id, grant_type, applicant_user_id, applicant_person_id, app_id)
applicant_user_id = value of
details.applicant_user_id
from grant code (if exists)applicant_person_id = value of
details.applicant_person_id
from grant code (if exists)app_id = uuid of approval between
user_id
,applicant_user_id
andclient_id
user_id = id of user
inserted_at = now()
updated_at = now()
Render a response according to specification.