Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


apiary
Post/oauth/apps/authorize

Purpose

This WS is designed to authorize user's scopes. Requested scopes should be allowed for user role, client type and client's broker scopes

Request parameters

  • access_token with scope "app:authorize" created for the user
  • client_id
  • redirect_uri
  • scope

Validation

Validate token

extract user_id from token

  • check user_id flag is blocked = false
    • in case error return 401

Validate client_id

  • validate client flag is_blocked = false
    • in case error return 401, "Client is blocked."

Validate redirect uri

  • check $.redirect_uri in (SELECT connections.redirect_uri from clients join connections on clients.id = connections.client_id where clients.id=$.client_id)
    • in case error return 401, "The redirection URI provided does not match a pre-registered value."

Validate scopes

  • check if $.scope is not null
    • in case error return 422, "Requested scope is empty. Scope not passed or user has no roles or global roles."
  • Extract user from token. Search for user roles. Check if $.scope in role.scope
    • in case error return 401, "Scope is not allowed by user role."
  • Check if $.scope in $.client_id. client_type
    • in case error return 401, "Scope is not allowed by client type."

Response

  • 201, in case authorization_code created
  • 4XX in other cases

...