ЕСОЗ - публічна документація
RC Exchange oAuth Code Grant to Access Token
Purpose
This WS is designed to exchange authorization code with requested scopes to access token for user and client.
Key points
This method must be performed only on applications back-end.
Value of
client_secret
must not be exposed to applications front-end.
Specification
Validations
Validate grant type
Check
grant_type
field exists in request and is not nullin case of error - return 422 ('Request must include grant_type.')
Check
grant_type
field value equals to ‘authorization_code’in case of error - return 401 ('Grant type not allowed.')
Validate grant code
Check
code
field exists in request and is not nullin case of error - return 422 ('can't be blank')
Check grant code with value =
code
and name = ‘authorization_code’ exists in mithril database,tokens
tablein case of error - return 401 ('Token not found.')
Check grant code is not expired in mithril database,
tokens
table (expires_at
is in the future)in case of error - return 401 ('Token expired.')
Check grant code was not already used in mithril database,
tokens
table (details.used
<> true)in case of error - return 401 ('Token has already been used.')
Validate client
Check
client_id
and client_secret fields exist in request and are not emptyin case of error - return 422 ('can't be blank')
Check client is not blocked in mithril database,
tokens
table (is_blocked
<> true)in case of error - return 401 ('Client is blocked)
Check client from grant code equals to
client_id
in case of error - return 401 ('Token not found or expired.')
Check
client_secret
belongs to client through mithril database,connections
tablein case of error - return 401 ('Invalid client id or secret.')
Validate redirect uri
Check
redirect_uri
field exists in request and is not emptyin case of error - return 422 ('can't be blank')
Check
redirect_uri
in request equals to redirect uri in grant codein case error - return 401 ('The redirection URI provided does not match a pre-registered value.')
Check redirect uri belongs to client through mithril database,
connections
table usingclient_id
in case error - return 401 ('The redirection URI provided does not match a pre-registered value.')
Validate approvals
Check that approval for scopes list by
app_id
from grant code still exists in mithril database,apps
tablein case of error - return 401 ('Resource owner revoked access for the client.')
Service logic
Update grant code in mithril database,
tokens
table, set:details.used = true
updated_at = now()
Generate ‘access token’ with requested scopes for
user_id
andclient_id
based on value of ACCESS_TOKEN_JWT configuration parameter:true - generate token in JWT format according to Access tokens JWT format
false - generate token in existing format
Generate ‘refresh token’.
Save tokens that were generated in existing format to mithil database,
tokens
table, set:id = token uuid
name = token name (‘access_token’ or ‘refresh_token')
value = hased token
expires_at = date and time when token will be expired in unix-time format
details = additional details of token (scopes, client_id, grant_type, applicant_user_id, applicant_person_id, app_id)
applicant_user_id = value of
details.applicant_user_id
from grant code (if exists)applicant_person_id = value of
details.applicant_person_id
from grant code (if exists)app_id = uuid of approval between
user_id
,applicant_user_id
andclient_id
user_id = id of user
inserted_at = now()
updated_at = now()
Render a response according to specification.
ЕСОЗ - публічна документація