ЕСОЗ - public documentation


POST /oauth/apps/authorize

Purpose

This web service authorizes a user's scopes. Every requested scope must be allowed by the user's role, by the client type and by the client's broker scopes.

Request parameters

  • access_token with scope "app:authorize" created for the user
  • client_id
  • redirect_uri
  • scope

Validation

Validate token

  • extract user_id from the token
  • check that the user's is_blocked flag is false
    • in case of error return 401

Validate client_id

  • check that the client's is_blocked flag is false
    • in case of error return 401, "Client is blocked."

Validate redirect uri

  • check that $.redirect_uri is in (SELECT connections.redirect_uri FROM clients JOIN connections ON clients.id = connections.client_id WHERE clients.id = $.client_id)
    • in case of error return 401, "The redirection URI provided does not match a pre-registered value."

Validate scopes

  • check that $.scope is not null
    • in case of error return 422, "Requested scope is empty. Scope not passed or user has no roles or global roles."
  • extract the user from the token, look up the user's roles and check that $.scope is in role.scope
    • in case of error return 401, "Scope is not allowed by user role."
  • check that $.scope is in the scopes of the client type of $.client_id
    • in case of error return 401, "Scope is not allowed by client type."
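The validation chain above, written out as an added Python example (not the ЕСОЗ implementation). It models the tokens, users, clients and connections tables as constructed in-memory dicts, and assumes that $.scope is a space-separated list of scope names and that a user's allowed scopes are the union of the scopes of all of their roles; the redirect URI check is an exact string match, as the SQL `IN (SELECT ...)` implies, so a trailing slash or a different path is rejected.

```python
"""Added example: the validation steps of POST /oauth/apps/authorize.

Assumptions (not from the original page): data lives in plain dicts, the
requested scope is a space-separated string, and a user's allowed scopes are
the union of the scopes of all of their roles.
"""
from dataclasses import dataclass, field

# Constructed sample data standing in for the tokens, users, clients,
# roles and connections tables.
TOKENS = {
    "tok-alice": {"user_id": "u-alice", "scope": "app:authorize"},
    "tok-bob": {"user_id": "u-bob", "scope": "app:authorize"},
    "tok-noscope": {"user_id": "u-alice", "scope": "employee:read"},
}
USERS = {
    "u-alice": {"is_blocked": False, "roles": ["DOCTOR"]},
    "u-bob": {"is_blocked": True, "roles": ["DOCTOR"]},
}
ROLE_SCOPES = {"DOCTOR": {"employee:read", "declaration:write", "patient:read"}}
CLIENTS = {
    "c-mis": {"is_blocked": False, "client_type": "MIS"},
    "c-blocked": {"is_blocked": True, "client_type": "MIS"},
}
CLIENT_TYPE_SCOPES = {"MIS": {"employee:read", "declaration:write", "app:authorize"}}
# connections table rows: (client_id, redirect_uri)
CONNECTIONS = [
    ("c-mis", "https://mis.example/callback"),
    ("c-blocked", "https://other.example/cb"),
]


@dataclass
class Result:
    status: int
    message: str = ""
    scopes: set = field(default_factory=set)


def authorize(access_token, client_id, redirect_uri, scope):
    """Run the page's checks in order; return the first failure or a 201."""
    # Validate token: it must exist and carry the app:authorize scope.
    token = TOKENS.get(access_token)
    if token is None or "app:authorize" not in token["scope"].split():
        return Result(401, "Invalid access token.")
    # Extract user_id from the token and check the is_blocked flag.
    user = USERS.get(token["user_id"])
    if user is None or user["is_blocked"]:
        return Result(401, "User is blocked.")

    # Validate client_id: the client must exist and not be blocked.
    client = CLIENTS.get(client_id)
    if client is None or client["is_blocked"]:
        return Result(401, "Client is blocked.")

    # Validate redirect uri: exact match against the client's registered URIs.
    registered = {uri for cid, uri in CONNECTIONS if cid == client_id}
    if redirect_uri not in registered:
        return Result(401, "The redirection URI provided does not match "
                           "a pre-registered value.")

    # Validate scopes: non-empty, allowed by user role, allowed by client type.
    requested = set(scope.split()) if scope else set()
    if not requested:
        return Result(422, "Requested scope is empty. Scope not passed or "
                           "user has no roles or global roles.")
    role_scopes = set().union(*(ROLE_SCOPES.get(r, set()) for r in user["roles"]))
    if not requested <= role_scopes:
        return Result(401, "Scope is not allowed by user role.")
    if not requested <= CLIENT_TYPE_SCOPES.get(client["client_type"], set()):
        return Result(401, "Scope is not allowed by client type.")
    return Result(201, "authorization_code created", requested)


if __name__ == "__main__":
    print(authorize("tok-alice", "c-mis", "https://mis.example/callback",
                    "employee:read declaration:write"))
    print(authorize("tok-alice", "c-mis", "https://mis.example/callback/",
                    "employee:read"))
```

The order of the checks matters for what a caller learns: a blocked client is reported before the redirect URI is compared, and the scope checks only run once the token, client and redirect URI have all passed, so the role and client-type error messages are never returned for an unregistered redirect.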

Response

  • 201, in case the authorization_code was created
  • 4XX in all other cases
