ORESTAPI oauth2 authorization
The resource owner (an Odoo user) authorizes a Confluence application (the client) to obtain an access token.
We use the "authorization code" grant type.
https://tools.ietf.org/html/rfc6749#section-3.1
Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.
The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component.
Since requests to the authorization endpoint result in user authentication and the transmission of clear-text credentials (in the HTTP response), the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the authorization endpoint.
The authorization server MUST support the use of the HTTP "GET" method [RFC2616] for the authorization endpoint and MAY support the use of the "POST" method as well.
Request
https://tools.ietf.org/html/rfc6749#section-4.1.1
The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format (the URL is quoted so the shell does not treat `&` as a command separator):

```
curl -v -i -k -H "Authorization: OAuth" -X GET "https://example.com/orestapi/oauth2/authorization?response_type=code&client_id=CLIENT_ID&redirect_uri=URI&scope=read&state=STATE"
```
Item | Description | Notes
---|---|---
Endpoint | /orestapi/oauth2/authorization | Endpoint for the OAuth2 authorization code grant authorization flow
HTTP method | GET |
Header: Authorization | OAuth |
Parameters | https://tools.ietf.org/html/rfc6749#section-4.1.1 |
response_type | REQUIRED. Value MUST be set to "code". | Always use "code"; it is a static value
client_id | REQUIRED. The client (Confluence instance) identifier. | Created and stored during application linking
redirect_uri | REQUIRED. x-www-form-urlencoded format. | REDIRECT_URI must match the setting for the APPLICATION. The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3. The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component.
scope | REQUIRED. The scope of the access request. |
state | REQUIRED. The value is included when redirecting the user-agent back to the client. | STATE is a control string that must be validated by the client
Response
https://tools.ietf.org/html/rfc6749#section-4.1.2
If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format:

```
{ "code": "fsfsdfsdsd", "state": "fesfmsdpofmd89222" }
```
Parent | Key | Value Type | Description | Notes
---|---|---|---|---
- | code | | REQUIRED. The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI. | Generated by Odoo. Must be included later in a token request (LINK). Not reusable (can be used once).
- | state | | REQUIRED if the "state" parameter was present in the client authorization request. The exact value received from the client in the request. | The remote application should validate that state is the same as it was sent
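The rules quoted in the two tables above (code bound to client_id and redirect_uri, single use, 10-minute lifetime, redirect query preserved, no fragment) as a small authorization-server-side model. This is an added example, not ORESTAPI/Odoo code; the `CodeStore` class, `build_redirect` helper and the sample client values are assumptions made for illustration.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CODE_LIFETIME_SECONDS = 600  # RFC 6749 4.1.2: at most 10 minutes is RECOMMENDED


def build_redirect(redirect_uri, code, state):
    """Append code and state to the registered redirect URI, keeping any query
    component it already carries and rejecting a fragment (RFC 6749 3.1.2)."""
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        raise ValueError("redirect_uri MUST NOT include a fragment component")
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("code", code), ("state", state)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


class CodeStore:
    """Hypothetical in-memory issuer of single-use, short-lived authorization codes."""

    def __init__(self):
        self._codes = {}  # code -> record bound to client_id / redirect_uri

    def issue(self, client_id, redirect_uri, state, now=None):
        """Generate a code bound to this client and redirect URI and return the
        redirection URI that carries code and state back to the client."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "issued_at": now, "used": False}
        return build_redirect(redirect_uri, code, state)

    def redeem(self, code, client_id, redirect_uri, now=None):
        """True only if the code is unused, unexpired and presented by the same
        client_id and redirect_uri it was issued for. A replayed code is deleted;
        the caller should then revoke tokens already issued from it."""
        now = time.time() if now is None else now
        rec = self._codes.get(code)
        if rec is None:
            return False
        if rec["used"]:
            del self._codes[code]
            return False
        rec["used"] = True  # mark first, so even a failed attempt consumes it
        if now - rec["issued_at"] > CODE_LIFETIME_SECONDS:
            return False
        return rec["client_id"] == client_id and rec["redirect_uri"] == redirect_uri
```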