ORESTAPI oauth2 authorization






Request

Item | Description | Notes
endpoint | /orestapi/oauth2/authorization | Endpoint for OAuth2 authorization code grant authorization flow
http method | GET
Header
authorization

OAuth


Parameters | https://tools.ietf.org/html/rfc6749#section-4.1.1
response_type

REQUIRED

Value MUST be set to "code".

Always use "code"; it is a static value.

client_id

REQUIRED

The client (Confluence instance) identifier

Created and stored during application linking
redirect_uri

REQUIRED

x-www-form-urlencoded format

REDIRECT_URI must match the setting for the APPLICATION:

The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3. The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component.

scope

REQUIRED

The scope of the access request


state

REQUIRED

The value is included when redirecting the user-agent back to the client

STATE is a control string that must be validated by the client




Response

Parent | Key | Value Type | Description | Notes
- | code

Generated by Odoo.

Must be included later in a token request LINK

Not reusable (can be used once)

REQUIRED. The authorization code generated by the authorization server.

The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once.

If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.

The authorization code is bound to the client identifier and redirection URI.

- | state

REQUIRED if the "state" parameter was present in the client authorization request.

The exact value received from the client in the request

The remote application should validate that the state is the same as the value it sent.
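
A client-side sketch of the request and response described above, added here as an example (it is not code from ORESTAPI, Odoo or Confluence). It builds the GET URL with the five required parameters and checks the returned state before accepting the code; the host names, client_id, scope value and function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZATION_PATH = "/orestapi/oauth2/authorization"  # endpoint from the Request table


def build_authorization_url(base_url, client_id, redirect_uri, scope):
    """Return (url, state) for the GET request described in the Request table."""
    parts = urlsplit(redirect_uri)
    # redirect_uri must be an absolute URI and must not include a fragment.
    if not parts.scheme or not parts.netloc or "#" in redirect_uri:
        raise ValueError("redirect_uri must be absolute and have no fragment")
    state = secrets.token_urlsafe(32)  # unguessable, one fresh value per request
    query = urlencode({
        "response_type": "code",  # static value
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode form-encodes the value
        "scope": scope,
        "state": state,
    })
    return f"{base_url.rstrip('/')}{AUTHORIZATION_PATH}?{query}", state


def read_authorization_response(callback_url, expected_state):
    """Validate state on the redirect back to the client and return the code."""
    params = parse_qs(urlsplit(callback_url).query)
    states, codes = params.get("state", []), params.get("code", [])
    # Require exactly one of each; missing or duplicated values are rejected.
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("callback must carry exactly one code and one state")
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard the response")
    return codes[0]  # single-use: send it in one token request only


if __name__ == "__main__":
    # Constructed sample values; hosts, client_id and scope are placeholders.
    url, state = build_authorization_url(
        "https://odoo.example.com", "confluence-client-id",
        "https://confluence.example.com/callback?space=DOC", "read")
    print(url)
    callback = f"https://confluence.example.com/callback?space=DOC&code=SAMPLECODE&state={state}"
    print(read_authorization_response(callback, state))
```

The client keeps the generated state in the user's session between the two calls and discards it after one comparison, whether or not the comparison succeeds.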