Authorization Code Flow
Authorization Code Flow is used to request OAuth tokens when your application wants to interact with data on behalf of a user. This flow is required if you are interacting with other companies' data. We recommend using an SDK, such as the oidc library, when implementing this flow.
For this flow, HCSS will provide 2 pieces of information: client_id, and one or more scopes. In addition, you will need to provide HCSS with a redirect_uri, which is the URI where our servers will redirect the user if they consent to sharing their data with your application.
First, direct the user to the authorize endpoint of our Identity API. For example,
client_id is provided by HCSS. The scope parameter is a space-separated string of scopes that HCSS provides as well. The user will be presented with a consent page, informing them of the scopes that your application is requesting. If the user consents, your application will get a callback at the redirect_uri that you specified. For example, if your redirect_uri is https://hcss.com/redirect, the callback will look like:
code is an authorization code that you will exchange for an access_token. You should verify that the state parameter is the same value that you sent to the /authorize endpoint. This protects against CSRF attacks.
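The state check described above, as an added example that is not HCSS code: it generates a state value for the authorize request and validates the callback before the code is used. The authorize URL is a placeholder and the function names are hypothetical; response_type=code is the standard OAuth 2.0 parameter for this flow.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder (assumption): substitute the real Identity API authorize URL.
AUTHORIZE_ENDPOINT = "https://identity.example.invalid/authorize"
REDIRECT_URI = "https://hcss.com/redirect"  # redirect_uri from the page's example


class CallbackError(Exception):
    """Raised when the callback must be rejected."""


def build_authorize_request(client_id, scopes):
    """Return (url, state). Keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # space-separated string of scopes
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def handle_callback(callback_url, expected_state):
    """Validate the redirect and return the authorization code."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [])
    # Require exactly one state value and compare it in constant time
    # with the value stored when the user was sent to /authorize.
    if (not expected_state or len(returned) != 1 or not hmac.compare_digest(
            returned[0].encode(), expected_state.encode())):
        raise CallbackError("state mismatch: possible CSRF, discard the code")
    if "error" in params:
        raise CallbackError(f"authorization failed: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise CallbackError("missing or duplicated code parameter")
    return codes[0]
```

Delete the stored state after the first callback so that a replayed redirect fails the same check.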
Here is an example request that exchanges the code for an access_token, using cURL:
curl --request POST \
  --header 'Content-Type: application/x-www-form-urlencoded'
If the request was successful, you will receive an access_token and can now make an API call on behalf of the user!
For a more detailed overview of authorization code flow, check out the docs on auth0.