Authorization Code Flow

Authorization Code Flow is used to request OAuth tokens when your application wants to interact with data on behalf of a user.  This flow is required if you are interacting with other companies' data.  We recommend using an SDK, such as the oidc library, when implementing this flow.

For this flow, HCSS will provide two pieces of information: a client_id and one or more scopes.  In addition, you will need to provide HCSS with a redirect_uri, which is the URI where our servers will redirect the user if they consent to sharing their data with your application.

First, direct the user to the authorize endpoint of our Identity API.  For example,

https://api.hcssapps.com/identity/connect/authorize
    ?client_id=YOUR_CLIENT_ID
    &scope=YOUR_SCOPE
    &response_type=code
    &redirect_uri=YOUR_REDIRECT_URI
    &state=YOUR_OPAQUE_VALUE

The client_id is provided by HCSS.  The scope parameter is a space-separated string of scopes that HCSS provides as well.  The user will be presented with a consent page, informing them of the scopes that your application is requesting.  If the user consents, your application will get a callback at the redirect_uri that you specified.  For example, if your redirect_uri is https://hcss.com/redirect, the callback will look like:

https://hcss.com/redirect
    ?code=g0ZGZmN
    &state=YOUR_OPAQUE_VALUE

The code is an authorization code that you will exchange for an access_token.  You should verify that the state parameter is the same value that you sent to the /authorize endpoint.  This protects against CSRF attacks.

Here is an example request that exchanges the code for an access_token, using cURL:

curl --request POST \
    --url 'https://api.hcssapps.com/identity/connect/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=authorization_code' \
    --data-urlencode 'client_id=YOUR_CLIENT_ID' \
    --data-urlencode 'code=g0ZGZmN' \
    --data-urlencode 'redirect_uri=YOUR_REDIRECT_URI'

If the request was successful, you will receive an access_token and can now make an API call on behalf of the user!
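The three steps above (build the /authorize URL, check state on the callback, exchange the code) tied together in Python, as an added example rather than HCSS's own SDK code: the endpoint URLs are the ones on this page, client_id, scopes and redirect_uri are placeholders, and the post parameter is an injectable hook so the token exchange can be exercised without network access.

```python
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://api.hcssapps.com/identity/connect/authorize"
TOKEN_URL = "https://api.hcssapps.com/identity/connect/token"

# States handed out but not yet redeemed; a real app binds each one to the user's session.
_pending_states = set()

def build_authorize_url(client_id, scopes, redirect_uri):
    """Return the /authorize URL to send the user to, and the state bound to it."""
    state = secrets.token_urlsafe(32)  # unguessable, so a forged callback cannot match
    _pending_states.add(state)
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),  # HCSS expects a space-separated scope string
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params), state

def parse_callback(callback_url):
    """Pull code and state out of the redirect_uri callback; reject unknown state."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if state is None or state not in _pending_states:
        raise ValueError("state mismatch: possible CSRF, discarding callback")
    _pending_states.discard(state)  # one-time use, so a replayed callback also fails
    if code is None:
        raise ValueError("callback carried no authorization code")
    return code

def _http_post(url, body):
    """Default transport: real POST to the token endpoint, JSON response parsed."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def exchange_code(client_id, code, redirect_uri, post=_http_post):
    """POST the code to the token endpoint with the same fields as the cURL request above."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "client_id": client_id,
                                   "code": code, "redirect_uri": redirect_uri}).encode()
    return post(TOKEN_URL, body)  # parsed JSON, including access_token on success
```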

For a more detailed overview of authorization code flow, check out the docs on auth0.