OAuth - Web Application Flow

babylon-projekt/developer articles

How to authorize users to your OAuth App.

The flow to authorize users for your app is:

  1. Users are redirected to request their babili identity
  2. Users are redirected back to your site by babili
  3. Your app accesses the API with the user's access token, limited to the scopes that were requested.

1. Users are redirected to request their babili identity

GET http://babili.toboter.de/oauth/authorize

Params:
client_id string The client_id issued on application creation on babili.
scope string A space-delimited list of scopes. If not provided, scope defaults to an empty list (internally public).
redirect_uri string
response_type set to code

2. Users are redirected back to your site by babili

If the user accepts your request, babili redirects back to your site with a temporary code in a code parameter.

Exchange this code for an access token:

POST http://babili.toboter.de/oauth/token

Params:
client_id string The client_id issued on application creation on babili.
client_secret string The client_secret issued on application creation on babili.
code string The code returned from step 1.
grant_type set to authorization_code
redirect_uri string The URL in your application where users are sent after authorization.

Response

By default, the response takes the following form:

access_token=6039d4aa3df371e4d586ec1df6068776a3051199690c98898af3b244c356aa61&token_type=bearer

You can also receive the content in different formats depending on the Accept header:

Accept: application/json
{"access_token":"6039d4aa3df371e4d586ec1df6068776a3051199690c98898af3b244c356aa61", "scope":"public", "token_type":"bearer"}

Accept: application/xml
<OAuth>
  <token_type>bearer</token_type>
  <scope>public</scope>
  <access_token>6039d4aa3df371e4d586ec1df6068776a3051199690c98898af3b244c356aa61</access_token>
</OAuth>

3. Use the access token to access the API

The access token allows you to make requests to the API on behalf of a user.

GET http://babili.toboter.de/api/user?access_token=...

You can pass the token in the query params as shown above, but a cleaner approach is to include it in the Authorization header; this also keeps the token out of URLs, which tend to end up in server logs, proxy logs and browser history.

Authorization: token OAUTH-TOKEN

For example, in curl you can set the Authorization header like this:

curl -H "Authorization: token OAUTH-TOKEN" http://babili.toboter.de/api/user
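The three steps above as a small set of Python helpers. This is an added example, not code from the babili documentation or project: it builds the step 1 authorize URL, builds the step 2 token request body, parses the token response in each of the three documented formats, and builds the step 3 Authorization header. The base URL is the one documented above; the token values used in the docstrings are constructed placeholders, and no network request is made.

```python
"""Client-side helpers for the babili OAuth web application flow (added example)."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

BASE = "http://babili.toboter.de"  # base URL as given in the documentation


def build_authorize_url(client_id, redirect_uri, scope=""):
    """Step 1: URL the user is redirected to. response_type is always 'code'."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code"}
    if scope:  # an omitted scope defaults to the empty list ('public') server-side
        params["scope"] = scope
    return f"{BASE}/oauth/authorize?{urlencode(params)}"


def token_request_body(client_id, client_secret, code, redirect_uri):
    """Step 2: form body for POST /oauth/token; grant_type is fixed."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "code": code, "grant_type": "authorization_code",
                      "redirect_uri": redirect_uri})


def parse_token_response(body, content_type="application/x-www-form-urlencoded"):
    """Parse the token endpoint reply in any of the three documented formats.

    Returns {'access_token', 'token_type', 'scope'}; raises ValueError when the
    body carries no access_token (e.g. an error reply), so callers never treat
    an empty string as a usable credential.
    """
    if content_type.startswith("application/json"):
        data = json.loads(body)
    elif content_type.startswith("application/xml"):
        root = ET.fromstring(body)  # body comes from the token endpoint, not the browser
        if root.tag != "OAuth":
            raise ValueError(f"unexpected root element {root.tag!r}")
        data = {child.tag: (child.text or "") for child in root}
    else:
        # default form-encoded body: access_token=...&token_type=bearer
        data = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if not data.get("access_token"):
        raise ValueError("token response carries no access_token")
    return {"access_token": data["access_token"],
            "token_type": data.get("token_type", ""),
            "scope": data.get("scope", "")}


def auth_header(token):
    """Step 3: the documented header form, e.g. auth_header('CONSTRUCTED_TOKEN')."""
    return {"Authorization": f"token {token}"}
```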