Token retrieval via the OAuth protocol
Prerequisite
Any client
willing to use the OAuth protocol to perform operations on behalf of its users has to register his application on Mobilic API beforehand.
To do so, the client has to send an email at mobilic@beta.gouv.fr, mentioning the following informations :
requested environment (sandbox or production)
application name
redirect URLS list
Therefore, the client
will receive a client_id
and a client_secret,
allowing the use of the OAuth2 module.
Protocol
OAuth2 protocol allows applications (client
) used by road transportation companies to perform operations on Mobilic API (resource server
) on behalf of their users (resource owner
).
Practically speaking, OAuth method allows applications to retrieve access tokens on behalf on users, without knowing their passwords.
This page describes the procedure as it comes to implement the OAuth protocol and is written by Mobilic. It is not intended to cover all the details of the protocol itself. Many great resources regarding the protocol already exist online.
There are several OAuth protocols allowing a client
to retrieve an access token.
Mobilic implement "Authorization Code Grant", detailed here and in this diagram :
Here is the two entry points exposed by Mobilic:
for production environment
Authorization URL: https://mobilic.beta.gouv.fr/oauth/authorize
Token URL: https://mobilic.beta.gouv.fr/api/oauth/token
for sandbox environment
Authorization URL: https://sandbox.mobilic.beta.gouv.fr/oauth/authorize
A. User redirection to the Mobilic authorization URL
The client
starts the procedure by redirecting the user browser (or by opening a browser if the client application is not a web application) to Mobilic authorization URL.
The URL query string must contain the following items (cf https://tools.ietf.org/html/rfc6749#section-4.1.1):
client_id
: client ID provided by Mobilic APIresponse_type
: the valuecode
redirect_uri
: the chosen redirect URL
Example : https://mobilic.beta.gouv.fr/oauth/authorize?response_type=code&client_id=XXX&redirect_uri=http%3A%2F%2Fclient%2Eexample%2Ecom%2Fcallback
B. User authentification and explicit consent
Mobilic redirects the user to the authentification page (if not logged in) and then to the consent page.
The user (resource owner
) has the choice to accept or deny the client
access request:
C. Redirection to the client application with an authorization code
In the case where the user granted access, the browser is redirected to the redirect URL specified in the authorization request.
The redirect URL query string will contain an authorization code which stays valid 5 minutes.
Example : https://client.example.com/callback?code=XXX
.
D. Request an access token in exchange for the authorization code
The client
requests an access token with a POST
request on the token URL.
The request must contain the following arguments, with the format application/x-www-form-urlencoded
:
grant_type=authorization_code
code
, the authorization coderedirect_uri
, redirect URL mentioned in the authorization request.
The request must also be authenticated with the client IDs. This can be done in two ways:
adding the
client_id
and theclient_secret
as additional arguments in thePOST
requestadding the
client_id
and theclient_secret
in the header of the request with the basic method.
Example :
E. Access token retrieval
If the POST
request to the token URL is valid, the response will contain an access token. More precisely, a JSON response with the following structure:
On the contrary, if the request fails, the JSON response will get the following structure:
Last updated