Authorization

The first request in the OAuth process when the client requests for authorization code

After approval Client will be given with client_id and client_secret.

This is the first request in the OAuth process when the client requests for authorization code by redirecting to the following URL:

{OAUTH_URL}/v1/oauth/authorize?client_id=07d60911ce2a37239becf5d90811324a&response_type=code&redirect_uri={client_redirect_url}&scope={requested_scopes}&state={client_state}

Parameters

Parameters	Description
client_id*	This is the client_id value that you received upon registration.
response_type*	Although Oauth supports different response_type values. The only value supported by Xoxoday is code
redirect_uri*	The URL domain must match to url which you have shared in the registration STEP 1.
scope*	The scope values must be the values mentioned as below. If there are multiple scopes send them separated by commas. For eg. profile_read,points_read,feed_manage. If the authorization request is for company session generation then user_session scope is compulsory.
state	As per Oauth protocol, this value is optional. This value is generated by the client. When the authorization request is completed the same value is passed to the client in the redirected URL so that client can verify the request.

Scopes :

Company Scopes

user_session (Used only for the case of Company access_token generation)

company_session

Oauth URL For:

Development - https://stagingaccount.xoxoday.com/chef

Production - https://accounts.xoxoday.com/chef

Sucess

If all the above parameters are validated successfully and user is already authenticated, then the user is redirected to following authorization consent page.

Failure

If the user is not authenticated, then the user will be redirected to the following login/signup page.

After authentication, the user will again be redirected to the authorization consent(allow/deny) page.

Allow

If the user allowed the request then the browser will be redirected to the following URL:

{client_redirect_url}?code=exxxx69660xxxxa6413c17d897xxxxx99&state={client_state}

Deny

If the user is denied access then the browser will be redirected to the following URL:

{client_redirect_url}?error=access_denied&error_description=The+user+denied+the+request&state={client_state}

In the above-redirected URL, code is a temporary token created on account of client allowed access which is valid for 5 min duration. Later this code is exchanged for access_token which is used for accessing xoxoday resources granted based on the scopes allowed by the user.