The 3-legged OAuth flow allows your application to obtain an access token by redirecting a user to Crisalix and having them authorize your application.
Generate a URL to request access from Crisalix's OAuth 2.0 endpoint at https://sso.crisalix.com/auth/authorize.
Parameters
| client_id | Required. The client ID for your application. |
| redirect_uri | Required. Determines where the API server redirects the user after the user completes the authorization flow. |
| response_type | Required. Determines whether the Crisalix OAuth 2.0 endpoint returns an authorization code. Set the parameter value to code for web server applications. |
| state | Recommended. Specifies any string value that your application uses to maintain state between your authorization request and the authorization server's response |
In this step, the user decides whether to grant your application the requested access. He will be asked to sign up or sign in on Crisalix if needed.
The OAuth 2.0 server responds to your application's access request by using the URL specified in the request.
If the user approves the access request, then the response contains an authorization code. If the user does not approve the request, the response contains an error message. The authorization code or error message that is returned to the web server appears on the query string, as shown below:
An error response:
https://oauth2.example.com/callback?error=access_denied
An authorization code response:
After the web server receives the authorization code, it can exchange the authorization code for an access token.
To exchange an authorization code for an access token, call the https://sso.crisalix.com/auth/token endpoint and set the following parameters:
| code | The authorization code returned from the initial request. |
| client_id | The client ID for your application. |
| client_secret | The client secret for your application. |
| redirect_uri | Redirect URIs listed for your project. |
The following snippet shows a sample response:
{
:uid=>1,
:access_token=>"62e8bd54518215dda1d2b76b52424dc4",
:player_token=>"4cd42425b67b2d1add51281545db8e26",
:refresh_token=>"f3c6b63af086026a76fe5685b23c5847",
:expires_in=>86400
}
Note: The player_token doesn't expire but it changes everytime a user signs in. You can not include the player with the access_token. This is only for requesting the API.
Access tokens periodically expire. You can refresh an access token without prompting the user for permission (including when the user is not present) if you requested offline access to the scopes associated with the token.
To refresh the access token, call the https://sso.crisalix.com/auth/token endpoint and set the following parameters:
| refresh_token | The refresh token returned from the authorization code exchange. |
| client_id | The client ID for your application. |
| client_secret | The client secret for your application. |
| grant_type | As defined in the OAuth 2.0 specification, this field must contain a value of refresh_token. |
To revoke a token, your application makes a request to https://sso.crisalix.com/auth/revoke and set the following parameters:
| refresh_token | The refresh token returned from the authorization code exchange. |
| client_id | The client ID for your application. |
| client_secret | The client secret for your application. |