Client-Side Web Applications - Implicit Grant
In order to access our API from client-side web applications, such as a Single Page Application, you’ll need to implement the Implicit Grant OAuth2 flow.
This authorization flow is a one-step process:
- Request an access token
1. Authorize the user
Redirect the user to the /authorize endpoint. The user will authenticate and grant your application access for the requested scopes.
https://auth.homelyfe.com/authorize?
audience=API_IDENTIFIER&
scope=SCOPE&
response_type=token&
client_id=CLIENT_ID&
redirect_uri=REDIRECT_URI&
nonce=NONCE&
state=STATE
Request Parameters
Parameter | Value |
---|---|
audience | The API you are requesting access for (API Base URL) |
scope | The scopes that you want to request authorization for. Each scope must be separated by a space. |
response_type | token |
client_id | Your application’s Client ID (provided by Aventus when you registered your application) |
redirect_uri | The redirect_uri of your application, where authentication responses will be sent. The redirect URI must exactly match one of the callback URLs provided when registering your application. |
nonce | A string token which will be included in the ID token response. It is used to prevent token replay attacks. |
state | A randomly generated unique value included in the request that is also returned in the token response. It is used to prevent cross-site request forgery attacks. |
Response
At this point, the user is asked to enter their credentials and consent to the scopes requested by your application. After the user has granted consent to your application, Aventus sends a response to the redirect_uri with the access_token in the hash fragment.
https://REDIRECT_URI#access_token=TOKEN&state=STATE&token_type=TOKEN_TYPE&expires_in=EXPIRES_IN
Parameter | Description |
---|---|
access_token | The requested access token as a signed JSON Web Token (JWT). Your application can use this token to access the Aventus Platform API. |
state | The state parameter sent in the response should be the same value sent in the request. It is good practice to verify that the state values in the request and response are identical. |
token_type | Indicates the token type. The only token type supported by the Aventus Platform is Bearer. |
expires_in | How long the access token is valid (in seconds) |
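The following is an added example, not code from the Aventus documentation: it builds the /authorize request with a CSPRNG-generated state and nonce, then parses the hash-fragment response and rejects it unless the returned state matches the stored one. The helper names (randomToken, buildAuthorizeUrl, handleCallback), the STATE_KEY storage key and the use of sessionStorage are assumptions.

```javascript
// Added example: randomToken, buildAuthorizeUrl, handleCallback and STATE_KEY
// are hypothetical helpers, not part of the Aventus API.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto; // Node fallback
const AUTHORIZE_ENDPOINT = "https://auth.homelyfe.com/authorize";
const STATE_KEY = "oauth_state";

// 128 bits from a CSPRNG, hex-encoded; Math.random() is not suitable here.
function randomToken(bytes = 16) {
  const buf = rng.getRandomValues(new Uint8Array(bytes));
  return Array.from(buf, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Step 1: build the /authorize URL and remember the state for this session.
function buildAuthorizeUrl({ audience, scope, clientId, redirectUri },
                           store = globalThis.sessionStorage) {
  const state = randomToken();
  store.setItem(STATE_KEY, state);
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.search = new URLSearchParams({
    audience, scope, response_type: "token", client_id: clientId,
    redirect_uri: redirectUri, nonce: randomToken(), state,
  }).toString();
  return url.toString();
}

// Response: parse the hash fragment; accept the token only if state matches.
function handleCallback(hash, store = globalThis.sessionStorage) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const expected = store.getItem(STATE_KEY);
  store.removeItem(STATE_KEY); // single use: a replayed callback fails
  if (!expected || params.get("state") !== expected) {
    throw new Error("state mismatch: response was not initiated by this session");
  }
  const type = (params.get("token_type") || "").toLowerCase();
  if (type !== "bearer" || !params.get("access_token")) {
    throw new Error("unexpected token response");
  }
  return {
    accessToken: params.get("access_token"),
    expiresAt: Date.now() + Number(params.get("expires_in")) * 1000,
  };
}
```

On the redirect page, call handleCallback(window.location.hash) and then clear the fragment with history.replaceState so the token does not remain in the address bar or browser history.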
Updated over 5 years ago