JetBrains SpaceCode Preview Help

Implicit Flow

Basics

  • Authorization on behalf of a SpaceCode user.

  • Suitable for JavaScript applications that run in a web browser.

  • In the Implicit Flow, the application sends a user to SpaceCode via a link. After the user logs in to SpaceCode, SpaceCode redirects the user back to the application using the specified redirect URI. The redirect contains an access token for the application.

  • For more details on the flow, refer to Implicit flow specification.

How to implement

To implement the implicit flow, use the SpaceCodeHttpClient().withCallContext() method.

Initial request

To start the authorization process, the application redirects the user's browser to the authorization endpoint <SpaceCode service URL>/oauth/auth, passing the parameters in the following format:

${SpaceCode Service URL}/oauth/auth?response_type=token&state=${State}&redirect_uri=${Client redirect URI}&request_credentials=${Request credentials mode}&client_id=${Client service ID}&scope=${Scope}

For example:

https://mycompany.jetbrains.space/oauth/auth?response_type=token&state=9b8fdea0-fc3a-410c-9577-5dee1ae028da&redirect_uri=https%3A%2F%2Fmyservice.company.com%2Fauthorized&request_credentials=skip&client_id=98071167-004c-4ddf-ba37-5d4599fdf319&scope=0-0-0-0-0%2098071167-004c-4ddf-ba37-5d4599fdf319

To obtain an access token from SpaceCode, your application needs to provide values for the following parameters in authorization requests:

response_type

Specifies the response type of the OAuth 2.0 authorization request. Set the value to token, which selects the Implicit Flow (the access token is returned directly in the redirect).

state

An opaque value that ties the response back to the request that produced it. The application generates it per request, keeps a copy locally (for example, as the key of a local storage object that records the user's current location in the application), and after the redirect accepts a response only if the state it carries matches the stored copy; a mismatch means the response was not produced by this application's own request. Use an unguessable, randomly generated value so that an attacker cannot craft a redirect with a matching state.

redirect_uri

A URI in your application that can handle responses from SpaceCode. This must be one of the URIs specified during the application registration.

request_credentials

A parameter that determines whether the user should be asked to log in. The following values are valid:

  • skip — use when the application allows anonymous access.

    • If the user is already logged in to SpaceCode, the user is granted access to the application.

    • If the user is not logged in to SpaceCode and the guest account is not banned, the user is granted access to the application as a guest.

    • If the user is not logged in to SpaceCode and the guest account is banned, the user is redirected to the login page.

  • silent — same as skip, but redirects the user to the application in all cases. If the guest account is banned, the user is redirected to the application with an authentication error.

  • required — logs the user out of SpaceCode and redirects them to the login page. Use as a response to a logout request in the application.

  • default — use when the application does not allow anonymous access.

    • If the user is already logged in to SpaceCode, the user is granted access to the application.

    • If the user is not logged in to SpaceCode, the user is redirected to the login page.

client_id

The ID of the application as registered in SpaceCode. To get the client ID, go to Administration → Applications and choose your application from the list.

scope

A space separated list of rights required to access specific resources in SpaceCode.

Learn more about permission scope format.

Handle response

The application must be able to handle responses from SpaceCode at the URL specified as redirect_uri. Response parameters are passed after the hash sign, in the fragment component of the URL. Browsers do not send the fragment to the server, so the access token never appears in the request to the redirect_uri host or in its server logs. It is, however, readable by any script running on that page and is recorded in the browser history, so the application should read the parameters from the fragment as soon as the page loads, remove them from the address bar (for example, with history.replaceState) and treat the token as a secret from then on. If the resource owner grants the access request, SpaceCode issues an access token and delivers it to the application by adding the following parameters to the fragment component of the redirection URI using the application/x-www-form-urlencoded format:

Parameter

Description

access_token

The access token issued by SpaceCode.

token_type

The type of the token issued by SpaceCode. Value is case insensitive.

expires_in

The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.

scope

Optional, if identical to the scope requested by the application; otherwise, required. A space separated list of rights required to access specific resources in SpaceCode.

state

Required if the "state" parameter was included in the application's authorization request. The value is exactly the one the application sent; the application must compare it with its stored copy and discard the response if they differ.

Handle error response

If the request fails due to a missing, invalid, or mismatching redirect URI, or if the application identifier is missing or invalid, the SpaceCode server informs the resource owner of the error and does not automatically redirect the browser to the invalid redirection URI.

If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the application by adding the following parameters to the fragment component of the redirect URI using the application/x-www-form-urlencoded format:

error

A single ASCII error code from the following:

  • invalid_request — The authorization request to SpaceCode is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.

  • unauthorized_client — The redirect_uri of the application is missing or does not match a registered URI.

  • access_denied — The resource owner or SpaceCode denied the request.

  • unsupported_response_type — The parameter response_type is either missing or has an invalid value.

  • invalid_scope — The parameter scope is missing, or the scope for which authorization is requested does not match permissions registered and authorized for the application.

error_description

Human-readable ASCII text providing additional information, used to assist the application developer in understanding what went wrong.
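Handling both the success response and the error response described above on the redirect_uri page, as an added example that is not part of the SpaceCode documentation or SDK. The fragment parameters are the ones listed on this page; the storage key, the stored record format and the local error codes state_mismatch and invalid_response are this example's own assumptions. The state check is deliberately applied to error responses as well, since an attacker can craft a redirect with an error parameter just as easily as one with a token.

```javascript
// Added example (not SpaceCode's own code): parsing and validating the
// Implicit Flow redirect in the browser. STATE_KEY, the stored record format
// and the local error codes below are this example's assumptions.

// Assumed storage key, written before the redirect as JSON { state, returnTo }.
const STATE_KEY = 'spacecode_oauth_state';

// Pop the expected state (and the location to return to) from storage. The
// record is removed before it is compared, so it can be matched only once: a
// replayed redirect, or one an attacker sends to the user, finds no match.
function consumeExpectedState(storage) {
  const raw = storage.getItem(STATE_KEY);
  storage.removeItem(STATE_KEY);
  if (raw === null) return null;
  try {
    const record = JSON.parse(raw);
    return record !== null && typeof record === 'object' ? record : { state: String(record) };
  } catch {
    return { state: raw }; // a caller that stored the bare state string
  }
}

// Parse and validate the redirect URI. `href` is window.location.href in a
// real application; `now` (milliseconds) is injectable so expiry is testable.
function handleRedirect(href, storage, now = Date.now()) {
  const url = new URL(href);
  // The parameters sit in the fragment in application/x-www-form-urlencoded
  // form; URLSearchParams decodes them (both %20 and '+' become a space).
  const params = new URLSearchParams(url.hash.startsWith('#') ? url.hash.slice(1) : url.hash);
  const expected = consumeExpectedState(storage);
  const state = params.get('state');

  // 1. state must be present and equal the value this browser sent.
  if (!expected || !state || state !== expected.state) {
    return { ok: false, error: 'state_mismatch',
      errorDescription: 'response state does not match the pending request' };
  }
  // 2. Error response: SpaceCode placed `error` (and optionally
  //    error_description) in the fragment instead of a token.
  if (params.has('error')) {
    return { ok: false, error: params.get('error'),
      errorDescription: params.get('error_description') || '', returnTo: expected.returnTo || '/' };
  }
  // 3. Success response: access_token and token_type are mandatory.
  const accessToken = params.get('access_token');
  const tokenType = params.get('token_type');
  if (!accessToken || !tokenType) {
    return { ok: false, error: 'invalid_response',
      errorDescription: 'access_token or token_type missing from the fragment' };
  }
  // expires_in is a lifetime in seconds; convert it to an absolute deadline.
  const expiresIn = Number(params.get('expires_in'));
  const expiresAt = Number.isFinite(expiresIn) && expiresIn > 0 ? now + expiresIn * 1000 : null;
  return {
    ok: true,
    accessToken,
    tokenType: tokenType.toLowerCase(), // the value is case-insensitive
    expiresAt,
    // scope is omitted when it equals the requested scope; null means "as requested".
    scope: params.get('scope'),
    returnTo: expected.returnTo || '/',
  };
}

// Remove the token-bearing fragment from the address bar and history so it
// is not exposed through history, bookmarks or a copied link.
function clearFragment() {
  if (typeof history !== 'undefined' && typeof location !== 'undefined') {
    history.replaceState(null, '', location.pathname + location.search);
  }
}

// Browser entry point for the redirect_uri page; a no-op outside a browser.
if (typeof window !== 'undefined' && typeof sessionStorage !== 'undefined') {
  const result = handleRedirect(window.location.href, sessionStorage);
  clearFragment();
  if (result.ok) {
    window.spaceCodeAuth = result; // keep the token in memory for API calls
  } else {
    console.error(`SpaceCode authorization failed: ${result.error}: ${result.errorDescription}`);
  }
}
```

Because the stored state is consumed on first use, loading the same redirect URL twice yields state_mismatch the second time, which is the behaviour you want for a token-bearing URL that may survive in the history.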

Last modified: 18 April 2024