In the Implicit Flow, the application sends a user to Space via a link. After the user logs in to Space, Space redirects the user back to the application using the specified redirect URI. The redirect contains an access token for the application.
To enable the flow for an application, during the application registration, select the Implicit Flow checkbox. The redirect URIs should be specified in the Redirect URIs field.
If you use Space SDK in your application, you can implement the flow with the help of the
For more details on the flow, refer to the Implicit flow specification.
To start the authentication process, the application should redirect the user's browser to the authentication endpoint <Space service URL>/oauth/auth in the following format:
To obtain an access token from Space, your application needs to provide values for the following parameters in authorization requests:

| Parameter | Description |
|---|---|
| response_type | Specifies the grant type in an OAuth 2.0 request. Set value to |
| state | An identifier for the current application state. For example, it can be a key for a local storage object that contains information about the location of the current user in the application. |
| redirect_uri | A URI in your application that can handle responses from Space. This must be one of the URIs specified during the application registration. |
| | A parameter that determines whether the user should be asked to log in. The following values are valid: |
| | The ID of the application as registered in Space. To get the client ID, go to and choose your application from the list. |
| scope | A space separated list of rights required to access specific resources in Space. |
The rights are grouped in four categories: Global, Profile, Team, Project. Use the following syntax to specify the rights (shown here in BNF notation):

<SCOPE> ::= <ALL> | <TOKEN_LIST>
<ALL> ::= '**'
<TOKEN_LIST> ::= <TOKEN> (' ' <TOKEN>)*
<TOKEN> ::= <GLOBAL_PERMISSIONS_TOKEN> | <ENTITY_PERMISSIONS_TOKEN>
<GLOBAL_PERMISSIONS_TOKEN> ::= <PERMISSIONS>
<ENTITY_PERMISSIONS_TOKEN> ::= <ENTITY> ':' <PERMISSIONS>
<ENTITY> ::= 'Team' | 'Project' | 'Profile' | 'etc.'
<PERMISSIONS> ::= <ALL_PERMISSIONS> | <PERMISSION_LIST>
<ALL_PERMISSIONS> ::= '*'
<PERMISSION_LIST> ::= <PERMISSION> (',' <PERMISSION>)*

Wildcards are accepted. For global rights, the category is omitted. For example:

AddNewProfile,AddNewTeam Team:EditTeam Profile:EditAbsences,EditLanguages Project:*
The rights you specify in
The client service should be able to handle responses from Space at the URL specified as redirect_uri. Response parameters are passed after a hash sign in the URL. As a result, these parameters are not sent to the server and cannot be intercepted by an attacker. If the resource owner grants the access request, Space issues an access token and delivers it to the application by adding the following parameters to the fragment component of the redirection URI using the
| Parameter | Description |
|---|---|
| access_token | The access token issued by Space. |
| token_type | The type of the token issued by Space. Value is case insensitive. |
| expires_in | The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. |
| scope | Optional, if identical to the scope requested by the application; otherwise, required. A space separated list of rights required to access specific resources in Space. |
| state | Required if the "state" parameter was included in the application authorization request. The exact value is received from the application. |
Handling error responses
If the request fails due to a missing, invalid, or mismatching redirect URI, or if the application identifier is missing or invalid, the Space server informs the resource owner of the error and does not automatically redirect the browser to the invalid redirection URI.
If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the application by adding the following parameters to the fragment component of the redirect URI using the
A single ASCII [USASCII] error code from the following:
- invalid_request: The authorization request to Space is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
- The redirect_URI of the service is either incorrect or missing.
- access_denied: The resource owner or Space denied the request.
- unsupported_response_type: The parameter response_type is either missing or has an invalid value.
- invalid_scope: The parameter scope is missing, or the scope for which authorization is requested does not match the permissions registered and authorized for the application.

Human-readable ASCII [USASCII] text providing additional information, used to assist the application developer in understanding what went wrong.
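The scope grammar, the authorization request and the handling of the success and error fragments described above, as an added browser-side JavaScript example that is not code from the Space docs or SDK. It assumes the standard OAuth 2.0 parameter names client_id, response_type=token, error and error_description (which this page does not spell out), accepts only the three entities the grammar names, and assumes permission names are alphanumeric.

```javascript
// Added example, not Space's own code. Assumes the standard OAuth 2.0 parameter
// names (client_id, response_type=token, error, error_description), which the
// page above does not spell out, and that permission names are [A-Za-z0-9_]+.

// <PERMISSIONS> ::= '*' | <PERMISSION> (',' <PERMISSION>)*
const PERMS = String.raw`(?:\*|[A-Za-z0-9_]+(?:,[A-Za-z0-9_]+)*)`;
// <TOKEN> ::= <PERMISSIONS> | <ENTITY> ':' <PERMISSIONS>
// The page lists the entities as Team | Project | Profile | 'etc.'; only the named three are accepted here.
const TOKEN = String.raw`(?:(?:Team|Project|Profile):)?${PERMS}`;
// <SCOPE> ::= '**' | <TOKEN> (' ' <TOKEN>)*
const SCOPE_RE = new RegExp(String.raw`^(?:\*\*|${TOKEN}(?: ${TOKEN})*)$`);

function isValidScope(scope) {
  return SCOPE_RE.test(scope);
}

// Build the URL the browser is redirected to. `state` is an unguessable value the
// app stores (e.g. in sessionStorage) so it can recognise its own redirect later.
function buildAuthUrl(spaceUrl, clientId, redirectUri, scope, state) {
  if (!isValidScope(scope)) throw new Error(`scope does not match the grammar: ${scope}`);
  const q = new URLSearchParams({
    response_type: 'token', client_id: clientId, redirect_uri: redirectUri, scope, state,
  });
  return `${spaceUrl}/oauth/auth?${q}`;
}

// Handle the fragment ('#access_token=...&state=...') Space appends to redirect_uri.
function handleRedirectFragment(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  // The echoed state must equal the stored one; anything else is not our redirect.
  if (!expectedState || p.get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch' };
  }
  if (p.has('error')) {
    return { ok: false, error: p.get('error'), description: p.get('error_description') };
  }
  const expiresIn = Number(p.get('expires_in'));
  if (!p.get('access_token') || !Number.isInteger(expiresIn) || expiresIn <= 0) {
    return { ok: false, error: 'malformed_response' };
  }
  return {
    ok: true,
    accessToken: p.get('access_token'),
    tokenType: (p.get('token_type') || '').toLowerCase(), // value is case insensitive
    expiresIn, // seconds; the app should drop the token before this elapses
    scope: p.get('scope'),
  };
}
```

In a browser, pass `window.location.hash` as the fragment and the state value saved before the redirect as `expectedState`.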