JetBrains Space EAP Help

Implicit Flow

The implicit authorization flow is intended for client applications whose code is delivered to the user, typically JavaScript applications that run in a web browser, and which therefore cannot keep a client secret. Because the access token is returned to the browser in the redirect URL, it is exposed to scripts on the redirect page and to the browser history; the OAuth 2.0 Security Best Current Practice recommends the authorization code flow over the implicit flow where a server offers it.

The client should be registered with Space as a JavaScript Web App.

Initial request

To start the authorization process, the client redirects the user's browser to the authorization endpoint <Space service URL>/oauth/auth, building the URL in the following format:

${Space Service URL}/oauth/auth?response_type=token&state=${State}&redirect_uri=${Client redirect URI}&request_credentials=${Request credentials mode}&client_id=${Client service ID}&scope=${Scope}

For example:

https://mycompany.jetbrains.space/oauth/auth?response_type=token&state=9b8fdea0-fc3a-410c-9577-5dee1ae028da&redirect_uri=https%3A%2F%2Fmyservice.company.com%2Fauthorized&request_credentials=skip&client_id=98071167-004c-4ddf-ba37-5d4599fdf319&scope=0-0-0-0-0%2098071167-004c-4ddf-ba37-5d4599fdf319

To obtain an access token from Space, your client must provide the following parameters in the authorization request:

response_type

Specifies the grant type in an OAuth 2.0 request. Set the value to token.

state

An opaque, unguessable value that the client generates for each authorization request and stores locally. Space returns it unchanged in the response, and the client must reject any response whose state does not match the stored value; this is what ties a callback to a request the client actually started. It can also serve as a key for a local storage object that records the user's location in the client application.

redirect_uri

A URI in your client application that handles responses from Space. It must match the redirect URI registered for the client; the access token is delivered to it in the URL fragment.
request_credentials

Determines whether the user is asked to log in. The following values are valid:

  • skip: use when the client application allows anonymous access.

    • If the user is already logged in to Space, the user is granted access to the client application.

    • If the user is not logged in to Space and the guest account is not banned, the user is granted access to the client application as a guest.

    • If the user is not logged in to Space and the guest account is banned, the user is redirected to the login page.

  • silent: same as skip, but redirects the user back to the client application in all cases. If the guest account is banned, the user is redirected to the client application with an authentication error.

  • required: logs the user out of Space and redirects them to the login page. Use in response to a logout request in the client application.

  • default: use when the client application does not allow anonymous access.

    • If the user is already logged in to Space, the user is granted access to the client application.

    • If the user is not logged in to Space, the user is redirected to the login page.

client_id

The ID of the client application as registered in Space. To find it, go to Administration → Applications and choose your client from the list.
scope

A space separated list of rights required to access specific resources in Space.

The rights are grouped in four categories: Global, Profile, Team, Project. Use the following syntax to specify the rights (shown here in BNF notation):

<SCOPE> ::= <ALL> | <TOKEN_LIST>
<ALL> ::= '**'
<TOKEN_LIST> ::= <TOKEN> (' ' <TOKEN>)*
<TOKEN> ::= <GLOBAL_PERMISSIONS_TOKEN> | <ENTITY_PERMISSIONS_TOKEN>
<GLOBAL_PERMISSIONS_TOKEN> ::= <PERMISSIONS>
<ENTITY_PERMISSIONS_TOKEN> ::= <ENTITY> ':' <PERMISSIONS>
<ENTITY> ::= 'Team' | 'Project' | 'Profile' | 'etc.'
<PERMISSIONS> ::= <ALL_PERMISSIONS> | <PERMISSION_LIST>
<ALL_PERMISSIONS> ::= '*'
<PERMISSION_LIST> ::= <PERMISSION> (',' <PERMISSION>)*

Wildcards are accepted. For global rights, the category prefix is omitted.

Example:

AddNewProfile,AddNewTeam Team:EditTeam Profile:EditAbsences,EditLanguages Project:*

The rights you specify in scope must first be added to the list of requested rights for your client in Space and authorized there. Requesting a right that has not been authorized for the client fails with invalid_scope (see Handling error response).
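The following is an added example, not code from the Space documentation or from JetBrains, showing how a browser client would assemble the authorization request described above and check a scope string against the grammar given for it. The function names (buildAuthorizeUrl, parseScope, newState), the identifier pattern used for entity and permission names, and the refusal of non-https redirect URIs are this example's own choices; the parameter names and values come from the page.

```javascript
// Added example (not from the Space documentation): build the implicit-flow
// authorization request and validate a scope string against the BNF above.
// buildAuthorizeUrl, parseScope and newState are this example's own names.

const REQUEST_CREDENTIALS_MODES = new Set(['skip', 'silent', 'required', 'default']);

// Assumption: entity and permission names are plain identifiers such as
// "Team" or "EditAbsences"; the page does not pin down their character set.
const IDENT = /^[A-Za-z][A-Za-z0-9]*$/;

// Parse a scope string per the BNF: '**' means everything; otherwise a
// space-separated list of tokens, each either "Entity:perm,perm" or a bare
// global "perm,perm", where the permission list may be the wildcard '*'.
function parseScope(scope) {
  if (typeof scope !== 'string' || scope.length === 0) {
    throw new Error('scope must be a non-empty string');
  }
  if (scope === '**') return { all: true, tokens: [] };

  const tokens = scope.split(' ').map((token) => {
    if (token === '') throw new Error('empty token (check for doubled spaces)');
    const colon = token.indexOf(':');
    const entity = colon === -1 ? null : token.slice(0, colon);
    const perms = colon === -1 ? token : token.slice(colon + 1);
    if (entity !== null && !IDENT.test(entity)) {
      throw new Error(`bad entity name in token "${token}"`);
    }
    if (perms === '*') return { entity, all: true, permissions: [] };
    const permissions = perms.split(',');
    for (const p of permissions) {
      if (!IDENT.test(p)) throw new Error(`bad permission "${p}" in token "${token}"`);
    }
    return { entity, all: false, permissions };
  });
  return { all: false, tokens };
}

// Fresh, unguessable state value (128 bits from Web Crypto). The client keeps
// it (for example in sessionStorage) and later compares it with the value
// Space echoes back; a callback with a different state is not ours.
function newState() {
  const webcrypto = globalThis.crypto;
  if (!webcrypto || typeof webcrypto.getRandomValues !== 'function') {
    throw new Error('Web Crypto is required to generate state');
  }
  const bytes = new Uint8Array(16);
  webcrypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Assemble the /oauth/auth URL. Parameters are emitted in the order used by
// the page's example and encoded with encodeURIComponent, so a space in
// scope becomes %20 exactly as in that example (URLSearchParams would emit
// '+', which also decodes to a space).
function buildAuthorizeUrl({ serviceUrl, clientId, redirectUri, scope, state, requestCredentials = 'default' }) {
  if (!REQUEST_CREDENTIALS_MODES.has(requestCredentials)) {
    throw new Error(`unknown request_credentials mode "${requestCredentials}"`);
  }
  // This example's own rule: the token is delivered to redirect_uri, so insist on https.
  if (!/^https:\/\//.test(redirectUri)) {
    throw new Error('redirect_uri must be an https URL');
  }
  for (const [name, value] of [['clientId', clientId], ['scope', scope], ['state', state]]) {
    if (typeof value !== 'string' || value.length === 0) throw new Error(`${name} is required`);
  }
  const params = [
    ['response_type', 'token'],
    ['state', state],
    ['redirect_uri', redirectUri],
    ['request_credentials', requestCredentials],
    ['client_id', clientId],
    ['scope', scope],
  ];
  const query = params.map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
  return `${serviceUrl.replace(/\/+$/, '')}/oauth/auth?${query}`;
}
```

In a browser the client would call newState(), store the result under a key in sessionStorage together with the requested scope, and then assign the URL from buildAuthorizeUrl to window.location. parseScope is deliberately separate from buildAuthorizeUrl, so the builder also reproduces the page's example request, whose scope value does not follow the name-based grammar.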

Handling response

The client service must handle responses from Space at the URL specified as redirect_uri. Response parameters are passed in the fragment component of the URL (after the hash sign). Browsers do not send the fragment to the server, so the token does not appear in the request to the server behind redirect_uri or in its access logs. It is, however, readable by any JavaScript running on the redirect page and remains in the browser history for as long as it stays in the URL, so the client should read the fragment once and then remove it from the address bar. If the resource owner grants the access request, Space issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the application/x-www-form-urlencoded format:

access_token

The access token issued by Space.

token_type

The type of the token issued by Space. The value is case insensitive.

expires_in

The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire one hour from the time the response was generated.

scope

Optional if identical to the scope requested by the client; otherwise required. A space separated list of rights granted for access to specific resources in Space.

state

Required if the "state" parameter was included in the client authorization request. The exact value the client sent is returned; the client must compare it with the value it stored and discard the response if they differ.

Handling error response

If the request fails due to a missing, invalid, or mismatching redirect URI, or if the client identifier is missing or invalid, the Space server informs the resource owner of the error and does not automatically redirect the browser to the invalid redirection URI.

If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the fragment component of the redirect URI using the application/x-www-form-urlencoded format:

error

A single ASCII [USASCII] error code from the following:

  • invalid_request: the authorization request to Space is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.

  • unauthorized_client: the redirect_uri of the service is incorrect or missing.

  • access_denied: the resource owner or Space denied the request.

  • unsupported_response_type: the parameter response_type is missing or has an invalid value.

  • invalid_scope: the parameter scope is missing, or the scope for which authorization is requested does not match the permissions registered and authorized for the client.

error_description
Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding what went wrong.
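The following is an added example, not code from the Space documentation or from JetBrains, showing how the redirect page would process the fragment for both the success response and the error response described above. parseCallbackFragment and stripFragment are this example's own names, as is the shape of the returned object; the local codes state_mismatch and invalid_response are produced by this code for responses it refuses, not error codes Space emits.

```javascript
// Added example (not from the Space documentation): handle the fragment that
// Space appends to redirect_uri. parseCallbackFragment and stripFragment are
// this example's own; 'state_mismatch' and 'invalid_response' are local codes.

const SPACE_ERROR_CODES = new Set([
  'invalid_request', 'unauthorized_client', 'access_denied',
  'unsupported_response_type', 'invalid_scope',
]);

// fragment:       window.location.hash as-is (leading '#' included).
// expectedState:  the value the client stored before redirecting.
// requestedScope: what the client asked for; used when Space omits `scope`.
// now:            clock in milliseconds, injectable for testing.
function parseCallbackFragment(fragment, expectedState, requestedScope, now = Date.now()) {
  // The fragment is application/x-www-form-urlencoded, which URLSearchParams
  // decodes ('+' becomes a space, percent-escapes are resolved).
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const get = (name) => params.get(name);

  // state is checked before anything else: a response carrying the wrong
  // state is not a reply to our request, whether it claims success or failure.
  if (!expectedState || get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch', description: 'state missing or does not match the stored value' };
  }

  // Error response: Space puts `error` (and optionally error_description) in the fragment.
  const error = get('error');
  if (error !== null) {
    return {
      ok: false,
      error,
      known: SPACE_ERROR_CODES.has(error),
      description: get('error_description') || '',
    };
  }

  // Success response: all three of these are required.
  const accessToken = get('access_token');
  const tokenType = get('token_type');
  const expiresIn = Number.parseInt(get('expires_in') ?? '', 10);
  if (!accessToken || !tokenType || !Number.isFinite(expiresIn) || expiresIn <= 0) {
    return { ok: false, error: 'invalid_response', description: 'access_token, token_type and a positive expires_in are required' };
  }

  return {
    ok: true,
    token: {
      accessToken,
      tokenType: tokenType.toLowerCase(),    // the page says token_type is case insensitive
      scope: get('scope') ?? requestedScope,  // omitted means identical to the request
      expiresAt: now + expiresIn * 1000,      // absolute expiry, computed at receipt time
    },
  };
}

// The token stays in browser history and is readable by scripts on the page
// for as long as it remains in the URL. After parsing, rewrite the address
// without the fragment; in a browser:
//   history.replaceState(null, '', stripFragment(location.href));
function stripFragment(href) {
  const hash = href.indexOf('#');
  return hash === -1 ? href : href.slice(0, hash);
}

// Browser wiring (runs only in a browser; shown for context):
// const result = parseCallbackFragment(location.hash,
//   sessionStorage.getItem('oauth_state'), sessionStorage.getItem('oauth_scope'));
// sessionStorage.removeItem('oauth_state');
// history.replaceState(null, '', stripFragment(location.href));
```

The state comparison comes first on purpose: an attacker who can steer a victim's browser to the redirect page with a fragment of their choosing can otherwise make the client accept an attacker-chosen token (or an error that logs the victim out), and the check costs nothing. Keep the received token in memory or sessionStorage rather than in the URL or in a cookie.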
Last modified: 18 November 2020