Get user access token
Prerequisites
- An OAuth 2.0 client.
Use a library
WARNING
We do not recommend implementing this flow manually. There are good OAuth 2.0 libraries for all common languages.
Resources
- Auth0 description of how the authorization code flow works: auth0.com/docs/flows/authorization-code-flow
SDK
Java/Kotlin
See: github.com/working-group-two/wgtwo-auth
Setup
```kotlin
val wgtwoAuth = WgtwoAuth.builder(clientId, clientSecret)
    .callbackUri("https://example.com/callback")
    .build()
```
Create authorization URL
```kotlin
val scope = "phone offline_access"
val nonce = "my-nonce"
val state = "my-state"
val authorizationUrl = wgtwoAuth.authorizationCode.authorizationUrl(scope, nonce, state, Prompt.DEFAULT)
```
Exchange authorization code for access and refresh token
```kotlin
val token: Token = wgtwoAuth.authorizationCode.fetchToken("{CODE FROM THE CALLBACK URI}")
val accessToken: String = token.accessToken
// Fields from ID token:
val nonce = token.metadata.nonce
val phone = token.metadata.phone
```
Refresh token
```kotlin
val token: Token = wgtwoAuth.authorizationCode.refreshToken("{REFRESH TOKEN}")
```
Manually run the OAuth flow
Open link in browser
To start the flow, open the following link in your browser:
```text
https://id.wgtwo.com/oauth2/auth?response_type=code&scope=phone offline_access&client_id=${CLIENT_ID}&redirect_uri=https://example.com/callback&state=this-is-a-key-set-by-the-caller
```
This should take you to our login page, where you will be sent an SMS with a PIN code. After completing the login flow, you will be asked to grant the requested access to the product.
The scopes here will allow you to get the real phone number of the user and to obtain a refresh token.
The browser will then redirect back to the configured redirect URI. In our case, the callback will look similar to this:
```text
https://example.com/callback?code=some-random-code-generated-by-the-oauth-flow&scope=phone%20offline_access&state=this-is-a-key-set-by-the-caller
```
Exchange authorization code for access and refresh token
As we are using the authorization code grant, there will be a server-side call to exchange this code for the access and refresh tokens.
```shell
curl \
  -u ${CLIENT_ID}:${CLIENT_SECRET} \
  --url 'https://id.wgtwo.com/oauth2/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data code="{CODE FROM THE CALLBACK URI}" \
  --data 'redirect_uri=https://example.com/callback'
```
```json
{
  "access_token": "<<redacted>>",
  "expires_in": 3600,
  "refresh_token": "<<redacted>>",
  "scope": "phone offline_access",
  "token_type": "bearer"
}
```
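The manual flow above, from building the authorization URL through checking the callback and preparing the server-side token exchange, as an added Python example. This is not the page's or wgtwo's own code; it uses only the standard library, performs no network call (it returns the request the curl command sends), and treats the client id, client secret and the `state` it generates as placeholders. The one check it adds to the page's steps is the usual one for this grant: the `state` returned in the callback must match the value stored for that login attempt, otherwise the code is not exchanged.

```python
import base64
import json
import secrets
import urllib.parse

# Endpoints, redirect URI and scopes as shown on this page. Client id and
# secret are opaque placeholder strings supplied by the caller (assumption).
AUTHORIZE_URL = "https://id.wgtwo.com/oauth2/auth"
TOKEN_URL = "https://id.wgtwo.com/oauth2/token"
REDIRECT_URI = "https://example.com/callback"
SCOPE = "phone offline_access"


def new_state() -> str:
    # One fresh, unguessable value per login attempt; the caller keeps it in
    # the user's session so the callback can be tied back to this attempt.
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id: str, state: str) -> str:
    # urlencode percent-encodes the space in the scope list and the
    # redirect URI, which the browser link on this page leaves unencoded.
    params = {
        "response_type": "code",
        "scope": SCOPE,
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    # Returns the authorization code. A callback whose state does not match
    # the value stored for this login attempt is refused before the code is used.
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not bound to this login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request(client_id: str, client_secret: str, code: str) -> tuple:
    # URL, headers and form body of the server-side exchange, equivalent to
    # the `curl -u CLIENT_ID:CLIENT_SECRET` call above (HTTP Basic client auth).
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + credentials,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the one in the authorization URL
    })
    return TOKEN_URL, headers, body


def parse_token_response(raw_json: str, requested_scope: str = SCOPE) -> dict:
    # Checks the shape of the token response before the tokens are stored:
    # bearer type, an access token present, and every requested scope granted
    # (without offline_access there is no reason to expect a refresh token).
    data = json.loads(raw_json)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: " + str(data.get("token_type")))
    if not data.get("access_token"):
        raise ValueError("token response without access_token")
    granted = set(data.get("scope", "").split())
    missing = set(requested_scope.split()) - granted
    if missing:
        raise ValueError("scopes not granted: " + " ".join(sorted(missing)))
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_in": int(data.get("expires_in", 0)),
        "scope": granted,
    }


# Constructed sample input: the callback shown on this page and a token
# response with the same shape as the one above (values redacted here too).
SAMPLE_STATE = "this-is-a-key-set-by-the-caller"
SAMPLE_CALLBACK = (
    "https://example.com/callback?code=some-random-code-generated-by-the-oauth-flow"
    "&scope=phone%20offline_access&state=this-is-a-key-set-by-the-caller"
)
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "<<redacted>>",
    "expires_in": 3600,
    "refresh_token": "<<redacted>>",
    "scope": "phone offline_access",
    "token_type": "bearer",
})

if __name__ == "__main__":
    code = parse_callback(SAMPLE_CALLBACK, SAMPLE_STATE)
    url, headers, body = token_request("my-client-id", "my-client-secret", code)
    print(url, headers["Content-Type"], body)
    print(parse_token_response(SAMPLE_TOKEN_RESPONSE))
```

In a real callback handler the `expected_state` comes from the user's server-side session, never from the request itself, and the request built by `token_request` is sent from the backend so the client secret never reaches the browser.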
Use access token to get user info
```shell
export ACCESS_TOKEN="<<redacted>>"
curl -H "Authorization: Bearer $ACCESS_TOKEN" https://id.wgtwo.com/userinfo
```
```json
{
  "phone_number": "+46123456789",
  "phone_number_verified": true,
  "sid": "42e(...)sff",
  "sub": "73e(...)dfc"
}
```