Hybrid Flow: Obtaining of an Authorization Code, Access Token, and ID Token from the Authorization Endpoint
To obtain an authorization code, ID token, and access token from the authorization endpoint,
the client application connects to the authorization endpoint of MYOB Acumatica
with the GET
HTTP method and specifies the parameters of the request in the
URL. For details on the request and the response, see the following sections.
HTTP Method and URL
The client application connects to the authorization endpoint of MYOB Acumatica
with the GET
method. The client application can use one of the following
approaches for the URL:
- If the client application supports OpenID Connect
Discovery, the client application can use the discovery endpoint address, as shown in
the following code.
https://<MYOB Acumatica instance URL>/identity/.well-known/openid-configuration
Note:We recommend that the client application use the discovery endpoint address, which eliminates the need to change the application if the target endpoint address changes. - The client application can directly use the
authorization endpoint address, which is shown in the following code.
https://<MYOB Acumatica instance URL>/identity/connect/authorize
Parameters
Parameter | Description |
---|---|
response_type | The type of the response, which can be one of the following:
|
client_id |
The client ID that was assigned to the client application during the registration of the application in MYOB Acumatica. The client ID must have the format in which the ID was generated during the registration of the application. That is, the client ID must include an auto-generated string and the ID of the tenant, such as 88358B02-A48D-A50E-F710-39C1636C30F6@MyTenant. The client application will have access to the data of the tenant specified in the client ID. |
redirect_uri |
The URI in the client application to which the response to the request should be sent. The URI must exactly match one of the values specified for the application in the Redirect URI column on the Redirect URIs tab of the Connected Applications (SM303010) form. |
response_mode | The way the system sends the request to the redirect URI in response for the
authorization request. The response mode can be one of the following:
|
scope |
The access scope that is requested by the client application. The scope can be a combination of the following values, delimited by spaces:
|
nonce | A string value that is used to associate a client session with an ID token. |
Response
If the user is successfully signed in to MYOB Acumatica
and has granted access, a response is sent to the redirect URI specified in the authorization
request. The response_mode
parameter of the authorization request defines the
way the request is sent. The response includes the following parameters.
Parameter | Description |
---|---|
code | The authorization code. |
id_token |
The ID token associated with the authenticated session. The ID token contains three parts, which are separated by periods. The parts are Base64 encoded. The second part contains the claims to which the user granted access. For details on the ID token structure, see https://openid.net/specs/openid-connect-core-1_0.html#IDToken and https://www.rfc-editor.org/rfc/rfc7519.html. We recommend that you use the existing standard libraries for parsing the tokens. The parameter is returned only if the openid scope was granted. |
scope |
The scope for which the access token and ID token are provided. The returning of this parameter is optional. |
access_token |
The access token. The parameter is returned only if the api scope was granted. |
token_type |
The type of the access token, which is Bearer. The parameter is returned only if the api scope was granted. |
expires_in |
The period of time (in seconds) during which the access token is valid. The parameter is returned only if the api scope was granted. |
Example: openid and email Scopes
The following example requests the openid and email scopes. (Line breaks are for display purposes only.)
GET https://localhost/AcumaticaDB/identity/connect/authorize?
response_type=code id_token
&client_id=58FCCFBD-0CF3-C047-B720-A631C976A8DD@U100
&redirect_uri=https://localhost
&scope=openid email
&response_mode=fragment
&nonce=test
Once the user grants access to the requested scopes, MYOB Acumatica redirects the client application to the following URL.
https://localhost/#
code=fXatQXiNwxDc3YSy7Agjz_fKAJBUVN2UmpqTMLtVidY
&id_token=eyJ...gzw
&scope=openid%20email
Example: openid, email, profile, and api Scopes
GET https://localhost/AcumaticaDB/identity/connect/authorize?
response_type=code id_token token
&client_id=58FCCFBD-0CF3-C047-B720-A631C976A8DD@U100
&redirect_uri=https://localhost
&scope=openid email profile api
&response_mode=fragment
&nonce=test
Once the user grants access to the requested scopes, MYOB Acumatica redirects the client application to the following URL.
https://localhost/#
code=Xa8dL8wAL23PmZEdoCBzTDJyj46_NPx_pplzlf-tFas
&id_token=eyJ...EMo
&token_type=Bearer
&expires_in=3600
&scope=openid%20email%20profile%20api