/
NUTRINTG Authorization Flow for CDS Russia

NUTRINTG Authorization Flow for CDS Russia

Owned by Sebastian Baltruszewicz
Aug 16, 2023
3 min read

CDS supports Authorization Code Grant OAuth2 flow.

General Info

In the supported flow, a client must acquire a short-living authorization code and then exchange it for a token package, consisting of access token, refresh token and metadata. Therefore, the following steps must be taken:

  1. Get authorization code.

  2. Get a token package in exchange for authorization code.

  3. Refresh a token package later using a refresh token if needed.

Get Authorization Code

POST /oauth/authorize HTTP/1.1 Host: {host} Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Authorization: Basic {base64EncodedTrustedUserCredentials} response_type=code&client_id={clientId}&scope={scope}&redirect_uri={redirectUri}&state={state}

where:

  • {host} - depends on the environment, https://digital-security-authservice.dev.moscow.rbdigitalcloud.com or https://digital-security-authservice.prod.moscow.rbdigitalcloud.com

  • {base64EncodedTrustedUserCredentials} - colon-separated string of trustedUserId:trustedUserSecret encoded into Base 64. It is recommended to encode using local tools or code snippets instead of online tools, since the data may be left on online tool servers. Therefore, credentials may become exposed.

  • {clientId} - name of a client provided by CDD team.

  • {scope} - set of whitespace-separated permissions, e.g. SAVE_DATA READ_DATA. A client must have these permissions assigned.

  • {redirectUri} - in most cases does not matter, since there is no such situation when an end-user is redirected to our login form and then needs to be redirected back.

  • {state} - random state string.

 

If a request is valid, there should be a response with status 302.

HTTP/1.1 302 Found location: {redirectUri}?code={authorizationCode}&state={state}

where:

  • {redirectUri} - the one provided in the request.

  • {authorizationCode} - can be exchanged for a token.

  • {state} - the one provided in the request.

Therefore, it is important to note what is an authorization code returned from the server. It lives for a very short time (around 15 seconds), so it should be quickly exchanged for a token.

Get Token

POST /oauth/token HTTP/1.1 Host: {host} Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Authorization: Basic {base64EncodedClientCredentials} grant_type=authorization_code&redirect_uri={redirectUri}&client_id={clientId}&code={authorizationCode}&state={state}

where:

  • {host} - depends on the environment, https://digital-security-authservice.dev.moscow.rbdigitalcloud.com or https://digital-security-authservice.prod.moscow.rbdigitalcloud.com

  • {base64EncodedClientCredentials} - colon-separated string of clientId:clientSecret encoded into Base 64. It is recommended to encode using local tools or code snippets instead of online tools, since the data may be left on online tool servers. Therefore, credentials may become exposed.

  • {clientId} - name of a client provided by CDD team.

  • {authorizationCode} - authorization code acquired via authorization code request.

  • {redirectUri} - in most cases does not matter, since there is no such situation when an end-user is redirected to our login form and then needs to be redirected back.

  • {state} - state string, same as in authorization code request.

 

If a request is valid, there should be a response with status 200. Token lives for one hour according to the current configuration.

Refresh Token

where:

 

If a request is valid, there should be a response with status 200 with a new access token and new refresh token.