Authorization Code GrantIf your client needs to obtain authorization from an existing PKB user in order to interact with the PKB APIs on behalf of that user, then you need to use the Authorization Code Grant workflow. An example of that scenario would be a mobile app for patients, which allows a patient to grant access to their existing PKB account. Note: these examples are written for sandbox.patientsknowbest.com; replace the URL as needed if you are connecting to a different environment. Client loads PKB's authorization endpoint in a browserDescription The client should generate a URL as follows, and then send the user to that URL in a browser.
Parameters
Example An example of a complete URL is shown below. https://sandbox.patientsknowbest.com/apiAuthorize.action?response_type=code&client_id=myClientId&redirect_uri=https://client.example.com/cb&scope=PATIENT&state=ANTI_CSRF_12345 Error handling If there's a problem with the request, PKB will show an error page in the browser. Description The user will either do this and click "Approve", or they can click "Deny". If the user clicks "Approve" and the authentication is successful, PKB will generate an Authorization Code. This will be passed back to the client as a URL parameter whilst redirecting the user to the specified redirect_uri. If a redirect_uri was not specified then the single redirect URI already known to be associated with the Client ID will be used. Note: the authorization code is bound to the Client ID and the redirection URI; the client will need to use the same redirection URI for the next step as well. Parameters
Example An example redirect is shown below. Note that the authorization code is provided as the "code" parameter, and the "state" parameter provided by the client in the intial request is also appended to the URL. https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=ANTI_CSRF_12345 Error handling If user clicks "Deny" (or if the authentication fails, or there is another error), then the redirect will include an "error" parameter instead of the "code" parameter. An example redirect is shown below. https://client.example.com/cb?error=access_denied&state=ANTI_CSRF_12345 Client exchanges authorization code for an access tokenRequestDescription Once you have an authorization code, you can swap this for an access token (and possibly a refresh token too).
Parameters
An example of a complete URL is shown below (parameters are shown in the URL for convenience, but implementations should send them in the body of the POST). https://sandbox.patientsknowbest.com/apiToken.action?grant_type=authorization_code&client_id=myClientId&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https://client.example.com/cb ResponseDescription PKB responds with the access token in JSON, and possibly a refresh token too. Parameters
Example HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"Bearer", "expires_in":600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "scope":"patient" } Error handling The authorization code is only valid for a short duration. If that duration expires, or if another occurrs, then an error response is returned. Example Error HTTP/1.1 400 Bad Request Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "error":"invalid_request" } See section 5.2 for a full list of error response codes. Client exchanges refresh token for new access tokenRequestDescription An access token is only valid for a short duration (normally 10 minutes). After that, a new access token can be requested using a refresh token. This will be possible until the session expires (unless your Client ID is configured to have non-expiring sessions). Refresh tokens can only be used once. If one is submitted that has previously been used, all active tokens for that session will be revoked.
Parameters
An example of a complete URL is shown below (parameters are shown in the URL for convenience, but implementations should send them in the body of the POST). https://sandbox.patientsknowbest.com/apiToken.action?grant_type=refresh_token&client_id=myClientId&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA&scope=PATIENT ResponseDescription PKB responds with a new access token in JSON, and possibly a refresh token too (if the session hasn't expired). Same as for the initial token request above. Error handling Same as for the initial token request above. |
Developer documentation > OAuth 2.0 >