Code grant


Authorization Code Grant

If your client needs to obtain authorization from an existing PKB user in order to interact with the PKB APIs on behalf of that user, then you need to use the Authorization Code Grant workflow.

An example of that scenario would be a mobile app for patients, which allows a patient to grant access to their existing PKB account.

Note: these examples are written for sandbox.patientsknowbest.com; replace the URL as needed if you are connecting to a different environment.

Client loads PKB's authorization endpoint in a browser

Description

The client should generate a URL as follows, and then send the user to that URL in a browser.

HTTP VerbGET
URLhttps://sandbox.patientsknowbest.com/apiAuthorize.action

Parameters

ParameterTypeOptionalityDescriptionExample
response_typeQuery parameterRequiredMust be "code"code
client_idQuery parameterRequiredThe REST API Client ID previously issued to youmyClientId
scopeQuery parameterOptionalAllowed values are:
  • PATIENT
  • CLINICIAN
  • TEAMCOORD
If a value is not provided, we will permit a user from any scope that has has been enabled for your REST API Client ID.
PATIENT
stateQuery parameterOptionalAlthough this is optional, it is strongly recommended. This should be an opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery, as described in Section 10.12.ANTI_CSRF_12345
redirect_uriQuery parameterConditionalIf you have several redirect URIs registered against your Client ID, then you must specify this parameter. Otherwise, it is optional.

If you do specify this parameter, you can add additional parameters to the URI on top of the base URI that is associated with your Client ID.

Note that we do support localhost addresses and custom URL schemes for mobile apps.

You are not able to specify a new URI with this parameter.		https://client.example.com/cb

Example

An example of a complete URL is shown below.

https://sandbox.patientsknowbest.com/apiAuthorize.action?response_type=code&client_id=myClientId&redirect_uri=https://client.example.com/cb&scope=PATIENT&state=ANTI_CSRF_12345

Error handling

If there's a problem with the request, PKB will show an error page in the browser.

PKB authenticates the user, and asks if they wish to grant access

Description

In response to the request made in the previous step, PKB will show an authorization page. This will state which client is asking for access (the owner and product name), and prompt the user to enter their credentials if they wish to grant access to the client.

The user will either do this and click "Approve", or they can click "Deny".

If the user clicks "Approve" and the authentication is successful, PKB will generate an Authorization Code. This will be passed back to the client as a URL parameter whilst redirecting the user to the specified redirect_uri. If a redirect_uri was not specified then the single redirect URI already known to be associated with the Client ID will be used.

Note: the authorization code is bound to the Client ID and the redirection URI; the client will need to use the same redirection URI for the next step as well.

Parameters

ParameterTypeOptionalityDescriptionExample
codeQuery parameterRequiredThe authorization code that can subsequently be used to obtain an access tokenSplxlOBeZQQYbYS6WxSbIA
stateQuery parameterOptionalThe same value that was sent in the request, if presentANTI_CSRF_12345

Example

An example redirect is shown below. Note that the authorization code is provided as the "code" parameter, and the "state" parameter provided by the client in the intial request is also appended to the URL.

https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=ANTI_CSRF_12345

Error handling

If user clicks "Deny" (or if the authentication fails, or there is another error), then the redirect will include an "error" parameter instead of the "code" parameter.

An example redirect is shown below.

https://client.example.com/cb?error=access_denied&state=ANTI_CSRF_12345

See section 4.1.2.1 for more information on error codes.

Client exchanges authorization code for an access token

Request

Description

Once you have an authorization code, you can swap this for an access token (and possibly a refresh token too).

HTTP VerbPOST
URLhttps://sandbox.patientsknowbest.com/apiToken.action

Parameters

ParameterTypeOptionalityDescriptionExample
grant_typeForm parameterRequiredMust be "authorization_code"authorization_code
client_idForm parameterRequiredThe REST API Client ID previously issued to youmyClientId
codeForm parameterRequiredThe authorization code returned in the previous stepSplxlOBeZQQYbYS6WxSbIA
redirect_uriForm parameterConditionalIf you specified one in the original request, this must match exactly. Otherwise, this is optional.https://client.example.com/cb

Example

An example of a complete URL is shown below (parameters are shown in the URL for convenience, but implementations should send them in the body of the POST).

https://sandbox.patientsknowbest.com/apiToken.action?grant_type=authorization_code&client_id=myClientId&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https://client.example.com/cb

Response

Description

PKB responds with the access token in JSON, and possibly a refresh token too.

Parameters

ParameterTypeOptionalityDescriptionExample
access_tokenJSON parameterRequiredThis is the access token that can subsequently be used to authenticate against the relevant API, and gain access to the functionality2YotnFZFEjr1zCsicMWpAA
token_typeJSON parameterRequiredThis is always "Bearer"Bearer
expires_inJSON parameterRequiredThis indicates the number of seconds for which the access_token is valid600
refresh_tokenJSON parameterOptionalIf the session has not expired, a refresh_token will also be issued. This can be used to obtain a new access_token when the token validity period has expired.tGzv3JOkF0XG5Qx2TlKWIA
scopeJSON parameterOptionalThis will match the scope specified in step 1PATIENT


Example

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache


{
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"Bearer",
    "expires_in":600,
    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
    "scope":"patient"
}

Error handling

The authorization code is only valid for a short duration. If that duration expires, or if another occurrs, then an error response is returned.

Example Error

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache


{
    "error":"invalid_request"
}

See section 5.2 for a full list of error response codes.

Client exchanges refresh token for new access token

Request

Description

An access token is only valid for a short duration (normally 10 minutes). After that, a new access token can be requested using a refresh token. This will be possible until the session expires (unless your Client ID is configured to have non-expiring sessions).

Refresh tokens can only be used once. If one is submitted that has previously been used, all active tokens for that session will be revoked.

HTTP VerbPOST
URLhttps://sandbox.patientsknowbest.com/apiToken.action

Parameters

ParameterTypeOptionalityDescriptionExample
grant_typeForm parameterRequiredMust be "refresh_token"refresh_token
client_idForm parameterRequiredThe REST API Client ID previously issued to youmyClientId
refresh_tokenForm parameterRequiredThe refresh token issued at the same time as the most recently valid access tokentGzv3JOkF0XG5Qx2TlKWIA
scopeForm parameterOptionalThe scope of the sessionPATIENT

Example

An example of a complete URL is shown below (parameters are shown in the URL for convenience, but implementations should send them in the body of the POST).

https://sandbox.patientsknowbest.com/apiToken.action?grant_type=refresh_token&client_id=myClientId&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA&scope=PATIENT

Response

Description

PKB responds with a new access token in JSON, and possibly a refresh token too (if the session hasn't expired).

Example

Same as for the initial token request above.

Error handling

Same as for the initial token request above.
Comments