OAuth Service API Reference
The Custom search experiences guide provides a conceptual walkthrough of the steps involved in issuing search requests on behalf of users via OAuth.
OAuth Service API Overview
The OAuth Service API provides endpoints that generate user access tokens, allowing applications to issue search requests on behalf of an authenticated user. It supports both a confidential flow (in which an authorization code is exchanged for tokens using a Client Secret) and an implicit flow (in which the user's client requests access tokens directly).
The available endpoints are as follows:
```
# Confidential flow
GET  /ws/oauth/authorize?response_type=code&client_id=ca6e5332...&redirect_uri=https://one.acme.co
POST /ws/oauth/token?grant_type=authorization_code&client_id=ca6e5332b...&client_secret=c5d51a8c...&redirect_uri=https://one.acme.co&code=78hasd9h324h
POST /ws/oauth/token?grant_type=refresh_token&refresh_token=89d2a...&client_id=ca6e5332...&redirect_uri=https://one.acme.co

# Implicit flow
GET  /ws/oauth/authorize?response_type=token&client_id=ca6e5332...&redirect_uri=https://one.acme.co
```
| Parameter | Requirement | Description |
| --- | --- | --- |
|  | required |  |
| client_id | required | Client ID as generated when setting up the OAuth Application |
| client_secret | required for Confidential | Client Secret as generated when setting up the OAuth Application |
| redirect_uri | required | Location to redirect the user to once the OAuth process has completed. Must match a URI configured in the OAuth Application |
| code | required | Authorization code as returned by the |
|  | required | Required for |
| access_token | response | Token used for issuing search requests on behalf of an authenticated user, generated from a successful OAuth flow |
| refresh_token | response | Token used for retrieving a new access token in the confidential flow |
To learn more about setting up and configuring the Search OAuth application, refer to the Configuring the OAuth Application for Search guide.
Access tokens usually expire after 2 hours. In the confidential flow a refresh token can be exchanged for a new access token, so clients keep valid access without asking the user to re-authenticate. The refresh token is issued together with the access token and must be exchanged for a new access token before the access token expires.
The Confidential approach is recommended wherever possible, as it provides more control over the generation and refresh of access tokens.
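The confidential flow above, driven end to end by a small client written for this page (an added example, not code from the product or its documentation). It assumes the /ws/oauth/token response is a JSON object carrying the access_token and refresh_token fields from the table, that the authorize endpoint echoes an opaque state parameter back on the redirect as standard OAuth 2.0 servers do, and a five-minute refresh margin; the base URL, client credentials and the fake token endpoint are constructed.

```python
import secrets, time
from urllib.parse import urlencode, urlparse, parse_qs
TOKEN_LIFETIME, REFRESH_MARGIN = 2 * 60 * 60, 5 * 60  # 2 h per the reference; 5 min early refresh is an assumption

class ConfidentialClient:
    def __init__(self, base_url, client_id, client_secret, redirect_uri, http_post, clock=time.time):
        self.base_url, self.client_id, self.client_secret = base_url.rstrip("/"), client_id, client_secret
        self.redirect_uri, self.http_post, self.clock = redirect_uri, http_post, clock  # injectable for tests
        self.tokens, self.expires_at, self._state = None, 0.0, None

    def authorize_url(self):
        # 'state' (assumed to be echoed back unchanged by the server) binds the callback to this session
        self._state = secrets.token_urlsafe(16)
        q = {"response_type": "code", "client_id": self.client_id,
             "redirect_uri": self.redirect_uri, "state": self._state}
        return f"{self.base_url}/ws/oauth/authorize?{urlencode(q)}"

    def handle_callback(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        if self._state is None or q.get("state") != [self._state]:
            raise ValueError("state mismatch: callback is not bound to this session")
        self._state = None
        # client_secret travels in the query string, as the reference shows: never log this URL
        return self._token_request({"grant_type": "authorization_code", "client_id": self.client_id,
                                    "client_secret": self.client_secret, "code": q["code"][0],
                                    "redirect_uri": self.redirect_uri})

    def access_token(self):
        if self.tokens is None:
            raise RuntimeError("no tokens yet: complete the authorization flow first")
        # exchange the refresh token ahead of expiry so the user never has to re-authenticate
        if self.clock() >= self.expires_at - REFRESH_MARGIN:
            self._token_request({"grant_type": "refresh_token", "client_id": self.client_id,
                                 "refresh_token": self.tokens["refresh_token"],
                                 "redirect_uri": self.redirect_uri})
        return self.tokens["access_token"]

    def _token_request(self, params):
        resp = self.http_post(f"{self.base_url}/ws/oauth/token?{urlencode(params)}")
        self.tokens = {"access_token": resp["access_token"], "refresh_token": resp["refresh_token"]}
        self.expires_at = self.clock() + TOKEN_LIFETIME
        return self.tokens["access_token"]

def fake_token_endpoint(url):  # constructed stand-in for POST /ws/oauth/token; the real response body is not on this page
    q = parse_qs(urlparse(url).query)
    if q.get("code") == ["CODE-1"] and q.get("client_secret") == ["SECRET-1"]:
        return {"access_token": "AT-1", "refresh_token": "RT-1"}
    if q.get("grant_type") == ["refresh_token"] and q.get("refresh_token") == ["RT-1"]:
        return {"access_token": "AT-2", "refresh_token": "RT-2"}
    raise PermissionError("token request rejected")
```

A callback whose state does not match the one issued for this session is rejected before any token request is made, and the refresh request carries only the parameters the reference lists for the refresh_token grant.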