Stage | Description |
1 | The client application initiates the process by calling the pub.oauth:authorize service to request access to the resource owner’s data. |
2 | The pub.oauth:authorize service validates the request. If valid, the service responds with an HTML page that informs the resource owner that the client application is requesting access within a specified scope. The resource owner uses the HTML page to approve or deny the request. |
3 | When the resource owner approves the request, the approval page invokes an internal service on Integration Server. If the resource owner denies the request, an error is returned. |
4 | Integration Server generates an authorization code for the client application. The server uses HTTP redirection to instruct the resource owner's browser to transmit the authorization code to the redirection URI provided by the client application. |
5 | The service at the client application’s redirection URI passes the authorization code to the pub.oauth:getToken service on Integration Server to exchange the authorization code for an access token. Integration Server also ensures that the client is allowed to use the authorization code grant. |
6 | Integration Server issues an access token to the client application. If set to do so, the authorization server also issues a refresh token to the client. |
7 | The client application uses the access token to request a resource on the resource server. |
8 | The resource server checks with authorization server to make sure the access token is valid. If it is, the resource server checks that the requested service is within the scope for which the access token was issued. It also checks that the resource owner is authorized to access the requested resource. |