OAuth Authorization Flows

Detailed guide to OAuth 2.0 flows supported by USSO.

Authorization Code Flow

Most secure flow for web and mobile apps.

Step 1: Authorization Request

GET /oauth/authorize?
  response_type=code&
  client_id=CLIENT_ID&
  redirect_uri=REDIRECT_URI&
  scope=openid+profile+email&
  state=RANDOM_STATE

Step 2: User Approves

USSO shows the consent screen and the user approves the requested scopes.

Step 3: Authorization Response

GET REDIRECT_URI?code=AUTH_CODE&state=RANDOM_STATE

Step 4: Token Request

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=AUTH_CODE&
redirect_uri=REDIRECT_URI&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET

Step 5: Token Response

{
  "access_token": "...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "...",
  "id_token": "..."
}
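The five steps above as a small client-side implementation. This is an added example, not USSO's own code or an official client: the base URL usso.example.com, the client id and the callback URL are constructed placeholders, and nothing here touches the network. The part worth copying is Step 3: the state value issued in Step 1 is checked against the callback before the code is ever sent to the token endpoint, which is what ties the redirect back to a request this client actually made.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical USSO deployment; an assumption for the example, not a real endpoint.
USSO_BASE = "https://usso.example.com"


def build_authorize_url(client_id: str, redirect_uri: str,
                        scope: str = "openid profile email"):
    """Step 1: build the /oauth/authorize URL. Returns (url, state).

    state is a fresh unguessable value; the caller stores it (e.g. in the
    user's server-side session) so it can be checked in Step 3."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,          # urlencode renders this as openid+profile+email
        "state": state,
    }
    return f"{USSO_BASE}/oauth/authorize?{urlencode(params)}", state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3: pull the authorization code out of the redirect to REDIRECT_URI.

    The callback is rejected when state is absent or differs from the value we
    issued, so a forged redirect carrying someone else's code is not accepted."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to a request this client issued")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str, redirect_uri: str, client_id: str, client_secret: str):
    """Step 4: headers and form body for POST /oauth/token.

    redirect_uri must be the exact value used in Step 1; the server compares them."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return {"Content-Type": "application/x-www-form-urlencoded"}, body


def parse_token_response(raw: str) -> dict:
    """Step 5: validate the token JSON before the rest of the app sees it."""
    tok = json.loads(raw)
    for field in ("access_token", "token_type", "expires_in"):
        if field not in tok:
            raise ValueError(f"token response missing {field}")
    if tok["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {tok['token_type']!r}")
    if not isinstance(tok["expires_in"], int) or tok["expires_in"] <= 0:
        raise ValueError("expires_in must be a positive integer")
    return tok
```

In a real deployment the state lives in the user's session, not in a local variable, and the client secret stays on the server side of a web app; a native mobile app has no secret to keep, which is why the token request above is shown from the confidential-client side only.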

Client Credentials Flow

For machine-to-machine authentication.

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET&
scope=read:users

Refresh Token Flow

Renews the access token without user interaction.

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
refresh_token=REFRESH_TOKEN&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET
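The client credentials and refresh token grants above, exercised end to end by a token client that caches the access token and renews it shortly before expires_in runs out. This is an added example, not USSO's code: the fake_token_endpoint below is a constructed stand-in for USSO's /oauth/token so the example runs offline, and the client id svc-reporting, its secret and the refresh token rt-initial are constructed sample data. The stand-in also shows two server-side behaviours worth knowing about as a client: it rejects a wrong client secret with invalid_client, and it rotates the refresh token on every use, so a client that fails to store the new refresh_token from the response is locked out on the next renewal.

```python
import json
import secrets
import time
from urllib.parse import urlencode, parse_qs

FORM = "application/x-www-form-urlencoded"

# Constructed stand-in for USSO's token endpoint (assumption, not USSO's implementation).
_CLIENTS = {"svc-reporting": "s3cret"}            # client_id -> client_secret
_REFRESH_TOKENS = {"rt-initial": "svc-reporting"}  # refresh_token -> owning client_id
_ACCESS_LIFETIME = 3600


def fake_token_endpoint(path: str, headers: dict, body: str) -> str:
    """Checks content type, client secret and grant type; rotates refresh tokens."""
    if path != "/oauth/token" or headers.get("Content-Type") != FORM:
        return json.dumps({"error": "invalid_request"})
    p = {k: v[0] for k, v in parse_qs(body).items()}
    expected = _CLIENTS.get(p.get("client_id", ""))
    if expected is None or not secrets.compare_digest(expected.encode(), p.get("client_secret", "").encode()):
        return json.dumps({"error": "invalid_client"})
    grant = p.get("grant_type")
    if grant == "client_credentials":
        tok = {"scope": p.get("scope", "")}
    elif grant == "refresh_token":
        owner = _REFRESH_TOKENS.pop(p.get("refresh_token", ""), None)  # single use
        if owner != p["client_id"]:
            return json.dumps({"error": "invalid_grant"})
        new_rt = "rt-" + secrets.token_hex(8)
        _REFRESH_TOKENS[new_rt] = owner              # rotated: old value is now dead
        tok = {"refresh_token": new_rt}
    else:
        return json.dumps({"error": "unsupported_grant_type"})
    tok.update({"access_token": "at-" + secrets.token_hex(8),
                "token_type": "Bearer", "expires_in": _ACCESS_LIFETIME})
    return json.dumps(tok)


class TokenClient:
    """Caches one access token and renews it before expiry.

    With a refresh_token (obtained earlier through the authorization code flow)
    it uses the refresh_token grant; without one it is a machine-to-machine
    client and uses client_credentials. transport(path, headers, body) does the
    HTTP POST and returns the response body; it is injected so tests can run offline."""

    def __init__(self, client_id, client_secret, transport,
                 scope="read:users", refresh_token=None, skew=60):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.scope, self.skew = transport, scope, skew
        self.refresh_token = refresh_token
        self.access_token, self.expires_at = None, 0.0

    def _post(self, params: dict) -> dict:
        body = urlencode({"client_id": self.client_id,
                          "client_secret": self.client_secret, **params})
        tok = json.loads(self.transport("/oauth/token", {"Content-Type": FORM}, body))
        if "error" in tok:
            raise RuntimeError(f"token endpoint error: {tok['error']}")
        self.access_token = tok["access_token"]
        self.expires_at = time.time() + int(tok["expires_in"])
        if "refresh_token" in tok:
            self.refresh_token = tok["refresh_token"]  # keep the rotated value
        return tok

    def token(self, now=None) -> str:
        """Return a usable access token, renewing when within skew seconds of expiry."""
        now = time.time() if now is None else now
        if self.access_token is None or now >= self.expires_at - self.skew:
            if self.refresh_token:
                self._post({"grant_type": "refresh_token",
                            "refresh_token": self.refresh_token})
            else:
                self._post({"grant_type": "client_credentials", "scope": self.scope})
        return self.access_token
```

Persist the rotated refresh token atomically with the new access token; if the process dies between receiving the response and writing it, the only valid refresh token is lost and the user has to go through the authorization code flow again.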