The access token is an opaque string that is known by our servers and ready to be used by a client website. The access token contains information about the logged-in user, the expiration of the token, which project created the token, as well as the scopes the user has granted permission to.
The login flow used by our Unified Login follows the official OAuth 2.0 Authorization Framework's Implicit Grant.
The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript. In the implicit flow, instead of issuing the client an authorization code, the client is issued an access token directly.
The request
- The client website initiates the flow by directing the resource owner's user-agent to the Unified Login. The client website includes its client identifier, requested scope(s), local state, and a redirection URI to which the Unified Login will send the user-agent back once access is granted (or denied).
- The Unified Login authenticates the resource owner (at AdultWork.com) via the user-agent and establishes whether the resource owner grants or denies the client's access request.
- Assuming the resource owner grants access, the Unified Login redirects the user-agent back to the client website using the redirection URI provided earlier. The redirection URI includes the access token in the URI fragment.
- The user-agent follows the redirection instructions by making a request to the client website (which does not include the fragment). The user-agent retains the fragment information locally.
- The client website returns a web page (typically an HTML document with an embedded script) capable of accessing the full redirection URI including the fragment retained by the user-agent, and extracting the access token (and other parameters) contained in the fragment.
- The user-agent executes the script provided by the client website locally, which extracts the access token.
- The user-agent passes the access token to the client website.
The client website constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format:
- response_type: The value must be set to "token".
- client_id: The client identifier. This can be found in the project details page under the Unified Login tab.
- redirect_uri: The absolute URI to which the user agent will send the received fragment.
- scope: The scope of the requested permissions. The Unified Login requires at least the scope userid.
- state: This is a value used by the client to maintain state between the request and callback. The Unified Login includes this value when redirecting the user-agent back to the client.
For example, the client directs the user-agent to make the following HTTP request using TLS (with extra line breaks for display purposes only):
GET /OAuth/Authorize?response_type=token&client_id=s6BhdRkqt3&
state=xyz&redirect_uri=https%3A%2F%2Fclientwebsite%2Ecom%2Fcb&
scope=userid+age_verification_status
HTTP/1.1
Host: platform.AdultWork.com
The Unified Login validates the request to ensure that all required parameters are present and valid. The Unified Login will verify that the redirection URI to which it will redirect the access token matches the redirection URI located in the project details page under the Unified Login tab.
If the request is valid, the Unified Login authenticates the resource owner and obtains an authorization decision (by asking the resource owner to grant their permission to the scopes issued by the client website).
When a decision is established, the Unified Login directs the user-agent to the provided client redirection URI using an HTTP redirection response.
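The validation described in the preceding paragraphs, seen from the authorization endpoint's side, as an added example (not the Unified Login's own implementation). It assumes the registered projects and their redirect URIs live in an in-memory map constructed here, that `validateAuthorizationRequest` is a name chosen for this example, and that state is treated as required; the client_id is the one from the sample request and the registered redirect URI is a sample value.

```javascript
// Added example: checks performed on an authorization request before the resource
// owner is authenticated. The project table is constructed sample data.
const REGISTERED_PROJECTS = new Map([
  // client_id from the page's sample request; redirect URI is a sample value
  ["s6BhdRkqt3", { redirectUris: ["https://clientwebsite.com/cb"] }],
]);

// query: the raw query string of the GET /OAuth/Authorize request.
// Returns { ok, errors, ...parsed fields }; the caller redirects only when ok.
function validateAuthorizationRequest(query, projects = REGISTERED_PROJECTS) {
  const errors = [];
  const params = new URLSearchParams(query);

  if (params.get("response_type") !== "token") {
    errors.push("response_type must be token");
  }

  const clientId = params.get("client_id");
  const project = clientId ? projects.get(clientId) : undefined;
  if (!project) errors.push("unknown client_id");

  const redirectUri = params.get("redirect_uri");
  if (!redirectUri) {
    errors.push("redirect_uri missing");
  } else if (project && !project.redirectUris.includes(redirectUri)) {
    // Exact string comparison against the registered value. A prefix, substring
    // or host-only match would let a crafted request steer the token-bearing
    // redirect to a path or host the project owner never registered.
    errors.push("redirect_uri does not match a registered redirect URI");
  }

  const scopes = (params.get("scope") ?? "").split(" ").filter(Boolean);
  if (!scopes.includes("userid")) errors.push("scope must include userid");

  const state = params.get("state");
  if (!state) errors.push("state missing");

  return { ok: errors.length === 0, errors, clientId, redirectUri, scopes, state };
}

// Usage with the query string from the page's sample request.
const sampleQuery =
  "response_type=token&client_id=s6BhdRkqt3&state=xyz" +
  "&redirect_uri=https%3A%2F%2Fclientwebsite%2Ecom%2Fcb&scope=userid+age_verification_status";
console.log(validateAuthorizationRequest(sampleQuery));

module.exports = { validateAuthorizationRequest, REGISTERED_PROJECTS };
```

When validation fails on the redirect URI or client identifier, the endpoint should show the error to the user rather than redirect, since there is no trustworthy URI to redirect to.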
The response
If the resource owner grants the access request, the Unified Login issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the "application/x-www-form-urlencoded" format:
- access_token: The access token issued by the Unified Login.
- token_type: The Unified Login uses the "bearer" token type.
- expires_in: The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
- scope: The scope of the requested permissions. The Unified Login requires at least the scope userid.
- state: This is a value used by the client to maintain state between the request and callback. The Unified Login includes this value when redirecting the user-agent back to the client.
An example successful response:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":3600,
"state": "jau95cbrbut20isok7wd1908zp"
}
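The script the client website serves at its redirect URI, which reads the token out of the fragment the user-agent retained, as an added example (not code from the Unified Login documentation). It assumes the state saved when the request was built is passed in as `expectedState` (in a browser it would be read from sessionStorage), that `parseAuthorizationResponse` and `clearFragment` are names chosen here, and that the current time is injectable so expiry can be computed deterministically. The sample redirect URI uses the token and scope values from the page's examples.

```javascript
// Added example: extracting and checking the token delivered in the URI fragment.
// fullRedirectUri: the complete URI including the fragment (window.location.href
// in a browser). expectedState: the value stored when the request was built.
function parseAuthorizationResponse(fullRedirectUri, expectedState, now = Date.now()) {
  const fragment = new URL(fullRedirectUri).hash.replace(/^#/, "");
  // The fragment uses the same application/x-www-form-urlencoded format as the
  // request query, so URLSearchParams decodes it ("+" becomes a space in scope).
  const params = new URLSearchParams(fragment);

  // The fragment may carry an error instead of a token.
  if (params.has("error")) {
    return { ok: false, reason: `authorization error: ${params.get("error")}` };
  }

  // Check state before trusting anything else in the fragment: a response whose
  // state does not match was not started by this session and must be discarded.
  const state = params.get("state");
  if (!expectedState || state !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }

  const accessToken = params.get("access_token");
  if (!accessToken) return { ok: false, reason: "access_token missing" };

  if ((params.get("token_type") ?? "").toLowerCase() !== "bearer") {
    return { ok: false, reason: "unexpected token_type" };
  }

  const expiresIn = Number(params.get("expires_in"));
  if (!Number.isInteger(expiresIn) || expiresIn <= 0) {
    return { ok: false, reason: "expires_in missing or invalid" };
  }

  return {
    ok: true,
    accessToken,
    scopes: (params.get("scope") ?? "").split(" ").filter(Boolean),
    // Absolute expiry in milliseconds, derived from the lifetime in seconds.
    expiresAt: now + expiresIn * 1000,
  };
}

// After the token has been read, remove the fragment from the address bar and
// history entry so the token does not linger in the URL. Browser-only; guarded
// so the module also loads under Node.
function clearFragment() {
  if (typeof window !== "undefined" && window.history && window.location.hash) {
    window.history.replaceState(null, "", window.location.pathname + window.location.search);
  }
}

// Usage with a constructed redirect URI built from the page's sample values.
const sampleRedirect =
  "https://clientwebsite.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&token_type=bearer" +
  "&expires_in=3600&scope=userid+age_verification_status&state=xyz";
console.log(parseAuthorizationResponse(sampleRedirect, "xyz"));
clearFragment();

module.exports = { parseAuthorizationResponse, clearFragment };
```

The client should keep the token in memory (or at most sessionStorage) and present it only to the client website's own backend or to the Unified Login's APIs over TLS; a bearer token is usable by whoever holds it, so the fragment is cleared as soon as it has been read.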