Supported OAuth flows

At the moment we only support the Authorisation code flow and the Authorisation code with PKCE flow. In the future, we will be looking at implementing other flows, and if there is one in particular that you’re interested in, please let us know, and we’ll prioritise that.

The PKCE RFC includes a detailed flow description, from the authorization request through to obtaining an access token. The following steps describe our implementation of the flow.

The Authorization code with PKCE flow, PKCE for short, makes it possible to securely perform the OAuth exchange of client credentials for access tokens on public clients without requiring access to the Client Secret at all. This makes the PKCE flow advantageous for single-page JavaScript applications or other client-side apps where keeping secrets from the user is a technical impossibility.

Prerequisites

There are a couple of things that you will need to do when you set everything up for the first time.

First, ask us for your CLIENT_ID, CLIENT_SECRET, AUTH_HOSTNAME, and SERVER_API_HOSTNAME. For integration and testing purposes, we will create a sandbox environment for you to play with, but once we go live, these values will change.

Lastly, you will need to provide a REDIRECT_URI. We currently only support HTTPS URLs, as per the OAuth 2.0 RFC, so please make sure you use HTTPS, even when testing.

Authorisation code with PKCE

Authorisation code flow