Using Auth Link

With the Auth Link API, the capture of End User credentials and consent is managed entirely by Ideavate, so the client application has less work to do.

The API provides an OAuth2 endpoint that supports the Authorization Code Flow.

High level flow

The process is as follows:

  1. Client Application redirects user browser to an Authorization Request link.

  2. User is shown Ideavate UI to complete linking process.

  3. User selects provider to link if not specified by application.

  4. User shares credentials and gives consent to access.

  5. User is redirected back to Client Application with an Authorization Code.

  6. Client Application exchanges the Authorization Code for an access token.

  7. Client Application can then use access token to query GraphQL API.

Depending on whether the client application is Public or Confidential, different variants of the Authorization Code Flow are provided.

Confidential Client Application flow

For confidential clients the classic client_secret method is used during the token exchange:

In addition to being used on the server side (as illustrated above), the resulting access token could be passed back to the User Agent and used to interact with the GraphQL API directly (this is how the latter part of the Public Client Application flow works).

Public Client Application flow

For public clients we support the PKCE extension to the Authorization Code Flow:
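The client side of the PKCE variant, as an added example that is not Ideavate's own code: it creates the code verifier and S256 challenge (RFC 7636), builds the Authorization Request link from step 1, and validates the redirect from step 5 before preparing the token exchange form for step 6. The endpoint URL, client ID, redirect URI and the use of the S256 method are assumptions; take the real values from your Ideavate client registration.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed placeholder values, not Ideavate's real endpoint or client registration.
AUTHORIZE_URL = "https://auth.example.invalid/oauth2/authorize"
CLIENT_ID = "example-public-client"
REDIRECT_URI = "https://app.example.invalid/callback"

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def start_authorization() -> tuple:
    """Return the redirect URL plus the per-request secrets the client must keep."""
    pending = {
        "verifier": b64url(secrets.token_bytes(32)),  # 43 chars, 256 bits of entropy
        "state": b64url(secrets.token_bytes(16)),     # binds the callback to this request
    }
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": pending["state"],
        "code_challenge": challenge_for(pending["verifier"]),
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}", pending

def token_request_from_callback(callback_url: str, pending: dict) -> dict:
    """Validate the redirect back to the client and build the token exchange form."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this request")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": params["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["verifier"],  # no client_secret for a public client
    }
```

The verifier and state must be stored only for the lifetime of one authorization attempt and discarded once the token exchange has been sent.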
