Security

Security considerations for the Auth Link API

Last updated 2 years ago

Authentication of Client Application

The Auth Link API supports the plain Authorization Code Flow (RFC 6749) for confidential client applications (e.g. a web application with a server-side component) and the PKCE extension (RFC 7636) for public client applications (e.g. a single-page web app or a native mobile application).

Confidential Client Applications

The only requirement is that the client_secret parameter is supplied in the Authorization Code Exchange (POST /token endpoint).

Public Client Applications

To implement the PKCE extension, the code_challenge and code_challenge_method parameters must be passed in the initial Authorization Request (the GET /link redirect).

Then the code_verifier parameter must be supplied in the Authorization Code Exchange (POST /token endpoint).

A good guide on PKCE can be found here.
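As an added example (not code from the Ideavate documentation), the two exchanges above in Python: the GET /link query carrying code_challenge and code_challenge_method, the POST /token body carrying either code_verifier (public client) or client_secret (confidential client), and the check an authorization server makes before releasing tokens. The base URL, the client_id and redirect_uri parameters and the grant_type value are assumptions taken from standard OAuth, not from this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed base URL for illustration; the real Auth Link host is not on this page.
AUTH_LINK_BASE = "https://authlink.example.invalid"

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Fresh (code_verifier, code_challenge); token_urlsafe(64) gives 86 unreserved chars, within 43..128."""
    verifier = secrets.token_urlsafe(64)
    return verifier, s256_challenge(verifier)

def build_link_request(client_id: str, redirect_uri: str, code_challenge: str) -> str:
    """GET /link redirect for a public client (client_id and redirect_uri are assumed parameters)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_LINK_BASE}/link?{urlencode(params)}"

def build_token_request(code: str, *, code_verifier=None, client_secret=None):
    """Form body for POST /token: a public client proves possession with
    code_verifier, a confidential client with client_secret; never both."""
    if (code_verifier is None) == (client_secret is None):
        raise ValueError("supply exactly one of code_verifier or client_secret")
    body = {"grant_type": "authorization_code", "code": code}
    if code_verifier is not None:
        body["code_verifier"] = code_verifier
    else:
        body["client_secret"] = client_secret
    return body

def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server-side check: recompute S256 over the presented verifier and compare
    in constant time with the challenge stored alongside the authorization code."""
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)
```

The test vector from RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk) yields challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM with s256_challenge.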

WebView considerations

When embedding the Auth Link UI within a WebView, you may choose to restrict navigation to only origins that match https://*.open-utilities.com