For most API calls you will need to pass an access_token. There are two ways to obtain one. The first and preferred way is the authorization code grant: your app receives a long-lived token that can be refreshed. The second way is the implicit grant, which gives a short-lived token.

Passing the token

Preferred way

Pass the token in the Authorization header.

Example:

curl -XGET -H 'Authorization: Bearer [access_token]' 'https://www.id.net/api/profile'

Query parameter

Fallback

You can also call the API with the access_token passed as a query parameter.

Example:

curl -XGET 'https://www.id.net/api/profile?access_token=[access_token]'
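The two ways of passing the token, as an added example that is not id.net's own code. It builds the header form and the query-parameter fallback shown above, and adds a small helper that scrubs the token out of a URL before the URL is written to a log, since the fallback form puts the token where access logs, browser history and Referer headers capture it. The token value in the comments is constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

API_PROFILE = "https://www.id.net/api/profile"  # endpoint from the page above


def header_request(access_token: str) -> dict:
    """Preferred form: the token travels in the Authorization header, never in the URL."""
    return {
        "method": "GET",
        "url": API_PROFILE,
        "headers": {"Authorization": f"Bearer {access_token}"},
    }


def query_request(access_token: str) -> dict:
    """Fallback form: the token becomes part of the URL, so anything that records
    URLs (server access logs, proxies, browser history) records the token too."""
    return {
        "method": "GET",
        "url": f"{API_PROFILE}?{urlencode({'access_token': access_token})}",
        "headers": {},
    }


def redact_token_in_url(url: str) -> str:
    """Replace the access_token query value so the URL can be logged safely.
    Example (constructed): .../profile?access_token=abc -> .../profile?access_token=REDACTED"""
    parts = urlsplit(url)
    query = [
        (key, "REDACTED" if key == "access_token" else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Whatever logging sits in front of the API should run URLs through something like `redact_token_in_url` if the query-parameter fallback is enabled at all; the header form needs no such care because the token is not part of the URL.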

Authorization Code

These tokens are granted by requesting response_type = code.

Long lived token

Access tokens granted this way are long-lived: they expire after 1 year.

After the user has authorized your site, id.net redirects them back to your redirect_uri with additional query parameters:

  • code, the grant code
  • state, the state you passed to prevent Cross Site Scripting (optional, null by default)
Location: "http://mysite.com/auth/idnet/callback?code=[code]&state=[state]"

Single Use

The authorization code can only be used a single time.

The code you receive is not the access_token itself but an intermediate code used to obtain the real access_token.

To obtain the real access_token, your server must request it.

Server to server request

Request the access token from your server only. The end user must never learn the value of the access_token.

The request must use the HTTP POST method.

Example:

curl -XPOST 'https://www.id.net/oauth/token' -d 'grant_type=authorization_code' -d 'client_id=[APP_ID]' -d 'client_secret=[APP_SECRET]' -d 'code=[code]'

The response is a JSON document:

{
  "access_token":"b2c8f5309589b90132750cd83ed4e519ec8b9a62dce22c2f43e340c06b4921b1",
  "refresh_token":"a3f3d78db4caacb8157624b5050485f70159ba11be08f1876e45fb1c743b7280",
  "token_type":"bearer",
  "expires_in":31536000,
  "scope":"[]"
}
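The whole authorization-code leg described above (redirect with code and state, single-use code, server-to-server POST, JSON response), as an added example that is not id.net's own code: a relying party's callback handler. The HTTP transport is injected as a `post(url, form)` callable (an assumption made so the block runs offline) that returns the decoded JSON body of the token endpoint's reply; `APP_ID`, `APP_SECRET` and the in-memory state and code stores are constructed placeholders. The state check is the cross-site request forgery defence RFC 6749 assigns to the state parameter.

```python
import hmac
import secrets
import time
from urllib.parse import urlsplit, parse_qs

TOKEN_ENDPOINT = "https://www.id.net/oauth/token"  # endpoint from the page above
# Constructed placeholders; a real deployment loads these from server-side config.
APP_ID = "APP_ID_PLACEHOLDER"
APP_SECRET = "APP_SECRET_PLACEHOLDER"


class CallbackError(Exception):
    pass


def new_state(pending: set) -> str:
    """Issue an unguessable state for the authorize redirect and remember it."""
    state = secrets.token_urlsafe(32)
    pending.add(state)
    return state


def _matches_pending(state: str, pending: set) -> bool:
    # Constant-time comparison against every outstanding state value.
    return any(hmac.compare_digest(state.encode(), s.encode()) for s in pending)


def handle_callback(redirect_url, pending, used_codes, post, now=time.time):
    """Validate the code/state redirect, then exchange the code server-to-server.

    `post(url, form)` is an injected transport (assumed for this example) that
    returns the decoded JSON body of the token endpoint's response.
    """
    params = parse_qs(urlsplit(redirect_url).query)
    code = params.get("code", [None])[0]
    state = params.get("state", [None])[0]
    if not code:
        raise CallbackError("no code in redirect")
    # The state must be one we issued: RFC 6749 uses it so a forged redirect
    # cannot trick the app into exchanging a code it never asked for.
    if not state or not _matches_pending(state, pending):
        raise CallbackError("unknown or missing state")
    pending.discard(state)            # each state is good for one callback
    if code in used_codes:            # the code itself is single use
        raise CallbackError("authorization code already used")
    used_codes.add(code)
    # The POST carries client_secret, so it is made from the server only;
    # the browser never sees the secret or the resulting access_token.
    body = post(TOKEN_ENDPOINT, {
        "grant_type": "authorization_code",
        "client_id": APP_ID,
        "client_secret": APP_SECRET,
        "code": code,
    })
    if "access_token" not in body or str(body.get("token_type", "")).lower() != "bearer":
        raise CallbackError("unexpected token response")
    return {
        "access_token": body["access_token"],
        "refresh_token": body.get("refresh_token"),
        "expires_at": now() + int(body["expires_in"]),   # 31536000 s is the 1-year lifetime
    }
```

The returned record is what the server keeps; only the server ever holds `access_token` and `refresh_token`, and `expires_at` tells it when the refresh has to happen.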

Implicit Grant

These tokens are granted by requesting response_type = token.

Short lived token

Access tokens granted this way are short-lived: they expire after 6 hours.

Security and support

Because of a number of security concerns, using these tokens is not recommended.
Some APIs will not work with a short-lived access token.

After a user has granted permissions to your app, id.net redirects them back to your redirect_uri. Alternatively, with the JS interface, a callback can receive the token without a redirect.

The redirect returns the following parameters in the URL fragment:

  • access_token, the access_token
  • expires_in, number of seconds before the token expires
  • token_type, the type of the token (Bearer by default)
Location: "http://mysite.com/auth/idnet/callback#access_token=[access_token]&expires_in=21600&token_type=bearer"
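Reading the implicit-grant redirect shown above, as an added example that is not id.net's own code. The token arrives in the URL fragment, which a browser does not send to the server, so this parsing belongs client side (or wherever the page's script hands the URL). The parser checks the token type, turns `expires_in` into an absolute deadline, and a second helper answers the question a short-lived token forces on the app: since it cannot be refreshed, when must the grant be run again? The sample URL in the test is the page's own with a constructed token value; the `margin` and the fallback lifetime are assumptions of the example.

```python
import time
from urllib.parse import urlsplit, parse_qs

IMPLICIT_LIFETIME = 6 * 60 * 60   # page: implicit tokens expire after 6 hours (21600 s)


class ImplicitGrantError(Exception):
    pass


def parse_implicit_redirect(url: str, now=time.time) -> dict:
    """Extract and sanity-check the token carried in the redirect's fragment."""
    params = parse_qs(urlsplit(url).fragment)   # fragment, not query
    token = params.get("access_token", [None])[0]
    if not token:
        raise ImplicitGrantError("no access_token in fragment")
    token_type = params.get("token_type", ["bearer"])[0]   # page: Bearer by default
    if token_type.lower() != "bearer":
        raise ImplicitGrantError(f"unsupported token_type {token_type!r}")
    # Assumed fallback: if expires_in were missing, use the documented lifetime.
    expires_in = int(params.get("expires_in", [IMPLICIT_LIFETIME])[0])
    return {
        "access_token": token,
        "token_type": token_type,
        "expires_at": now() + expires_in,
    }


def needs_reauthorization(grant: dict, now=time.time, margin: int = 60) -> bool:
    """Short-lived tokens have no refresh_token: the app has to repeat the
    implicit grant before the deadline. `margin` (assumed) leaves time for the
    redirect round trip."""
    return now() + margin >= grant["expires_at"]
```

A token passed in the query string instead of the fragment is rejected by this parser, which is the right default: the implicit grant only ever delivers the token in the fragment, and a token in the query would be visible to the server that served the redirect target.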

For more details about the OAuth protocol, see the OAuth 2.0 specification, RFC 6749.