
OAuth2

ExorLive uses OAuth2 to let its users authorize third-party applications.

 

Requirements/Support

Registration

To receive an access token, you will need to register the domain of the application. The domain is used to identify your application, so it must be registered in order for the API to function. For development purposes the `localhost` domain has also been whitelisted, so you can test using this domain.

When you have registered, you will receive an app id and a secret app id.

Contact ExorLive to register your application.

The OAuth authorization process

At a basic level, the process is as follows:

  1. Your application requests access and gets an unauthorized request token from ExorLive's server.
  2. ExorLive asks the user to grant you access to the required data.
  3. Your application gets a request token from ExorLive's server.
  4. You exchange the request token for an access token.
  5. You use the access token to request data from ExorLive's servers.

Scopes

A scope defines what actions you are authorized to use.

Scopes are combined using a single space, e.g. "read_master read_profile".

'read_profile' is needed for all forms of interaction.

ReducedUser RegularUser Administrator
  • create_session
  • read_master
  • read_profile
  • write_profile
  • read_workout
  • read_calendar
  • read_contact
  • authorize_oauth
  • write_workout
  • write_calendar
  • write_contact
  • admin_organization
  • admin_unit
  • admin_user

How to obtain a valid OAuth Access Token

Start by redirecting the user to the following URL:

https://auth.exorlive.com/Providers/OAuth/Authorize.aspx?response_type=code&client_id=APP_ID&redirect_uri=REDIRECT_URI&scope=SCOPES

The redirect_uri parameter needs to point to a page on your domain.

After authorization the URL specified in redirect_uri will receive a query parameter called `code` containing the authorization code.

This authorization code must be exchanged for an access token by issuing a POST to the following URL:

https://auth.exorlive.com/Providers/OAuth/Token.ashx

using the following data

grant_type=authorization_code&client_id=APP_ID&client_secret=APP_SECRET&code=AUTHORIZATION_CODE&redirect_uri=REDIRECT_URI

Note: Set the Content-Type header to

Content-Type: application/x-www-form-urlencoded

The redirect_uri parameter needs to be the same as the one used to request the authorization code.

If successful, the response will contain the following

{
    // the token to use for accessing the api
    "access_token": "...",
    // the token to use to refresh the access token
    "refresh_token": "...",
    // the type of token received
    "token_type": "...",
    // the scopes authorized by this token
    "scope": "...",
    // the number of seconds this token will last
    "expires_in": "..."
}

The access_token, refresh_token, scope and expires_in need to be stored in order to use the API optimally. Prior to any usage you should check if the access token is still valid (using the expires_in property), and if not, refresh it.

An access token usually expires after 10 minutes.

You can keep the refresh token indefinitely (or until the user revokes it), and any time you need a new access token, you can use the refresh token to get one (see below).

How to refresh an expired OAuth Access Token

In order to refresh an access token, post to the following URL

https://auth.exorlive.com/Providers/OAuth/Token.ashx

using the following data

grant_type=refresh_token&client_id=APP_ID&client_secret=APP_SECRET&refresh_token=REFRESH_TOKEN&redirect_uri=REDIRECT_URI

The redirect_uri parameter needs to be the same as the one used to request the authorization code.

If successful, the response will contain the following

{
    // the token to use for accessing the api
    "access_token": "...",
    // the token to use to refresh the access token
    "refresh_token": "...",
    // the type of token received
    "token_type": "...",
    // the scopes authorized by this token
    "scope": "...",
    // the number of seconds this token will last
    "expires_in": "..."
}
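
The token handling described in the two sections above (exchange the authorization code, store the tokens, check expires_in, refresh when needed), as an added example that is not ExorLive's own code. The `TokenStore` class, its `skew` margin and the injectable `post`/`clock` parameters are hypothetical, and the token endpoint is assumed to return plain JSON with the fields shown.

```python
import json, time, urllib.parse, urllib.request

AUTHORIZE_URL = "https://auth.exorlive.com/Providers/OAuth/Authorize.aspx"
TOKEN_URL = "https://auth.exorlive.com/Providers/OAuth/Token.ashx"

def authorize_url(app_id, redirect_uri, scopes):
    """URL to redirect the user to; scopes are joined with a single space."""
    query = urllib.parse.urlencode(
        {"response_type": "code", "client_id": app_id,
         "redirect_uri": redirect_uri, "scope": " ".join(scopes)},
        quote_via=urllib.parse.quote)
    return f"{AUTHORIZE_URL}?{query}"

def post_form(url, fields):
    """POST form-encoded fields and parse the JSON reply (assumed plain JSON)."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

class TokenStore:
    """Hypothetical helper: keeps the tokens and refreshes shortly before expiry."""
    def __init__(self, app_id, app_secret, redirect_uri,
                 post=post_form, clock=time.time, skew=30):
        self.client = {"client_id": app_id, "client_secret": app_secret,
                       "redirect_uri": redirect_uri}  # same redirect_uri every time
        self.post, self.clock, self.skew = post, clock, skew
        self.access_token = self.refresh_token = self.scope = None
        self.expires_at = 0.0

    def _grant(self, fields):
        reply = self.post(TOKEN_URL, {**fields, **self.client})
        self.access_token = reply["access_token"]
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        self.scope = reply["scope"]
        # expires_in is relative, so convert it to an absolute deadline now
        self.expires_at = self.clock() + int(reply["expires_in"])

    def exchange_code(self, code):
        self._grant({"grant_type": "authorization_code", "code": code})

    def token(self):
        """Return a usable access token, refreshing it first if it is stale."""
        if self.clock() >= self.expires_at - self.skew:
            if not self.refresh_token:
                raise RuntimeError("no refresh token; run the authorization flow")
            self._grant({"grant_type": "refresh_token",
                         "refresh_token": self.refresh_token})
        return self.access_token
```

Call `exchange_code()` once with the `code` query parameter received at the redirect_uri, then call `token()` before every API request.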

How to obtain a pre-authorized Access Token using the Application credentials

If your application is authorized on the organization level, then it can obtain pre-authorized access tokens without user interaction.

In order to obtain an authorization code for the pre-authorized access token, issue a GET to the following URL

Content type: "application/x-www-form-urlencoded"
https://auth.exorlive.com/Providers/OAuth/Authorize.aspx?user_id=USERID&response_type=code&client_id=APP_ID&client_secret=CLIENT_SECRET&redirect_uri=REDIRECT_URI&scope=SCOPES

If successful, the response will contain the following

{
    // the code to exchange for the access token
    "code": "..."
}

This code can now be exchanged for a regular access token.