OAuth2 Authorization Code Flow#

The Authorization Code Flow lets the client exchange an authorization code for an ID or access token.

oauth2 client authorization flow

  1. The user agent (browser) access the application, on e.g. https://my.application, and is redirected to the Argus OAuth authorization page, requesting authorization with response type “code”:

  2. If not logged into Argus, the user is redirected to the Argus Login page, and then back to the OAuth authorization page

  3. If the current user is permitted to access the specified client, Argus issues an authorization code, and redirects the user back to the redirectURI:

  4. The external application uses the authorization code to authenticate against Argus, using a form URL-encoded POST request:

    curl -XPOSThttps://api.mnemonic.no/authentication/v1/oauth/token -d \
  5. Argus returns a Bearer token to the client, which is a valid Argus user session, with a short lifetime.

    To use this token, the OAuth client must use an Authorization:Bearer header:

     Authorization: Bearer someuser/Pheifoo1dainoofa1uede5booxe0ahQu

The OAuth client application can now use the Bearer header to issue API operations on behalf of the authorizing user.


The OAuth session must be refreshed within the refresh timeout. If at the time of refresh, the authorizing user is logged out, the OAuth session will be rejected.

The OAuth session is constrained to the permissions of the authorizing user, in addition to the constraints imposed by configuration. The session will have the permissions which constitutes the intersection of the users permissions, and the constraints configured on the client.