To initiate the authorisation process, build a URL with the parameters listed below and redirect the user to it; the ApprovalMax authorisation server handles the consent step and then redirects the user back to your application.
Replace your_client_id, requested_scopes, your_redirect_uri, and random_state_value with the values specific to your application.
response_type=code: tells the server to return an authorisation code (Authorization Code grant) rather than a token.
client_id: identifies the client application making the request, so that only a registered client can be authorised to access the requested resources.
scope: the permissions (scopes) the client is requesting; multiple scopes are separated by spaces and determine the level of access the application gets.
redirect_uri: the URI to which the server redirects the user after authorisation. It must match the URI pre-registered for your client, and your application must handle requests arriving there.
state: a random, unguessable value that your application generates, stores and later compares against the value returned on the redirect. It binds the response to the request and prevents Cross-Site Request Forgery (CSRF) against the callback.
Currently, the ApprovalMax Public API defines the following scopes:
https://www.approvalmax.com/scopes/public_api/write. Allows the client to create, edit and submit requests.
https://www.approvalmax.com/scopes/public_api/read. Allows the client to retrieve data.
offline_access. To obtain a refresh token, the offline_access scope must be included when initiating the authorisation request through the endpoint
The "state" parameter in OAuth 2.0 carries state information between the authorisation request and the authorisation response, and its main purpose is to prevent cross-site request forgery (CSRF): an attacker must not be able to make your callback accept an authorisation code that your application never asked for. OAuth 2.0 does not prescribe a format for "state", but the following practices should be followed:
Length: aim for 16 to 32 characters; this gives enough entropy while keeping the URL short enough for all browsers and proxies.
Unpredictability: generate "state" with a cryptographically secure random generator (CSPRNG), never from timestamps, counters or user identifiers.
Encoding: URL-encode "state" when building the authorisation URL, and decode it when reading the callback, so that the value compared is the value issued.
Confidentiality: do not put sensitive or confidential information in "state"; it travels in browser URLs, referrers and server logs.
Verification and validation: on the callback, compare the returned "state" with the value stored for that user's session, and reject the response if it is missing, unknown, already used or does not match.
Lifetime and expiration: give each "state" a short lifetime (a few minutes) and treat an expired value as invalid, which limits the window for replay.
Persistence and storage: store issued "state" values server-side (for example in the session), bind them to the user who started the flow, and delete them as soon as they are consumed or expired.
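The following is an added example (not ApprovalMax's own code) that puts the request-building section and the "state" practices above together in Python: it issues a CSPRNG-generated, single-use, time-limited state, builds the authorisation URL with the five parameters described on this page and the three documented scopes, and validates the redirect back to the client. The authorisation endpoint URL is not given on this page, so AUTHORIZE_ENDPOINT is a placeholder to be replaced; the client id, redirect URI and the in-memory store are likewise assumptions for illustration.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# ASSUMPTION: placeholder only; the real ApprovalMax authorisation endpoint is not stated on this page.
AUTHORIZE_ENDPOINT = "https://example.invalid/oauth/authorize"

# Scopes documented for the ApprovalMax Public API.
SCOPE_READ = "https://www.approvalmax.com/scopes/public_api/read"
SCOPE_WRITE = "https://www.approvalmax.com/scopes/public_api/write"
SCOPE_OFFLINE = "offline_access"  # needed to receive a refresh token

STATE_TTL_SECONDS = 300  # short lifetime for an issued state value


class StateStore:
    """Server-side record of issued state values.

    In a real application this lives in the user's session or a database so that
    the value can only be redeemed by the browser session that started the flow.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._issued = {}  # state -> expiry timestamp

    def issue(self):
        # 24 random bytes -> 32 URL-safe characters from the OS CSPRNG (no encoding issues, no sensitive data).
        state = secrets.token_urlsafe(24)
        self._issued[state] = self._clock() + STATE_TTL_SECONDS
        return state

    def consume(self, state):
        """Return True only for a known, unexpired state; the value is removed either way (single use)."""
        expiry = self._issued.pop(state, None)
        if expiry is None:
            return False
        return self._clock() <= expiry


def build_authorization_url(client_id, redirect_uri, scopes, state, endpoint=AUTHORIZE_ENDPOINT):
    """Build the redirect URL for the Authorization Code flow; urlencode handles percent-encoding."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": " ".join(scopes),  # space-separated scope list
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{endpoint}?{urlencode(params)}"


def handle_callback(callback_url, store, expected_redirect_uri):
    """Validate the authorisation response and return the code, or raise ValueError."""
    parsed = urlparse(callback_url)
    base = parsed._replace(query="", fragment="").geturl()
    if base != expected_redirect_uri:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    query = parse_qs(parsed.query)  # decodes percent-encoding for us
    if "error" in query:
        raise ValueError(f"authorisation server returned error: {query['error'][0]}")
    state = query.get("state", [None])[0]
    # Unknown, reused or expired state: treat as CSRF and stop before touching the code.
    if state is None or not store.consume(state):
        raise ValueError("unknown, reused or expired state (possible CSRF)")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("missing authorisation code")
    return code


if __name__ == "__main__":
    store = StateStore()
    state = store.issue()
    url = build_authorization_url(
        "your_client_id", "https://app.example/callback",
        [SCOPE_READ, SCOPE_WRITE, SCOPE_OFFLINE], state,
    )
    print(url)
    # Constructed callback as the browser would deliver it after consent:
    code = handle_callback(f"https://app.example/callback?code=abc123&state={state}",
                           store, "https://app.example/callback")
    print("code:", code)
```

The store removes a state value on first use, so a replayed or attacker-supplied callback fails the check even if the original value leaked through a log or referrer; the clock is injectable so the expiry path can be tested without waiting.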