11 January 2019

Using the Implicit OAuth 2.0 Flow in Fortellis

I have just spent a few hours getting my demo web site to work with the Implicit OAuth 2.0 flow (https://oauth.net/2/grant-types/implicit/). It was a very quick integration. The first thing I had to do was change my registered application on the Fortellis platform, using the Developer Account option, to set the Callback URL. In my case this was originally http://localhost:5000 (for testing), which I later changed to https://demoapps.fortellis.io/list-n-shift/index.html. The registered Callback URL has to match the redirect_uri sent in the authorization request exactly; the identity provider will only redirect a token to a URL that has been registered for the client.


After setting this up I added a login button to my webpage; when it is clicked the following JavaScript sends the browser to the Fortellis login page.


// nonce and state must be fresh, unguessable values generated for each login attempt and stored (e.g. in sessionStorage) so they can be checked when the user comes back; fixed strings such as 'state' give no protection
window.location.href = 'https://identity.fortellis.io/oauth2/aus1p1ixy7YL8cMq02p7/v1/authorize?response_type=token&client_id=' + encodeURIComponent(client_id) + '&redirect_uri=' + encodeURIComponent(redirect_uri) + '&nonce=' + encodeURIComponent(nonce) + '&scope=openid&state=' + encodeURIComponent(state);


This returns the user to the page given as the redirect URI, with the access token in the URL fragment (the part after #, starting #access_token=…) together with the state value that was sent. The fragment is never sent to the web server, so only JavaScript running on the page can read it, and the page should check that the returned state matches the one it stored before trusting the token. When I then wanted to call the Fortellis platform to get data back for my application I extracted the token from the fragment using


// parse the fragment (after '#') as a query string; a regex that requires a trailing '&' misses the token when it is the last parameter
token = new URLSearchParams(window.location.hash.substring(1)).get('access_token');


I then set the Authorization header of the API call to 'Authorization': `Bearer ${token}`, where token is the access_token extracted above.


The token stays in the browser session (it arrives in the URL fragment, which is not sent to any server), so this works for a static page with no backend of its own. That said, the implicit flow is the weakest of the OAuth 2.0 grants: the access token is exposed in the address bar and browser history, can leak through the Referer header or to any script running on the page, and is not bound to the client that requested it. The OAuth 2.0 Security Best Current Practice advises against it, and the preferred flow for a static page is the authorization code flow with PKCE where the identity provider supports it. If you do use the implicit flow, generate a random state per login and verify it on return, remove the fragment from the URL with history.replaceState as soon as the token has been read, and keep the token in memory rather than in localStorage.

Post by Julian Birkett