11 January 2019

Using the Implicit OAuth 2.0 Flow in Fortellis

I have just spent a few hours getting my demo web site to work with the Implicit OAuth 2.0 flow (https://oauth.net/2/grant-types/implicit/).

It was a very quick integration. The first thing I had to do was change my registered application on the Fortellis platform using the Developer Account option to set the Callback URL. In my case this was originally http://localhost:5000 (for testing) which I later changed to https://demoapps.fortellis.io/list-n-shift/index.html.

After setting this up I added a login button to my webpage and when that was clicked ran the following command to pass it through the Fortellis login.

window.location.href = 'https://identity.fortellis.io/oauth2/aus1p1ixy7YL8cMq02p7/v1/authorize?response_type=token&client_id=' + client_id + '&redirect_uri=' + encodeURIComponent(redirect_uri) + '&nonce=nonce&scope=openid&state=state';

This will return the user back to the original page but with an access token in the URI that looks like #access_token=…  When I then wanted to call the Fortellis platform to get data back for my application I extracted the token from the URI using

token = window.location.href.match(/access_token=(.*?)&/) && window.location.href.match(/access_token=(.*?)&/)[1];

I then just set the Authorization named pair in the API call header to be 'Authorization': `Bearer ${token}`

Where the token variable comes from the above access_token

This is a secure way to make calls to the Fortellis platform because the token is kept local to the browser session and is the recommended flow for a static web page.

Post by Julian Birkett


Phani Mantravadi
January 27, 2019 at 4:55 AM

Nice article Julian, thanks for sharing