Server-side web apps should use the 'Authorization Code Grant' flow as specified by the OAuth 2.0 Authorization Framework (RFC 6749). In this flow the AppSecret stays on your server and is only ever sent to the token endpoint; never embed it in a browser or mobile app.
Below is a guide to get started using this authorization flow.
Your OpenAPI Application
When an application is created for you on OpenAPI, you will receive the following application details:
Name | Description | Example |
---|---|---|
AppUrl | A URL uniquely representing your app. | http://localhost/mytestapp |
AuthenticationUrl | The URL of the Saxo Bank authentication & authorization server. | https://sim.logonvalidation.net/ |
AppKey | The Application key identifying your application. | 1234-5678-9101 |
AppSecret | The Application "secret" identifying your application. | abcdefghijklmn |
OpenApiBaseUrl | Base URL for calling OpenAPI REST endpoints. | https://gateway.saxobank.com/sim/openapi/ |
These can be mapped to the necessary OAuth parameters:
OAuth Parameter | Saxo App Value | Example |
---|---|---|
client_id | AppKey | 1234-5678-9101 |
client_secret | AppSecret | abcdefghijklmn |
redirect_uri | AppUrl | http://localhost/mytestapp |
authorization_url | AuthenticationUrl + '/authorize' | https://sim.logonvalidation.net/authorize |
token_url | AuthenticationUrl + '/token' | https://sim.logonvalidation.net/token |
The following parameters are determined by the developer:
OAuth Parameter | Value | Example |
---|---|---|
response_type | Must always be set to 'code' | code |
state | Unguessable random string generated for each login attempt, kept in the user's server-side session and compared with the value returned on the callback (protects the callback against CSRF). | y90dsygas98dygoidsahf8sa |
scope | Not used | |
Authorization Request
To initiate the authentication flow, redirect the user's browser to the /authorize endpoint with the required parameters encoded as application/x-www-form-urlencoded in the query string. Generate a fresh state value for every login attempt and store it in the user's session before redirecting; you will check it when the user comes back.
Example:
GET /authorize?response_type=code
    &client_id=1234-5678-9101
    &state=y90dsygas98dygoidsahf8sa
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmytestapp
Once the user has logged in, the browser is redirected back to the registered redirect_uri with the authorization code and your state value as query parameters:
HTTP/1.1 302 Found
Location: http://localhost/mytestapp?code=09ccbf1c-ec0d-4da2-bcce-a0ba39f57771&state=y90dsygas98dygoidsahf8sa
Before using the code, verify that the returned state matches the one stored in the session and reject the callback if it does not; this ties the code to the login attempt your app started. Authorization codes are single-use and short-lived, so exchange the code promptly.
Access Token Request
Once the authorization code has been obtained, it can be exchanged for an access token by sending a POST request to the /token endpoint. This request must be authenticated with HTTP Basic Auth, using your client_id as the username and client_secret as the password: the Authorization header value is "Basic " followed by the base64 encoding of "client_id:client_secret". The redirect_uri in this request must be identical to the one used in the authorization request.
POST /token HTTP/1.1
Host: sim.logonvalidation.net
Authorization: Basic MTIzNC01Njc4LTkxMDE6YWJjZGVmZ2hpamtsbW4=
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=09ccbf1c-ec0d-4da2-bcce-a0ba39f57771
&redirect_uri=http%3A%2F%2Flocalhost%2Fmytestapp
If your OAuth library does not support sending the credentials as HTTP Basic Auth, we also accept them as part of the post body:
POST /token HTTP/1.1
Host: sim.logonvalidation.net
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=09ccbf1c-ec0d-4da2-bcce-a0ba39f57771
&redirect_uri=http%3A%2F%2Flocalhost%2Fmytestapp
&client_id=1234-5678-9101
&client_secret=abcdefghijklmn
The response to this request will contain an access_token and a refresh_token:
{
  "access_token": "eyJhbGc.eyJvYWEiOiIwMDA0NCIsImlzcQ.gElDA_9M0_eDr6Jw",
  "expires_in": 1200,
  "token_type": "Bearer",
  "refresh_token": "5e7fa3d2-5e13-4736-80c1-9c3e5cde660b",
  "refresh_token_expires_in": 2400
}
Using the Refresh Token
If you were provided with a refresh token, you can use it to keep the session alive by exchanging it for a new access token and a new refresh token within its lifetime (refresh_token_expires_in). Do this shortly before the access token expires (expires_in); once the refresh token itself has expired, the user must log in again through /authorize. Store the tokens server-side and replace the old refresh token with the newly issued one.
To do this, send another request to the /token endpoint with 'grant_type=refresh_token':
POST /token HTTP/1.1
Host: sim.logonvalidation.net
Authorization: Basic MTIzNC01Njc4LTkxMDE6YWJjZGVmZ2hpamtsbW4=
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=5e7fa3d2-5e13-4736-80c1-9c3e5cde660b
&redirect_uri=http%3A%2F%2Flocalhost%2Fmytestapp
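The whole flow above (authorization request, callback check, code exchange and refresh) as a small server-side client in Python. This is an added example, not Saxo Bank's code or its JavaScript sample: the application values are the ones from the tables, the function names and the `token_status` helper are our own, the callback URL in the walk-through is constructed from the example response, and each request is returned as (url, headers, body) so you can send it with whatever HTTP client you use and the code runs offline.

```python
"""Server-side OAuth 2.0 Authorization Code client for the flow described above.

Added example, not Saxo Bank's own code. It uses the application values from
the tables above and builds every request as (url, headers, body) so it runs
offline; sending the request with your HTTP client is left to you.
"""
import base64
import hmac
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Application values exactly as in the table above (your own will differ).
APP_KEY = "1234-5678-9101"
APP_SECRET = "abcdefghijklmn"
APP_URL = "http://localhost/mytestapp"
AUTHENTICATION_URL = "https://sim.logonvalidation.net"


def new_state():
    """Unguessable per-login state. Store it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state):
    """Step 1: the /authorize URL the user's browser is redirected to."""
    params = {"response_type": "code", "client_id": APP_KEY,
              "state": state, "redirect_uri": APP_URL}
    return AUTHENTICATION_URL + "/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: validate the redirect back to redirect_uri and return the code.

    A missing or mismatched state means the callback was not started by this
    session (CSRF or an attacker-supplied code), so the code is never exchanged.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not bound to this login attempt")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def basic_auth_header():
    """'Basic ' + base64('client_id:client_secret'), as the /token endpoint expects."""
    raw = (APP_KEY + ":" + APP_SECRET).encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _token_post(form):
    headers = {"Authorization": basic_auth_header(),
               "Content-Type": "application/x-www-form-urlencoded"}
    return AUTHENTICATION_URL + "/token", headers, urlencode(form)


def token_request(code):
    """Step 3: POST /token exchanging the code; redirect_uri must equal step 1's."""
    return _token_post({"grant_type": "authorization_code",
                        "code": code, "redirect_uri": APP_URL})


def refresh_request(refresh_token):
    """Step 4: POST /token with grant_type=refresh_token to renew both tokens."""
    return _token_post({"grant_type": "refresh_token",
                        "refresh_token": refresh_token, "redirect_uri": APP_URL})


def parse_token_response(body, now):
    """Turn the JSON token response into a record with absolute expiry times."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: " + str(data.get("token_type")))
    refresh_ttl = data.get("refresh_token_expires_in")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "access_expires_at": now + int(data["expires_in"]),
        "refresh_expires_at": None if refresh_ttl is None else now + int(refresh_ttl),
    }


def token_status(tokens, now, margin=60):
    """'valid', 'refresh' (renew before access expiry) or 'login' (no usable refresh token)."""
    if tokens["refresh_token"] is None:
        return "valid" if now < tokens["access_expires_at"] else "login"
    if tokens["refresh_expires_at"] is not None and now >= tokens["refresh_expires_at"]:
        return "login"
    return "refresh" if now >= tokens["access_expires_at"] - margin else "valid"


if __name__ == "__main__":
    # Constructed walk-through using the callback and token response shown above.
    state = new_state()
    print(build_authorization_url(state))
    callback = APP_URL + "?code=09ccbf1c-ec0d-4da2-bcce-a0ba39f57771&state=" + state
    url, headers, body = token_request(parse_callback(callback, state))
    print(url, headers["Authorization"], body)
    sample = ('{"access_token": "eyJhbGc.eyJvYWEiOiIwMDA0NCIsImlzcQ.gElDA_9M0_eDr6Jw",'
              ' "expires_in": 1200, "token_type": "Bearer",'
              ' "refresh_token": "5e7fa3d2-5e13-4736-80c1-9c3e5cde660b",'
              ' "refresh_token_expires_in": 2400}')
    tokens = parse_token_response(sample, now=1000)
    print(token_status(tokens, now=2150), refresh_request(tokens["refresh_token"])[2])
```

`basic_auth_header()` reproduces the exact header value shown in the request above, and `token_status` is where a background refresher decides between doing nothing, sending `refresh_request`, or sending the user back through `/authorize` because the refresh token has run out.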
See the code sample in JavaScript on the Authorization Code Grant.