Below is a guide to get started using this authorization flow.
Your OpenAPI Application
When an application is created for you on OpenAPI, you will receive the following application details:
- A URL uniquely representing your app.
- The URL of the Saxo Bank authentication & authorization server.
- The Application key identifying your application.
- The Application "secret" identifying your application.
- Base URL for calling OpenAPI REST endpoints.
These can be mapped to the necessary OAuth parameters:

| Saxo App Value | Required | Example |
|---|---|---|
| AuthenticationUrl + '/authorize' | Yes | |
| AuthenticationUrl + '/token' | Yes | |

The parameters below are determined by the developer:

| Saxo App Value | Required | Example |
|---|---|---|
| Must always be set to 'code' | Yes | |
| Randomly generated string used by the client to maintain state between the request and callback. | No | |
| High-entropy cryptographic random STRING using the unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~", with a minimum length of 43 characters and a maximum length of 128 characters (see the note on code_verifier below). | | |
| If code_challenge_method is "Plain": code_challenge = code_verifier | | |
| Possible values are 'Plain' and 'S256'. The client MUST use 'S256' unless otherwise agreed with Saxo Bank. | No, default is 'plain' | S256 |

Note on code_verifier: we suggest you follow the official recommendation, which is that "the output of a suitable random number generator be used to create a 32-octet sequence. The octet sequence is then base64url-encoded to produce a 43-octet URL safe string to use as the code verifier." (https://tools.ietf.org/html/rfc7636#section-4.1)
To initiate the authentication flow, redirect the client to the /authorize endpoint with the required parameters in the query string. Make sure to set the content-type to 'application/x-www-form-urlencoded'.
Once the user has logged in, they are redirected back to the provided redirect_url with an authorization code as a query parameter.
Access Token Request
Once the authorization code has been obtained, it can be exchanged for an access token by sending a POST request to the /token endpoint. This request must be authenticated with HTTP Basic Auth, using your client_id as the username and your client_secret as the password: the Authorization header carries the base64 encoding of the string "client_id:client_secret".
If your OAuth library does not support sending the credentials as HTTP Basic Auth, we also accept them as part of the post body:
The response to this request will contain an access_token and a refresh_token:
Using the Refresh Token
If you were provided with a refresh token, you can use it to keep the session alive by exchanging it for a new access token and refresh token within its lifetime.
To do this, send another request to the /token endpoint with 'grant_type=refresh_token':
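The whole flow above, from the code_verifier and S256 code_challenge through the /authorize redirect, the state check on the callback, the Basic-auth /token exchange and the refresh request, as an added example that is not Saxo Bank's own code. It assumes the standard parameter names from RFC 6749 and RFC 7636 (response_type, redirect_uri, grant_type=authorization_code) for the values the page describes, and all URLs and credentials are placeholders; it builds the requests but does not send them.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode

# Added example, not Saxo Bank's code. Placeholders: substitute your own application details.
AUTHENTICATION_URL = "https://auth.example.invalid"  # placeholder for AuthenticationUrl
REDIRECT_URL = "https://localhost/callback"          # placeholder redirect URL
CLIENT_ID = "YOUR_APP_KEY"                            # placeholder application key
CLIENT_SECRET = "YOUR_APP_SECRET"                     # placeholder application secret

def b64url(raw: bytes) -> str:
    """base64url with the '=' padding stripped, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """32 random octets -> 43-character URL-safe verifier (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def authorize_url(code_challenge: str, state: str) -> str:
    """URL to redirect the user to; response_type is always 'code'."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URL, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return AUTHENTICATION_URL + "/authorize?" + urlencode(params)

def check_callback(query: dict, expected_state: str) -> str:
    """Accept the callback only if its state matches the one we sent; return the code."""
    if query.get("state") != expected_state:
        raise ValueError("state mismatch: not the callback for our request")
    return query["code"]

def basic_auth_header() -> dict:
    """HTTP Basic Auth header: base64('client_id:client_secret')."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {"Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded"}

def token_request(code: str, code_verifier: str):
    """POST to /token exchanging the code; the verifier proves we made the /authorize request."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URL, "code_verifier": code_verifier}
    return AUTHENTICATION_URL + "/token", basic_auth_header(), body

def refresh_request(refresh_token: str):
    """POST to /token with grant_type=refresh_token to obtain a new token pair."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return AUTHENTICATION_URL + "/token", basic_auth_header(), body
```

Send each request with your HTTP client of choice and store the returned refresh_token for the next refresh_request call.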