We recommend all applications to use the authorization code flow if possible as it provides a better end-user experience and allows for a longer session duration because of the refresh token, but if no access to a back-end server is available, the implicit flow can instead be used. Our implementation follows the 'Implicit Grant' specification in The official OAuth 2.0 Authorization Framework.
Below is a guide to get started using this authorization flow.
Your OpenAPI Application
When an application is created for you on OpenAPI, you will receive the following application details:
A URL uniquely representing your app.
|The URL of the Saxo Bank authentication & authorization server.
|The Application key identifying your application.
|The Application "secret" identifying your application.
|Base URL for calling OpenAPI REST endpoints.
These can be mapped to the necessary OAuth parameters:
Saxo App Value
|AuthenticationUrl + '/authorize'
|Below parameters are determined by the developer:
|Must always be set to 'token'
|Randomly generated string used by the client to maintain state between the request and callback.
To initiate the authentication flow, redirect the client to the /authorize with the required parameters in the query string. Make sure to set the content-type to 'application/x-www-form-urlencoded'.
Once the user is logged in, he will be redirected back to the provided redirect_url with an access token as a hash fragment.
In case of an error during the authorization process, the error will similarly be returned as a hash fragment