Authorization Code Flow
1. The user clicks Install from the Workspace (Client Portal) and is redirected to the APP's URL to obtain the authorize parameters.
2. The APP redirects to the Eshopbox Authorization server.
3. The Eshopbox Authorization server validates the accountSlug, clientId and redirectUri from the APP's request.
4. It generates a systemState from the accountSlug, i.e. {{accountSlug}}_timestamp.
5. It saves accountSlug, clientId, redirectUri, scope, state, systemState and status (Pending) in the DB.
6. The Eshopbox authorization server redirects the user to the Auth0 Authorization Server (/authorize endpoint).
7. The Auth0 Authorization Server redirects the user to the login and authorization prompt.
8. The user authenticates using one of the configured login options and may see a consent page listing the permissions Auth0 will grant to the regular web application.
9. The Auth0 Authorization Server redirects the user back to the Eshopbox Authorization server with an authorization code and state. The Auth0 Authorization Server checks that the state is the same as the systemState and that the status is Pending.
10. If the accountSlug extracted from the state and the appId already exist, the status is updated to Installed; otherwise a new record is created in the DB.
11. The Eshopbox authorization server redirects the user back to the APP with an authorization code.
12. The APP sends this code to the Auth0 Authorization Server (/oauth/token endpoint) along with the application's Client ID and Client Secret. The Auth0 Authorization Server verifies the code, Client ID and Client Secret.
13. The Auth0 Authorization Server responds with an ID Token and an Access Token (and optionally a Refresh Token).
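The state handling on the Eshopbox side (steps 3 to 5 and 9 to 11 above) as an added example; this is not Eshopbox code. The in-memory dict stands in for the DB, the REGISTERED_APPS registry, its clientId and redirectUri values, and the function names are assumptions.

```python
"""Model of the Eshopbox authorization server's state handling (added example)."""
import time
from dataclasses import dataclass


@dataclass
class InstallRecord:
    account_slug: str
    client_id: str
    redirect_uri: str
    scope: str
    state: str         # the APP's own state, returned to it unchanged
    system_state: str  # {{accountSlug}}_timestamp, used with Auth0
    status: str = "Pending"


# Hypothetical registry of installed-app credentials: clientId -> allowed redirectUri.
REGISTERED_APPS = {"app_123": "https://app.example.com/callback"}

# Stand-in for the DB table, keyed by systemState (constructed, in-memory).
DB: dict[str, InstallRecord] = {}


def start_install(account_slug, client_id, redirect_uri, scope, state, now=None):
    """Validate the APP request, persist a Pending record and return the systemState
    that is sent to Auth0's /authorize endpoint as the state parameter."""
    # Exact match of the registered redirectUri prevents code delivery to a third party.
    if REGISTERED_APPS.get(client_id) != redirect_uri:
        raise ValueError("unknown clientId or redirectUri mismatch")
    timestamp = int(now if now is not None else time.time())
    system_state = f"{account_slug}_{timestamp}"
    DB[system_state] = InstallRecord(account_slug, client_id, redirect_uri,
                                     scope, state, system_state)
    return system_state


def handle_auth0_callback(code, returned_state):
    """Accept the Auth0 callback only if the returned state matches a Pending record;
    mark it Installed and build the redirect back to the APP. Returns None on rejection."""
    record = DB.get(returned_state)
    if record is None or record.status != "Pending":
        return None  # unknown or already-consumed state: reject the callback
    # accountSlug is recovered from the state itself and must agree with the record
    if returned_state.rsplit("_", 1)[0] != record.account_slug:
        return None
    record.status = "Installed"  # a Pending record is consumed exactly once
    return f"{record.redirect_uri}?code={code}&state={record.state}"
```

A replayed or forged callback fails the Pending check, so a captured code cannot be pushed through the flow a second time.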