Authentication

CXM supports the OAuth2 authorization code grant to achieve single sign-on. This follows the general process where the user is redirected to CXM to authenticate and then sent back to a given redirect URI with a single-use authorization code.

  • Authorization Code - The standard OAuth flow where the user is asked to 'authorize' your application before being redirected back with a code

Authorization Code

In order to request an access token, you must first request a code from the authorization page in CXM. Visit the page, providing the following GET parameters:

Parameter      Value
client_id      The public id for your OAuth client
response_type  code
redirect_uri   One of the URIs in the allowed list for your OAuth Client
state          A single-use string that will be returned with your code. This should be validated by your application to protect against CSRF.

Example URL to redirect user to:

https://cxm.example.com/q/oauth/v2/auth
    ?client_id=zbueiup9h80s487asgc4s4gss4kww4cwsgk0owk4gc8s4kkg4
    &response_type=code
    &redirect_uri=https://myapp/oauth-handler
    &state=ABCDEF

CXM will ask you to sign in at this point if you are not already authenticated. If successful you may be asked to authorise the application, depending on whether or not this has been set as required within the CXM Integrations Hub.

[Screenshot: User is prompted by CXM to authorise the application]

Once you accept, you are redirected back to the redirect_uri with the code and state in the query string.

https://myapp/oauth-handler
    ?code=OWFkNTM3NjY2NDZjODhmYzRhYWU4NTFlN2E1MDk4ZGYxMWZlMjNlNzBjNTU1NWNmYWM4ZmRmNThiMDBhNzNkOA
    &state=ABCDEF

If there are errors, then the redirect will include the error and description:

https://myapp/oauth-handler
   ?error=access_denied
   &description=The+user+denied+access+to+your+application

The authorization code is valid for 30 seconds. A code can be used only once.

Use the code to request an access token:

curl -X POST https://cxm.example.com/q/oauth/v2/token \
    -F client_id=zbueiup9h80s487asgc4s4gss4kww4cwsgk0owk4gc8s4kkg4 \
    -F client_secret=4008txjcmcg0scg04oo8wsko054dg2f8ss4gsog0wgg8wwgw4w \
    -F grant_type=authorization_code \
    -F code=OWFkNTM3NjY2NDZjODhmYzRhYWU4NTFlN2E1MDk4ZGYxMWZlMjNlNzBjNTU1NWNmYWM4ZmRmNThiMDBhNzNkOA \
    -F redirect_uri=https://myapp/oauth-handler

Example response:

{
   "access_token":"YTkxZjgwMWM3M2YxNzgzZjY5MmE2NDA1M2MxODdmZWE2NWZkMzFlYzhmMmM2YzA5NDVlMmFkZjczZThkYTJkMg",
   "expires_in":3600,
   "token_type":"bearer",
   "scope":null,
   "refresh_token":"MTMwMWU0MDU1NTgzNjM1YzUwYzcwMDc3Zjc2M2U4OTk0ODRlNWY5YjI1NzE0Mjc0MWI2ODQ5NTBmODBiN2Q1OQ"
}
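The three steps above (build the authorization URL, handle the redirect back to redirect_uri, exchange the code for tokens) as one client-side implementation. This is an added example, not CXM's own code: the endpoint paths, the GET and POST parameter names, the `description` error parameter and the token response fields come from the page; the function names, the `CallbackError` type and the injectable `post` transport are this example's own choices. It sends the token request as application/x-www-form-urlencoded (the standard OAuth2 encoding) where the curl call above uses multipart form fields; whether CXM accepts both is an assumption, so adjust `http_post_form` if it does not. The state check is the CSRF protection the parameter table asks for, done with a constant-time comparison against the value stored in the user's session.

```python
"""Client side of the CXM authorization-code flow (added example, not CXM's code)."""
import json
import secrets
import urllib.parse
import urllib.request

# Endpoints from the page's examples
AUTH_URL = "https://cxm.example.com/q/oauth/v2/auth"
TOKEN_URL = "https://cxm.example.com/q/oauth/v2/token"


class CallbackError(Exception):
    """Raised when the redirect back from CXM cannot be trusted or carries an error."""


def new_state():
    """Unguessable single-use state; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    """URL to send the browser to, carrying the GET parameters from the table above."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTH_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect to redirect_uri.

    Rejects error redirects, then checks the returned state against the one
    stored in the session before trusting the code (the CSRF check the page
    requires). Comparison is constant-time so timing does not leak the value.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        # The page names the message parameter 'description'
        message = query.get("description", ["(no description)"])[0]
        raise CallbackError("%s: %s" % (query["error"][0], message))
    returned_state = query.get("state", [""])[0]
    if not returned_state or not secrets.compare_digest(
        returned_state.encode(), expected_state.encode()
    ):
        raise CallbackError("state mismatch: possible CSRF or stale session")
    if "code" not in query:
        raise CallbackError("no code in callback")
    return query["code"][0]


def token_request_form(client_id, client_secret, code, redirect_uri):
    """Form fields for the token endpoint, matching the curl call on the page."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }


def http_post_form(url, form):
    """Real transport: urlencoded POST (assumed acceptable to CXM), returns body text."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return resp.read().decode()


def exchange_code(client_id, client_secret, code, redirect_uri, post=http_post_form):
    """Redeem the single-use code (valid for 30 seconds) for tokens.

    `post` is injectable so the flow can be exercised without network access.
    """
    body = post(TOKEN_URL, token_request_form(client_id, client_secret, code, redirect_uri))
    tokens = json.loads(body)
    for field in ("access_token", "expires_in", "token_type"):
        if field not in tokens:
            raise CallbackError("token response missing %s" % field)
    return tokens
```

Because the code expires after 30 seconds and is single-use, call `exchange_code` directly from the callback handler rather than queuing the code for later; a failed exchange means restarting the flow with a fresh state.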
