Step 3: Obtain authorization
Added by IBM contributorIBM | Edited by IBM contributorAlex Leiskau on February 20, 2015
Rate this article 1 starsRate this article 2 starsRate this article 3 starsRate this article 4 starsRate this article 5 stars

Authorization is required to access to content that belongs to IBM Connections Cloud™ resource owners. The authorization process is browser based and must be initiated by the resource owner.
The authorization operation gets the verification code for the request token that was received in Step 2: Get a request token. The request token expires in 10 minutes, so the application must make sure that the token is verified before it expires. To do that, the application must put the request token in the browser and redirect LotusLive™ to the following URL:


The following image shows the authorization process in more detail:

Obtain authorization

The following required parameter is sent during the authorization process:

Table 1. Parameters
The request token received in Step 2: Get a request token. Example URL:

After Connections Cloud receives the request, the following steps happen:
  1. Connections Cloud prompts the resource owner to log in via the browser. A successful login is required to continue.
  2. Connections Cloud confirms that the request token is valid. The request token expires in 10 minutes. If the token has expired, Connections Cloud shows an error message to the resource owner. If the token is not found or was already verified, an error message is shown to the resource owner in the browser.
  3. If the token is valid, Connections Cloud checks the security policy to make sure the resource owner is authorized to use the application. The company administrator provisions resource owners to use applications that are listed in the Integrated Apps page of the administration section in Connections Cloud. After resource owners are subscribed to the application, they are entitled to use the application. In this step, the entitlement-based policy makes sure the user is really entitled to the application. If not, an error message is shown.
  4. Note: This policy check is not enforced in certain situations. It is not enabled on E1. It is also not enforced for users who have guest subscriptions and not paid subscriptions.
  5. If the entitlement check is successful, resource owners see a prompt to authorize access to their data. This prompt is a legal requirement.
  6. The resource owner has a choice whether to let the application to access their content. If they select Allow, the browser is redirected back to the callback URL that was specified in Step 2: Get a request token with the following parameters:
Table 2. Parameters
The request token.
The verifier code that Connections Cloud hands over to the application.

For example, if the resource owner grants the permission to access their content, the browser is redirected to a URL that look like this:

If the resource owner clicks Deny instead, the browser is still redirected back to the callback URL. However the verifier code is set as empty, and an oauth_error=oauth_denied parameter is attached to the URL, for example: denied

Parent topic: OAuth 1.0a APIs for web server flow
Previous topic: Step 2: Get a request token
Next topic: Step 4: Get the access token