The authorization operation obtains the verifier code for the request token that was received in Step 2: Get a request token. The request token expires 10 minutes after it is issued, so the application must make sure that the token is verified before it expires. To do that, the application places the request token in the query string and redirects the resource owner's browser to the LotusLive™ authorization URL (the authorizeToken endpoint shown in Table 1):
The following image shows the authorization process in more detail:
The following required parameter is sent during the authorization process:

Table 1. Parameters

Parameter: oauth_token (required)
Description: The request token received in Step 2: Get a request token.
Example URL: https://apps.lotuslive.com/manage/oauth/authorizeToken?oauth_token=sadhgdj67w6r8778sfsfsf
After Connections Cloud receives the request, the following steps happen:

- Connections Cloud prompts the resource owner to log in via the browser. A successful login is required to continue.
- Connections Cloud confirms that the request token is valid. The request token expires 10 minutes after it was issued; if it has expired, Connections Cloud shows an error message to the resource owner. If the token is not found, or has already been verified (a request token can be authorized only once), an error message is shown to the resource owner in the browser.
- If the token is valid, Connections Cloud checks the security policy to make sure that the resource owner is authorized to use the application. The company administrator provisions resource owners for the applications that are listed on the Integrated Apps page of the administration section in Connections Cloud; a resource owner who has been subscribed to an application is entitled to use it. In this step the entitlement-based policy makes sure that the user really is entitled to the application; if not, an error message is shown.
Note: This policy check is not enforced in certain situations. It is not enabled on E1, and it is not enforced for users who have guest subscriptions rather than paid subscriptions.
- If the entitlement check is successful, the resource owner sees a prompt to authorize access to their data. This prompt is a legal requirement.
- The resource owner chooses whether to let the application access their content. If they select Allow, the browser is redirected back to the callback URL that was specified in Step 2: Get a request token, with the parameters listed in Table 2.

Table 2. Parameters

oauth_token: The request token.
Verifier code: The verifier code (oauth_verifier in OAuth 1.0a) that Connections Cloud hands over to the application. The application presents it in Step 4: Get the access token; the application should also check that the oauth_token in the callback is the request token it is waiting on before accepting the verifier.

For example, if the resource owner grants permission to access their content, the browser is redirected to a URL that looks like this:
If the resource owner clicks Deny instead, the browser is still redirected back to the callback URL. However, the verifier code is set to an empty value and an oauth_error=oauth_denied parameter is attached to the URL, for example:
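The following is an added example, not code from the Connections Cloud documentation or SDK. It shows the application's side of this step: building the authorizeToken redirect from the request token, and then validating the redirect back to the callback URL, including the Deny case and the 10-minute expiry. It assumes the callback parameter names oauth_token and oauth_verifier from OAuth 1.0a (RFC 5849); the callback URL https://example.com/oauth/callback is a placeholder, and the two sample callback URLs are constructed for illustration.

```python
"""Step 3 of the Connections Cloud OAuth 1.0a web server flow (added example).

Assumptions not taken from the page: oauth_verifier as the verifier parameter
name (OAuth 1.0a, RFC 5849), the placeholder callback URL, and the constructed
sample callbacks in DEMO_GRANTED / DEMO_DENIED.
"""
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://apps.lotuslive.com/manage/oauth/authorizeToken"
REQUEST_TOKEN_TTL = 600  # the page states the request token expires in 10 minutes

CALLBACK = "https://example.com/oauth/callback"  # placeholder callback URL
DEMO_TOKEN = "sadhgdj67w6r8778sfsfsf"           # example token from the page
# Constructed sample redirects back to the callback URL (Allow and Deny cases).
DEMO_GRANTED = CALLBACK + "?oauth_token=" + DEMO_TOKEN + "&oauth_verifier=7a1f3c"
DEMO_DENIED = (CALLBACK + "?oauth_token=" + DEMO_TOKEN
               + "&oauth_verifier=&oauth_error=oauth_denied")


class CallbackError(Exception):
    """The callback cannot be trusted or the token can no longer be used."""


def build_authorize_url(request_token: str) -> str:
    """URL the resource owner's browser is redirected to.

    urlencode() escapes the token, so a token value containing '&' or '#'
    cannot inject extra query parameters into the redirect.
    """
    return f"{AUTHORIZE_ENDPOINT}?{urlencode({'oauth_token': request_token})}"


def parse_callback(callback_url: str, pending_token: str,
                   issued_at: float, now: float) -> dict:
    """Interpret the redirect back to the application's callback URL.

    pending_token and issued_at are what the application stored, keyed to the
    user's session, when it obtained the request token in Step 2. Returns
    {"status": "granted", "verifier": ...} or {"status": "denied"}; raises
    CallbackError for anything that must not continue to Step 4.
    """
    params = parse_qs(urlparse(callback_url).query, keep_blank_values=True)

    def single(name):
        # Each parameter is expected exactly once; a duplicate is malformed.
        values = params.get(name, [])
        if len(values) > 1:
            raise CallbackError(f"duplicate {name} parameter")
        return values[0] if values else None

    token = single("oauth_token")
    # The token must be the one this session is waiting on. Without this check
    # an attacker could deliver their own authorized token into the victim's
    # session (the fixation attack that the 1.0a verifier was introduced to stop).
    if token is None or token != pending_token:
        raise CallbackError("oauth_token does not match the pending request token")

    if now - issued_at > REQUEST_TOKEN_TTL:
        # Connections Cloud would reject the token anyway; restart from Step 2.
        raise CallbackError("request token expired; obtain a new one (Step 2)")

    if single("oauth_error") == "oauth_denied":
        # Deny: verifier is empty and oauth_error=oauth_denied is appended.
        return {"status": "denied"}

    verifier = single("oauth_verifier")
    if not verifier:
        raise CallbackError("missing oauth_verifier")
    return {"status": "granted", "verifier": verifier}


if __name__ == "__main__":
    print(build_authorize_url(DEMO_TOKEN))
    print(parse_callback(DEMO_GRANTED, DEMO_TOKEN, issued_at=1000.0, now=1100.0))
    print(parse_callback(DEMO_DENIED, DEMO_TOKEN, issued_at=1000.0, now=1100.0))
```

The application must keep the pending request token and its issue time in server-side session state; the token in the callback is compared against that state rather than trusted on its own, and a token older than 10 minutes is discarded so that Step 4 is never attempted with a token Connections Cloud will reject.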
Parent topic: OAuth 1.0a APIs for web server flow
Previous topic: Step 2: Get a request token
Next topic: Step 4: Get the access token