Oauth2

This service is responsible for handing out the tokens that are required for any HTTP call to the other Shield public endpoints. Shield OAuth2 currently implements the grant types listed below; clients must specify the proper one in the token request.

CLIENT_CREDENTIALS

Use the 'client_credentials' grant type if you are a client not acting on behalf of a user (fan). When you are acting on behalf of a user, for example to access the privileges of that user, use the PASSWORD grant type.

Request Body (application/x-www-form-urlencoded)

Name Required Description
grant_type Y This value should be "client_credentials"
client_id Y The issued client id
client_secret Y The issued client secret
device_id N device UUID

Request (application/x-www-form-urlencoded)

POST HTTPS grant_type=client_credentials&client_id=mobile&client_secret=123

Response JSON

{
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzciIsImlhdCI6MTQzMDMzNTA4NCwiZXhwIjoxNDMwMzM1OTg0fQ.sk-sVw-Cwt9gSXlfHBwCQ6k7oOW8nSHboNVdFVLzMbg",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": null,
    "scope": null
}

PASSWORD

Clients acting on behalf of a user (fan) should use this grant type.

Request Body (application/x-www-form-urlencoded)

Name Required Description
grant_type Y This value should be "password"
client_id Y The issued client id
client_secret Y The issued client secret
username Y The username of fan's account
password Y The password of fan's account
device_id N device UUID

Request (application/x-www-form-urlencoded)

POST HTTPS grant_type=password&client_id=mobile&client_secret=123&username=usr&password=pwd&device_id=38fa28bc-e4f2-4a4b-aed4-4c750284dcdc

Response JSON

{
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzciIsImlhdCI6MTQzMDMzNTA4NCwiZXhwIjoxNDMwMzM1OTg0fQ.sk-sVw-Cwt9gSXlfHBwCQ6k7oOW8nSHboNVdFVLzMbg",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "z230V0nDg7RHVkZN72At",
    "scope": null
}

REFRESH_TOKEN

A refresh token lets a client renew an expired access token without asking the user for their account credentials again. To renew an access token, the client uses this grant type with the refresh token it was issued.

Request Body (application/x-www-form-urlencoded)

Name Required Description
grant_type Y This value should be "refresh_token"
client_id Y The issued client id
client_secret Y The issued client secret
refresh_token Y refresh token
device_id N device UUID

Request (application/x-www-form-urlencoded)

POST HTTPS grant_type=refresh_token&client_id=mobile&client_secret=123&refresh_token=pez7TDmTaKOIXLxfly3A&device_id=38fa28bc-e4f2-4a4b-aed4-4c750284dcdc

Response JSON

{
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6bnVsbCwiaWF0IjoxNDMwMzM5MTI4LCJleHAiOjE0MzAzNDAwMjh9.84gXC_KexhvnnXbBe3J192D_cvhchTIW1LV8NojEbvM",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "pez7TDmTaKOIXLxfly3A",
    "scope": null
}
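The three grants above are the whole lifecycle a confidential client goes through: log in (as itself or as a fan), use the bearer token until it is about to expire, then renew it with the refresh token. The following Python client is an added example, not Shield's own SDK or any code from the page. The token endpoint path (TOKEN_URL), the fake transport, the registered client/fan credentials and every token it mints are constructed so the block runs offline; only the form parameters and the response shape come from the page.

```python
"""Minimal client for the Shield OAuth2 token endpoint.

Added example, not Shield's own SDK. The endpoint path, the fake transport and
all credentials and tokens below are constructed so the code runs offline.
"""
import base64
import json
import time
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://shield.example/oauth2/token"   # assumed path; the page gives none

# Parameters the page documents for each grant, beyond client_id/client_secret.
GRANT_PARAMS = {
    "client_credentials": {"device_id"},
    "password": {"username", "password", "device_id"},
    "refresh_token": {"refresh_token", "device_id"},
}


def build_token_request(grant_type, client_id, client_secret, **extra):
    """Return the application/x-www-form-urlencoded body for one grant."""
    if grant_type not in GRANT_PARAMS:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    unexpected = set(extra) - GRANT_PARAMS[grant_type]
    if unexpected:   # e.g. a password slipped into a client_credentials request
        raise ValueError(f"{grant_type} does not take {sorted(unexpected)}")
    body = {"grant_type": grant_type, "client_id": client_id, "client_secret": client_secret}
    body.update({k: v for k, v in extra.items() if v is not None})  # drop an unset device_id
    return urlencode(body)


def jwt_claims(token):
    """Read the JWT payload WITHOUT checking the HS256 signature: the client never
    holds the server's HMAC key, so only the Shield endpoints can verify it."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


class ShieldOAuth2Client:
    def __init__(self, client_id, client_secret, transport, now=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport   # callable(url, form_body) -> parsed JSON dict
        self.now = now
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _grant(self, grant_type, **extra):
        body = build_token_request(grant_type, self.client_id, self.client_secret, **extra)
        resp = self.transport(TOKEN_URL, body)
        if resp.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {resp.get('token_type')!r}")
        self.access_token = resp["access_token"]
        if resp.get("refresh_token"):        # client_credentials returns null here
            self.refresh_token = resp["refresh_token"]
        # Trust whichever expiry comes first: expires_in or the token's own exp claim.
        expiry = self.now() + resp["expires_in"]
        self.expires_at = min(expiry, jwt_claims(self.access_token).get("exp", expiry))
        return self.access_token

    def login_as_client(self, device_id=None):
        return self._grant("client_credentials", device_id=device_id)

    def login_as_user(self, username, password, device_id=None):
        return self._grant("password", username=username, password=password, device_id=device_id)

    def bearer_token(self, skew=30):
        """Token for 'Authorization: Bearer', renewed if it expires within `skew` seconds."""
        if self.now() + skew < self.expires_at:
            return self.access_token
        if not self.refresh_token:
            raise RuntimeError("token expired and no refresh_token held: log in again")
        return self._grant("refresh_token", refresh_token=self.refresh_token)


# --- constructed stand-in for the token endpoint, so the example runs offline ---
FAKE_CLOCK = {"now": 1430335084}                 # seconds; advance it to simulate expiry
FAKE_CLIENTS = {"mobile": "123"}                 # client_id -> client_secret
FAKE_USERS = {"usr": "pwd"}                      # fan username -> password
FAKE_REFRESH = {}                                # refresh_token -> username


def _fake_jwt(username, iat, exp):
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256"}), enc({"username": username, "iat": iat, "exp": exp}), "fakesig"])


def fake_transport(url, body):
    f = {k: v[0] for k, v in parse_qs(body).items()}
    if FAKE_CLIENTS.get(f.get("client_id")) != f.get("client_secret"):
        raise PermissionError("invalid_client")
    if f["grant_type"] == "client_credentials":
        user, refresh = None, None
    elif f["grant_type"] == "password":
        if FAKE_USERS.get(f.get("username")) != f.get("password"):
            raise PermissionError("invalid_grant")
        user, refresh = f["username"], "rt-" + f["username"]
        FAKE_REFRESH[refresh] = user
    elif f["grant_type"] == "refresh_token":
        refresh = f.get("refresh_token")
        if refresh not in FAKE_REFRESH:
            raise PermissionError("invalid_grant")
        user = FAKE_REFRESH[refresh]             # the page's sample hands the same refresh_token back
    else:
        raise PermissionError("unsupported_grant_type")
    now = FAKE_CLOCK["now"]
    return {"access_token": _fake_jwt(user, now, now + 3600), "token_type": "bearer",
            "expires_in": 3600, "refresh_token": refresh, "scope": None}
```

Two design points. First, the client takes the earlier of `expires_in` and the JWT's own `exp` claim: in the page's sample responses the payload reads `{"username":"usr","iat":1430335084,"exp":1430335984}`, i.e. `exp` is 900 seconds after `iat` while `expires_in` says 3600, and a token rejected by the resource server is worse than one refreshed early. Second, `jwt_claims` deliberately does not verify the signature; a client cannot, since HS256 keys stay on the server, so nothing security-relevant should be decided from the decoded claims beyond scheduling a refresh.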

AUTHORIZATION_CODE

Clients that are not qualified to handle the login themselves should use this grant type. The resulting token is delivered to a redirect URL that has been previously registered with the system. This is the classic 'three-legged OAuth' flow.

Request Body (application/x-www-form-urlencoded)

Name Required Description
grant_type Y This value should be "authorization_code"
client_id Y The issued client id
client_secret Y The issued client secret
username Y The username of fan's account
password Y The password of fan's account
client_token N The client token (client_credentials grant type)

Notes on client_token

The client_token allows the NFL login page to act on behalf of a third party. The client_id and client_secret are those of the login page itself, while the client_token is the third party's own client token (obtained with the client_credentials grant type), which it sent to the login page along with its request for user login.

Request (application/x-www-form-urlencoded)

POST HTTPS grant_type=authorization_code&client_id=mobile&client_secret=123&client_token=eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzciIsImlhdCI6MTQzMDMzNTA4NCwiZXhwIjoxNDMwMzM1OTg0fQ.sk-sVw-Cwt9gSXlfHBwCQ6k7oOW8nSHboNVdFVLzMbg

Response JSON

{
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6bnVsbCwiaWF0IjoxNDMwMzM5MTI4LCJleHAiOjE0MzAzNDAwMjh9.84gXC_KexhvnnXbBe3J192D_cvhchTIW1LV8NojEbvM",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "pez7TDmTaKOIXLxfly3A",
    "scope": null
}

Call to redirect url

GET <redirect url>?username=<username>&refresh_token=<refresh_token>

Note that the refresh token travels in the query string of this GET, so it will appear wherever the redirect URL is recorded (web server and proxy access logs, browser history); the redirect URL must be served over HTTPS.
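The authorization_code flow involves three parties: the third party that wants a fan logged in, the NFL login page acting for it, and Shield, which ends the flow with the GET to the registered redirect URL. The block below is an added example of the login-page side and the third-party callback side, not Shield's or the login page's own code. It assumes a registry mapping each third-party client_id to its registered redirect URL (the page does not show how registration happens), and the partner URL, client ids and tokens in it are constructed. It re-reads the client_token's `exp` claim before using it, because a client_token is just a client_credentials access token and expires like one.

```python
"""Login-page side of the Shield authorization_code flow and the third-party
callback that receives the redirect. Added example; registry, URLs and
credentials are constructed, and the redirect registry is an assumption."""
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: Shield holds one pre-registered redirect URL per third-party client.
REGISTERED_REDIRECTS = {"partner-app": "https://partner.example/shield/callback"}


def jwt_claims(token):
    """Read JWT claims without signature verification (the HS256 key is server-side)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def login_page_token_request(login_client_id, login_client_secret, client_token,
                             username, password, now=time.time):
    """Form body the login page POSTs: its own client credentials, the third
    party's client_token, and the fan's username/password per the parameter table."""
    if jwt_claims(client_token).get("exp", 0) <= now():
        raise ValueError("third-party client_token has expired; it must be reissued "
                         "with the client_credentials grant before login can proceed")
    return urlencode({"grant_type": "authorization_code",
                      "client_id": login_client_id, "client_secret": login_client_secret,
                      "client_token": client_token,
                      "username": username, "password": password})


def redirect_call(third_party_client_id, username, refresh_token):
    """Exact URL of the GET that follows a successful grant. Only the registered
    URL is ever used, so a caller cannot steer the refresh token elsewhere."""
    try:
        base = REGISTERED_REDIRECTS[third_party_client_id]
    except KeyError:
        raise ValueError("no redirect URL registered for this client") from None
    # urlencode escapes the username, so an '@' or '&' in it cannot split the query.
    return base + "?" + urlencode({"username": username, "refresh_token": refresh_token})


def receive_redirect(url, expected_base):
    """Third-party callback handler: accept only our own registered URL, exactly
    one username and one refresh_token, and nothing else."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != expected_base:
        raise ValueError("callback arrived at an unexpected URL")
    q = parse_qs(parts.query, strict_parsing=True)
    if set(q) != {"username", "refresh_token"} or any(len(v) != 1 for v in q.values()):
        raise ValueError("malformed callback query")
    return q["username"][0], q["refresh_token"][0]
```

Once `receive_redirect` returns, the third party holds a refresh token and no access token; it obtains access tokens with the REFRESH_TOKEN grant described above, using its own client_id and client_secret.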