OAuth2

This service hands out the tokens required for any HTTP call to the other Shield public endpoints. Shield OAuth2 currently implements the grant types listed below; a client selects one by setting grant_type in its token request.

CLIENT_CREDENTIALS

Use the 'client_credentials' grant type if you are a client not acting on behalf of a user (fan). When you are acting on behalf of a user, for example to access the privileges of that user, use the PASSWORD grant type.

Request Body (application/x-www-form-urlencoded)

Name           Required   Description
grant_type     Y          This value should be "client_credentials"
client_id      Y          The issued client id
client_secret  Y          The issued client secret
device_id      N          device UUID

Request (application/x-www-form-urlencoded)

POST HTTPS grant_type=client_credentials&client_id=mobile&client_secret=123

Response JSON

{
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzciIsImlhdCI6MTQzMDMzNTA4NCwiZXhwIjoxNDMwMzM1OTg0fQ.sk-sVw-Cwt9gSXlfHBwCQ6k7oOW8nSHboNVdFVLzMbg",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": null,
    "scope": null
}

PASSWORD

Clients acting on behalf of a user should use this grant type.

Request Body (application/x-www-form-urlencoded)

Name           Required   Description
grant_type     Y          This value should be "password"
client_id      Y          The issued client id
client_secret  Y          The issued client secret
username       Y          The username of the fan's account
password       Y          The password of the fan's account
device_id      N          device UUID

Request (application/x-www-form-urlencoded)

POST HTTPS grant_type=password&client_id=mobile&client_secret=123&username=usr&password=pwd&device_id=38fa28bc-e4f2-4a4b-aed4-4c750284dcdc

Response JSON

{
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzciIsImlhdCI6MTQzMDMzNTA4NCwiZXhwIjoxNDMwMzM1OTg0fQ.sk-sVw-Cwt9gSXlfHBwCQ6k7oOW8nSHboNVdFVLzMbg",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "z230V0nDg7RHVkZN72At",
    "scope": null
}

REFRESH_TOKEN

A refresh token lets a client renew an expired access token without asking the user to enter their account information again. To renew an access token, the client uses this grant type with the refresh token it was issued.

Request Body (application/x-www-form-urlencoded)

Name           Required   Description
grant_type     Y          This value should be "refresh_token"
client_id      Y          The issued client id
client_secret  Y          The issued client secret
refresh_token  Y          refresh token
device_id      N          device UUID

Request (application/x-www-form-urlencoded)

POST HTTPS grant_type=refresh_token&client_id=mobile&client_secret=123&refresh_token=pez7TDmTaKOIXLxfly3A&device_id=38fa28bc-e4f2-4a4b-aed4-4c750284dcdc

Response JSON

{
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6bnVsbCwiaWF0IjoxNDMwMzM5MTI4LCJleHAiOjE0MzAzNDAwMjh9.84gXC_KexhvnnXbBe3J192D_cvhchTIW1LV8NojEbvM",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "pez7TDmTaKOIXLxfly3A",
    "scope": null
}
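An added example, not Shield's own client code: a small Python helper that drives the CLIENT_CREDENTIALS, PASSWORD and REFRESH_TOKEN grants described above, builds the form bodies exactly as the requests show them, and decides when to refresh. It assumes a placeholder TOKEN_URL (the page does not give the endpoint path), an injected post(url, body) callable that returns the parsed JSON response, and an injectable clock so the expiry logic can be checked offline; the JWT decode reads the payload only and does not verify the signature.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Placeholder: the page does not give the token endpoint path.
TOKEN_URL = "https://shield.example/oauth/token"

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying it; the resource server enforces exp."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

class TokenClient:
    """Hypothetical Shield token client. `post(url, body)` is injected and returns
    the parsed JSON response; `now` is injectable so tests can pin the clock."""
    def __init__(self, client_id, client_secret, post, device_id=None, now=time.time):
        self.client_id, self.client_secret, self.post = client_id, client_secret, post
        self.device_id, self.now = device_id, now
        self.access_token = self.refresh_token = None
        self.expires_at = 0

    def _grant(self, grant_type, **params):
        body = {"grant_type": grant_type, "client_id": self.client_id,
                "client_secret": self.client_secret, **params}
        if self.device_id:
            body["device_id"] = self.device_id
        resp = self.post(TOKEN_URL, urlencode(body))
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token")  # null for client_credentials
        # The page's sample token carries exp - iat = 900 s although the response
        # says expires_in 3600; treat the token as expired at whichever comes first.
        exp = jwt_claims(self.access_token).get("exp", float("inf"))
        self.expires_at = min(self.now() + resp["expires_in"], exp)
        return resp

    def client_credentials(self):
        return self._grant("client_credentials")
    def password(self, username, password):
        return self._grant("password", username=username, password=password)
    def refresh(self):
        if not self.refresh_token:
            raise RuntimeError("no refresh_token for this grant; re-authenticate")
        return self._grant("refresh_token", refresh_token=self.refresh_token)
    def auth_header(self, skew=30):
        """Bearer header for Shield calls, refreshing first if (nearly) expired."""
        if self.now() + skew >= self.expires_at:
            self.refresh()
        return {"Authorization": "Bearer " + self.access_token}
```

With a real transport, post would wrap an HTTPS POST of the form body and return response.json(); the client_credentials grant yields no refresh_token, so refresh() on such a client raises instead of silently failing.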

GIGYA_SIGNATURE

Similar to the PASSWORD grant type, but uses a Gigya credential instead of the user's password. The client must first authenticate the user against Gigya with username/password.

Request Body (application/x-www-form-urlencoded)

Name                       Required   Description
grant_type                 Y          This value should be "gigya_signature"
client_id                  Y          The issued client id
client_secret              Y          The issued client secret
username                   Y          The username of the fan's account
gigya_UID                  Y          UID from Gigya login response
gigya_signature            Y          UIDSignature from Gigya login response
gigya_signature_timestamp  Y          signatureTimestamp from Gigya login response
device_id                  N          device UUID

Request (application/x-www-form-urlencoded)

POST HTTPS grant_type=gigya_signature&client_id=mobile&client_secret=123&username=usr&gigyaUID=xxx&gigyaSignature=yyy&gigyaSignatureTimestamp=123&device_id=38fa28bc-e4f2-4a4b-aed4-4c750284dcdc

Response JSON

{
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzciIsImlhdCI6MTQzMDMzNTA4NCwiZXhwIjoxNDMwMzM1OTg0fQ.sk-sVw-Cwt9gSXlfHBwCQ6k7oOW8nSHboNVdFVLzMbg",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "z230V0nDg7RHVkZN72At",
    "scope": null
}