
Code authentication

Before You Begin

To create a new OpenId client integration, navigate to the Integrations page at Once there, you can proceed with setting up the integration.

After successful setup, an OpenId client will be created, and you can configure it by accessing its settings.

Ensure that the 'Token auth method' is set to 'None', and the 'Grant type' is set to 'Code'. These settings are essential for successful authentication.

Be sure to take note of the client ID as it will be needed later. For code authentication, you can disregard the client secret.

Finally, include a redirect URL where the user will be directed after a successful login.

Using the @elfsquad/authentication package

To make it easier for you to connect with Elfsquad, we made a package that handles the authentication for you.

We recommend using this package. It saves you time and guarantees a stable interface that is updated when new functionality is introduced.

More information about how to integrate with this package can be found here.

Using custom code

At some point in the UI of your app, you will need to get the end user to log in, in order to gain consent to access Elfsquad's resources on the end user’s behalf.

You can do this when the end user opens the app, or you may wait until your app actually needs to access Elfsquad's resources.

Step 1: Redirecting the user

In either case, you will have to redirect the end user to the oauth2/auth endpoint in their browser. You could do this by providing a link for the end user:

<a href="{CLIENT_ID}&redirect_uri={REDIRECT_URL}&response_type=code&scope=Elfskot.Api%20offline_access%20openid%20profile&response_mode=fragment">
Click here to login
</a>

Replace the {CLIENT_ID} and {REDIRECT_URL} values in the example above with those specific to your OpenId client.

Clicking the link takes the end user to the Elfsquad login page. After the end user has successfully logged in with valid credentials, they are redirected back to your redirect URL with the authorization code included in the URL fragment.

Step 2: Extracting the code

After completing the login, the user is redirected back to the redirect URL with a code in the URL fragment. This code can be exchanged for an access token.

An example of the redirect URL is shown below:

You will need to extract the code from this URL.

// The code arrives in the URL fragment (response_mode=fragment), e.g. "#code=...&scope=..."
const params = new URLSearchParams(window.location.hash.slice(1));
const code = params.get('code'); // null when the fragment carries no code
alert("your code is : " + code);
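The following is an added example, not code from the Elfsquad documentation or the @elfsquad/authentication package. It builds the Step 1 login link with the same parameters as the link above and parses the Step 2 callback fragment without throwing when no code is present (callback page opened directly, or the server returned an error instead of a code). The endpoint URL, client id and redirect URL are constructed sample values, and the state parameter is an assumption: it is not used on this page, but it is the standard OAuth2 way to tie the callback to the request that started it.

```javascript
// Added example (not Elfsquad's code). Endpoint, client id and redirect URL below
// are constructed sample values.

// Build the oauth2/auth link with the same parameters as the page's <a href>.
// `state` is not on the page; it is the standard OAuth2 way to tie the callback
// to the request that started it (assumed to be echoed back by the server).
function buildLoginUrl(authEndpoint, clientId, redirectUri, state) {
  const params = {
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: 'Elfskot.Api offline_access openid profile',
    response_mode: 'fragment',
  };
  if (state) params.state = state;
  // encodeURIComponent yields the %20-encoded scope shown on the page.
  const query = Object.entries(params)
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
    .join('&');
  return `${authEndpoint}?${query}`;
}

// Parse the fragment of the redirect URL (response_mode=fragment).
// Returns { code, state } when a code is present, { error, errorDescription }
// when the server reported an error, and null when the fragment carries
// neither (for example when the callback page is opened directly).
function parseCallbackFragment(url) {
  const hashIndex = url.indexOf('#');
  if (hashIndex === -1) return null;
  const params = new URLSearchParams(url.slice(hashIndex + 1));
  if (params.has('error')) {
    return { error: params.get('error'), errorDescription: params.get('error_description') };
  }
  const code = params.get('code');
  if (!code) return null;
  return { code, state: params.get('state') };
}

// Accept the callback only if it carries a code and the echoed state matches
// the value generated before redirecting; otherwise return null and let the
// caller start the login again.
function acceptCallback(parsed, expectedState) {
  if (!parsed || parsed.error) return null;
  if (expectedState && parsed.state !== expectedState) return null;
  return parsed.code;
}

// Constructed sample values (not real Elfsquad URLs or ids). In the browser,
// window.location.href takes the place of SAMPLE_CALLBACK.
const SAMPLE_AUTH_ENDPOINT = 'https://login.example.com/oauth2/auth';
const SAMPLE_CALLBACK = 'https://app.example.com/callback#code=abc123&state=xyz&scope=openid';
```

The fragment is parsed with URLSearchParams rather than a regular expression, so a code that happens to be the last parameter (no trailing `&`) is still found, and a missing code yields null instead of a TypeError.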

Step 3: Exchanging the code

The extracted code can be exchanged for an access token. This access token can be used to make requests on behalf of the user.

The code can be exchanged by sending a POST request to the oauth2/token endpoint.

The request requires a few pieces of information in the body, as shown below.

{
  "grant_type": "authorization_code",
  "client_id": "{CLIENT_ID}",
  "redirect_uri": "{REDIRECT_URI}",
  "code": "{CODE}"
}

This will return a response with the following body:

{
  "access_token": "123",
  "expires_in": 3600,
  "id_token": "abc",
  "refresh_token": "xyz"
}

Step 4: Refreshing the token

By default, the token returned by the previous API call is valid for 3600 seconds (60 minutes). After this, any API call made with the token will return a 401 Unauthorized status code.

This can be fixed by using the refresh token returned in the previous response. This token is valid for 30 days and can be used to retrieve a fresh access token.

For this request, you will need to use the oauth2/token endpoint again, with the following body:

{
  "grant_type": "refresh_token",
  "client_id": "{CLIENT_ID}",
  "redirect_uri": "{REDIRECT_URI}",
  "refresh_token": "{REFRESH_TOKEN}"
}
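The following is an added example, not code from the Elfsquad documentation or the @elfsquad/authentication package. It combines the Step 3 exchange and the Step 4 refresh into one small token client that tracks expires_in and refreshes a minute before the 3600-second limit instead of waiting for a 401. The fetch implementation is injected so the logic runs offline against a constructed fake endpoint; the token endpoint URL, client id and redirect URL are constructed sample values, and sending the body as JSON (the shape the page shows) is an assumption about the wire format.

```javascript
// Added example (not Elfsquad's code). Endpoint, client id and redirect URL are
// constructed sample values; the JSON body format follows the page's examples.

function authorizationCodeBody(clientId, redirectUri, code) {
  return { grant_type: 'authorization_code', client_id: clientId, redirect_uri: redirectUri, code };
}

function refreshTokenBody(clientId, redirectUri, refreshToken) {
  return { grant_type: 'refresh_token', client_id: clientId, redirect_uri: redirectUri, refresh_token: refreshToken };
}

// Holds the tokens from the oauth2/token endpoint and knows when the access
// token is about to expire. `fetchImpl` has the signature of window.fetch.
class TokenSession {
  constructor(tokenEndpoint, clientId, redirectUri, fetchImpl) {
    this.tokenEndpoint = tokenEndpoint;
    this.clientId = clientId;
    this.redirectUri = redirectUri;
    this.fetchImpl = fetchImpl;
    this.accessToken = null;
    this.refreshToken = null;
    this.expiresAt = 0; // ms since epoch
  }

  async postToken(body, now) {
    const res = await this.fetchImpl(this.tokenEndpoint, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
    const data = await res.json();
    if (typeof data.access_token !== 'string' || typeof data.expires_in !== 'number') {
      throw new Error('token response is missing access_token or expires_in');
    }
    this.accessToken = data.access_token;
    // A refresh response may rotate the refresh token; keep the old one if none is returned.
    if (data.refresh_token) this.refreshToken = data.refresh_token;
    this.expiresAt = now + data.expires_in * 1000;
    return data;
  }

  // Step 3: exchange the code from the fragment for tokens.
  exchangeCode(code, now = Date.now()) {
    return this.postToken(authorizationCodeBody(this.clientId, this.redirectUri, code), now);
  }

  // Step 4: get a fresh access token with the stored refresh token.
  async refresh(now = Date.now()) {
    if (!this.refreshToken) throw new Error('no refresh token; the user must log in again');
    return this.postToken(refreshTokenBody(this.clientId, this.redirectUri, this.refreshToken), now);
  }

  // Treat the token as expired `skewMs` early so a request does not race the expiry.
  isExpired(now = Date.now(), skewMs = 60000) {
    return now + skewMs >= this.expiresAt;
  }

  // Returns a usable access token, refreshing first when needed.
  async getAccessToken(now = Date.now()) {
    if (!this.accessToken || this.isExpired(now)) await this.refresh(now);
    return this.accessToken;
  }
}

// Constructed fake token endpoint standing in for fetch (not Elfsquad's server).
// A code exchange returns the response body shown on the page; a refresh with
// the known refresh token returns a new access token and a rotated refresh token;
// anything else is rejected with 400.
function fakeFetch(url, init) {
  const body = JSON.parse(init.body);
  let status = 400;
  let reply = { error: 'invalid_grant' };
  if (body.grant_type === 'authorization_code' && body.code) {
    status = 200;
    reply = { access_token: '123', expires_in: 3600, id_token: 'abc', refresh_token: 'xyz' };
  } else if (body.grant_type === 'refresh_token' && body.refresh_token === 'xyz') {
    status = 200;
    reply = { access_token: '456', expires_in: 3600, refresh_token: 'xyz2' };
  }
  return Promise.resolve({ ok: status === 200, status, json: () => Promise.resolve(reply) });
}
```

Call getAccessToken before every API request rather than caching the string elsewhere; the session then refreshes transparently, and a rejected refresh (refresh token older than 30 days, or revoked) surfaces as an error that should send the user back through Step 1.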