Server-side web apps should use the Authorization Code Grant flow as specified by the official OAuth 2.0 Authorization Framework (RFC 6749). In this flow the user's browser only ever carries a short-lived, single-use authorization code; the application secret and the resulting tokens stay on your server.
Below is a guide to getting started with this authorization flow.
Your OpenAPI Application
When an application is created for you on OpenAPI, you will receive the following application details:
- A URL uniquely representing your app.
- The URL of the Saxo Bank authentication & authorization server (AuthenticationUrl).
- The Application key identifying your application.
- The Application secret, which authenticates your application to the token endpoint and must never be sent to a browser or embedded in client-side code.
- The base URL for calling OpenAPI REST endpoints.
These can be mapped to the necessary OAuth parameters:
| OAuth parameter | Saxo App Value |
|---|---|
| Authorization endpoint | AuthenticationUrl + '/authorize' |
| Token endpoint | AuthenticationUrl + '/token' |
| client_id | Application key |
| client_secret | Application secret |

The parameters below are determined by the developer:

| OAuth parameter | Value |
|---|---|
| response_type | Must always be set to 'code'. |
| redirect_uri | The URL of your app to which the user is sent back together with the authorization code. |
| state | Randomly generated, unguessable string the client uses to bind the callback to the request it issued. Store it in the user's session and reject any callback whose state does not match; this is the flow's protection against login CSRF and injected codes. |
To initiate the authentication flow, redirect the user's browser to the /authorize endpoint with the required parameters (response_type, client_id, redirect_uri and state) URL-encoded in the query string.
Once the user has logged in, the browser is redirected back to the provided redirect_uri with the authorization code and the state as query parameters. Verify that the state matches the one stored in the user's session before doing anything with the code, and treat the code as single-use: exchange it immediately on the server and never expose it to client-side scripts or logs.
Access Token Request
Once the authorization code has been obtained, it can be exchanged for an access token by sending a POST request to the /token endpoint with 'grant_type=authorization_code', the code and the same redirect_uri, form-encoded in the body (Content-Type 'application/x-www-form-urlencoded'). This request must be authenticated using HTTP Basic Auth with your client_id (Application key) as username and client_secret (Application secret) as password: the Authorization header value is the word "Basic " followed by the base64 encoding of the string "client_id:client_secret".
If your OAuth library does not support sending the credentials as HTTP Basic Auth, we also accept them as client_id and client_secret fields in the POST body:
The response to this request will contain an access_token and a refresh_token; store both server-side, never in a cookie or browser storage:
Using the Refresh Token
If you were provided with a refresh token, you can use it to keep the session alive by exchanging it, within its lifetime, for a new access token and a new refresh token. The old refresh token is replaced by the one in the response, so persist the new value and discard the old one.
To do this, send another request to the /token endpoint, authenticated in the same way, with 'grant_type=refresh_token' and the refresh_token in the body:
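The three exchanges above (the redirect to /authorize, the callback with the code, and the POST to /token for both the code exchange and the refresh), written out as an added example. This is not Saxo's code or part of the original page; it only builds and checks the HTTP messages so it runs offline, and the AUTH_URL, CLIENT_ID, CLIENT_SECRET and REDIRECT_URI values are constructed placeholders. The state check in parse_callback is the step the flow depends on for security: a callback whose state does not match the value issued for this session is rejected and its code is never exchanged.

```python
"""Authorization Code Grant as a server-side app performs it.

Added example, not Saxo's code. The request builders return plain dicts
describing method, URL, headers and form body so they can be handed to any
HTTP client (requests, httpx, urllib) and inspected without a network.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder application details (assumptions, not real credentials).
AUTH_URL = "https://auth.example.com"                 # stands in for AuthenticationUrl
CLIENT_ID = "app"                                     # stands in for the Application key
CLIENT_SECRET = "secret"                              # stands in for the Application secret
REDIRECT_URI = "https://myapp.example.com/callback"   # this app's callback URL


def new_state() -> str:
    """Unguessable per-login state value; store it in the user's session."""
    return secrets.token_urlsafe(32)


def authorize_url(state: str) -> str:
    """Step 1: URL the user's browser is redirected to (GET /authorize)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTH_URL}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: extract the code from the redirect back to redirect_uri.

    Refuses the callback unless its state equals the one this session issued,
    so a code planted by an attacker (login CSRF) is never exchanged.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization refused: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise PermissionError("state mismatch: discarding authorization code")
    return query["code"][0]


def basic_auth_header() -> str:
    """HTTP Basic client authentication: 'Basic ' + base64(client_id:client_secret)."""
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def token_request(grant: dict) -> dict:
    """Step 3: describe a POST to /token; the grant dict becomes the form body."""
    return {
        "method": "POST",
        "url": f"{AUTH_URL}/token",
        "headers": {
            "Authorization": basic_auth_header(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(grant),
    }


def code_exchange_request(code: str) -> dict:
    """Exchange the single-use authorization code for tokens."""
    return token_request({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })


def refresh_request(refresh_token: str) -> dict:
    """Trade the current refresh token for a new access + refresh token pair."""
    return token_request({"grant_type": "refresh_token", "refresh_token": refresh_token})


def parse_token_response(body: str) -> dict:
    """Keep only the fields the app needs; reject a response without an access token."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(f"token endpoint error: {data.get('error', body)}")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # replaces the previous one
        "expires_in": data.get("expires_in"),
    }


if __name__ == "__main__":
    state = new_state()
    print("redirect user to:", authorize_url(state))
    # Constructed callback, as the browser would present it after login.
    code = parse_callback(f"{REDIRECT_URI}?code=abc123&state={state}", state)
    print("token request:", code_exchange_request(code))
```

Persist the refresh token returned by parse_token_response in place of the old one after every refresh, and keep the whole token store server-side; the only thing that should ever reach the browser is the redirect to authorize_url.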