To authenticate a member with their credentials, use the standard OAuth 2.0 Authorization Code flow. You send the user to a Daxko login form; Daxko then redirects back to your site with an authorization code, which your server exchanges for a token it uses in server-to-server API calls.
Step 1: Settings (one-time setup)
Before the login form will work for your API username, you must configure it once with the Save member OAuth2 settings API call.
- valid_redirect_uris is a required list of URLs on YOUR site that Daxko may redirect to after a member authenticates successfully. Any redirect_uri you pass in Step 2 must be in this list.
- If you enter a non-blank value for links.sign_up.url and/or links.forgot_password.url, Daxko renders a link on its form back to your site so that you handle the sign up and/or forgot password flow and control that experience.
Request:
PUT /v3/partners/oauth2/members/settings
{
"settings": {
"valid_redirect_uris": [
"https://www.mysite.org/successful_login"
],
"links": {
"sign_up": {
"url": "https://www.mysite.org/my_sign_up_process"
},
"forgot_password": {
"url": "https://www.mysite.org/my_forgot_password_process"
}
}
}
}
Step 2: Build Auth Form URL
In your code, build a URL using the format below and redirect your user to Daxko Operations:
https://operations.daxko.com/online/auth
?response_type=code
&scope=client:9991+member:basic_info
&state=axjfoa83alksdfj
&client_id=my_api_username
&redirect_uri=https://www.mysite.org/successful_login
operations.daxko.com is the production Daxko Operations site and is the URL you should use when you go live. If you are testing with a non-production Daxko Operations site/api, then you’ll need to use one of the following URLs: operations-train.daxko.com, operations-demo.daxko.com, or operations-data-validation.daxko.com depending on your desired environment.
Explanation of parameters:
- response_type=code - Tells Daxko that your application is initiating the authorization code flow.
- client_id - The API username provided by Daxko. This is the standard parameter name specified by OAuth; do not confuse it with the Daxko Operations integer client id.
- redirect_uri - Tells Daxko where to send the user back to after they approve the request. NOTE: this must be configured first in Step 1.
- scope - One or more space-separated strings indicating which permissions the application is requesting. client:NNNN says that you are requesting a login for Daxko Operations client NNNN, where NNNN is an integer such as 9991. member:basic_info says that you are requesting the member's basic information (including member id).
- state - Your application generates a random, unguessable string and includes it in the request. You then check that the same value is returned after the user authorizes the app. This prevents CSRF attacks.
When the user reaches this page, they will be shown a login screen.
Step 3: Redirect Back to Your Site
When the login is successful, Daxko Operations will redirect back to your site (using the redirect_uri specified in Step 2) with additional parameters in the URL.
Daxko Operations redirects the user to:
https://www.mysite.org/successful_login
?code=haOFJDr87EaP0d0tllfL0MHsVfIvJTHaOPPaTbixRXw
&state=axjfoa83alksdfj
The code expires in 10 minutes.
Before doing anything with the code, validate that the state value is the same value you passed in Step 2, and throw an error on your site if they do not match (this protects against cross-site request forgery attacks).
Step 4: Exchange Auth Code for Access Token
Use the code from Step 3 to make a secure API call from your server (where the API credentials are securely stored) to get an access_token for this member.
Call the /v3/partners/oauth2/members/token endpoint with these parameters:
| OAuth2 parameter name | Description | Example |
|---|---|---|
| grant_type | OAuth grant type | always authorization_code |
| client_id | Your Daxko API username | daxko_api_user |
| client_secret | Your Daxko API password | d9a2652cf96d734661c10d5ff2f8061f |
| code | The code in the query string from Step 3 | haOFJDr87EaP0d0tllfL0MHsVfIvJTHaOPPaTbixRXw |
| redirect_uri | The exact redirect_uri you used in Step 2 | https://www.mysite.org/successful_login |
You must include your refresh_token in the Authorization header for this call, as in the example below.
An example curl request to get an access token for this member:
curl -XPOST {base_url}/v3/partners/oauth2/members/token \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
-F "grant_type=authorization_code" \
-F "client_id=daxko_api_user" \
-F "client_secret=d9a2652cf96d734661c10d5ff2f8061f" \
-F "code=haOFJDr87EaP0d0tllfL0MHsVfIvJTHaOPPaTbixRXw" \
-F "redirect_uri=https://www.mysite.org/successful_login"
Response:
{
"access_token": "ayJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ...",
"expires_in": "600",
"token_type": "bearer"
}
This access token expires in 10 minutes.
Once you exchange the code for the access token, the code is no longer valid.
Step 5: Get Member Info
You now have an access_token that is scoped to this member. The only call you can currently make with this access_token is Get my member info, passing the access_token value in the Authorization header, for example: Bearer ayJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ...
curl -XGET {base_url}/v3/members/me \
-H "Authorization: Bearer ayJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ..."
Response:
{
"member_id": "400007995-00",
"member_unit_id": "400007995",
"name": {
"first_name": "Erika",
"last_name": "Doe"
}
}
Now that you have member_id and member_unit_id, you can use these ids to make other API calls on behalf of this user with the main access_token that you normally use. You may discard the member-scoped access_token after retrieving this member's information.
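The client side of Steps 2 through 5 in one place, as an added example that is not Daxko's own code. It assumes the hosts, paths and parameter names quoted above, and that the partner refresh_token is sent as a Bearer token on the token-exchange call as the page states; it sends the token request form-urlencoded, whereas the curl above uses multipart (-F), so confirm which your environment accepts. Network calls go through injected post/get callables so the flow can run offline; FakeDaxko is a constructed stand-in for the Daxko endpoints (not the real service) that enforces the registered redirect_uri, binds each code to the redirect_uri it was issued for, and makes codes single-use. The state check in parse_callback is the CSRF protection Step 3 describes.

```python
import hmac
import json
import secrets
import urllib.parse

AUTH_URL = "https://operations.daxko.com/online/auth"   # production; use the train/demo hosts when testing

class AuthError(Exception):
    """Raised when a callback or token exchange must be rejected."""

def new_state():
    """Step 2: unguessable per-login value; keep it in the user's session until the callback arrives."""
    return secrets.token_urlsafe(32)

def build_auth_url(client_id, client_number, redirect_uri, state, auth_url=AUTH_URL):
    """Step 2: the URL the user is redirected to. Scopes are space-separated ('+' once encoded)."""
    params = {
        "response_type": "code",
        "scope": f"client:{client_number} member:basic_info",
        "state": state,
        "client_id": client_id,        # the API username, not the integer client id
        "redirect_uri": redirect_uri,  # must be one of the valid_redirect_uris from Step 1
    }
    return auth_url + "?" + urllib.parse.urlencode(params, safe=":")

def parse_callback(callback_url, expected_state):
    """Step 3: pull the code out of the redirect, refusing it unless state matches what we sent."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise AuthError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [""])[0]
    if not code:
        raise AuthError("callback carried no authorization code")
    return code

def exchange_code(base_url, partner_token, client_id, client_secret, code, redirect_uri, post):
    """Step 4: server-side exchange. post(url, headers, form) -> (status, body) is injected."""
    form = {"grant_type": "authorization_code", "client_id": client_id, "client_secret": client_secret,
            "code": code, "redirect_uri": redirect_uri}    # redirect_uri must match Step 2 exactly
    status, body = post(f"{base_url}/v3/partners/oauth2/members/token",
                        {"Authorization": f"Bearer {partner_token}"}, form)  # partner refresh_token, per the page
    if status != 200:
        raise AuthError(f"token exchange rejected: HTTP {status}")
    token = json.loads(body)
    if token.get("token_type", "").lower() != "bearer" or not token.get("access_token"):
        raise AuthError("unexpected token response")
    return token["access_token"]

def get_member_ids(base_url, member_token, get):
    """Step 5: the one call the member token is for. get(url, headers) -> (status, body) is injected."""
    status, body = get(f"{base_url}/v3/members/me", {"Authorization": f"Bearer {member_token}"})
    if status != 200:
        raise AuthError(f"member lookup rejected: HTTP {status}")
    info = json.loads(body)
    return info["member_id"], info["member_unit_id"]

class FakeDaxko:
    """Constructed stand-in for the Daxko endpoints so the flow runs offline; not the real service."""
    def __init__(self, valid_redirect_uris, member):
        self.valid_redirect_uris, self.member = set(valid_redirect_uris), member
        self.pending, self.issued = {}, {}

    def login(self, auth_url):
        """Stands in for the member signing in; returns the redirect back to the partner site."""
        q = {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlparse(auth_url).query).items()}
        if q.get("response_type") != "code" or q.get("redirect_uri") not in self.valid_redirect_uris:
            raise ValueError("unregistered redirect_uri or wrong response_type")
        code = secrets.token_urlsafe(32)
        self.pending[code] = q["redirect_uri"]    # code is bound to the redirect_uri it was issued for
        return q["redirect_uri"] + "?" + urllib.parse.urlencode({"code": code, "state": q["state"]})

    def post(self, url, headers, form):
        ok = (url.endswith("/v3/partners/oauth2/members/token") and form.get("grant_type") == "authorization_code"
              and self.pending.get(form.get("code")) == form.get("redirect_uri"))
        if not ok:
            return 400, json.dumps({"error": "invalid_grant"})
        del self.pending[form["code"]]            # a code is single-use; a second exchange fails
        tok = "mbr-" + secrets.token_hex(8)
        self.issued[tok] = self.member
        return 200, json.dumps({"access_token": tok, "expires_in": "600", "token_type": "bearer"})

    def get(self, url, headers):
        tok = headers.get("Authorization", "").removeprefix("Bearer ")
        if url.endswith("/v3/members/me") and tok in self.issued:
            return 200, json.dumps(self.issued[tok])
        return 401, ""

def demo():
    """Runs Steps 2 to 5 end to end against FakeDaxko with constructed data; returns the member ids."""
    base, redirect_uri = "https://api.example.invalid", "https://www.mysite.org/successful_login"
    daxko = FakeDaxko([redirect_uri], {"member_id": "400007995-00", "member_unit_id": "400007995"})
    state = new_state()                           # a real site stores this in the user's session
    callback = daxko.login(build_auth_url("my_api_username", 9991, redirect_uri, state))
    code = parse_callback(callback, state)
    member_token = exchange_code(base, "partner-refresh-token", "my_api_username", "api-password",
                                 code, redirect_uri, daxko.post)
    return get_member_ids(base, member_token, daxko.get)
```

For production, replace daxko.post and daxko.get with functions that perform the real HTTP request against {base_url} and return (status, body); everything else stays the same. Note that the state is compared in constant time and checked before the code is touched, that the redirect_uri sent in Step 4 is the same string used in Step 2, and that a second exchange of the same code is rejected, matching the single-use behaviour the page describes.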