Step 1 — Get authorization code
Last updated December 21st, 2023
Since the authorization code grant is a redirection-based flow, the OAuth2 client you created must be able to interact with the Knox end customer's user-agent (typically a web browser) and to receive incoming requests (through redirection) from the Knox authorization server.
If the Knox end customer consents to the requested Knox Cloud API access, the authorization server issues an "authorization code" that can be exchanged for the access and refresh tokens used to authenticate the Knox Cloud API requests your OAuth2 client makes on the customer's behalf.
First, your organization portal needs to direct the user-agent to the Knox authorization endpoint with the request parameters shown in the example below (for more details, please refer to the Knox OAuth2 Authorization Server API).
Authorization Code request example:
https://api.samsungknox.com/ams/v1/oauth2/authorize?
  response_type=code&
  client_id=example-client&
  scope=ke&
  redirect_uri=https://example-app.com/redirect&
  code_challenge=1234abcd123abCd1a2BCdaBCdab3cDABcdaBcDABcD&
  code_challenge_method=S256&
  state=abcde
Include the client_id of your Knox OAuth2 application.
Include the scope your customer is granting access to (for example, use "ke" for Knox E-FOTA).
Include the redirect URL (redirect_uri) that you specified when creating the Knox OAuth2 application.
Include a code_challenge as per the PKCE protocol.
- First generate a code verifier, which, according to the PKCE protocol, is a high-entropy cryptographically random string between 43 and 128 characters long. It can contain letters, digits, underscores, periods, hyphens, or tildes.
- Once the code verifier has been generated, hash it using the SHA-256 (S256) code challenge method. The following are some examples of how to generate the code verifier and code challenge.
Specify the code_challenge_method (the Knox authorization server supports only SHA-256: code_challenge_method=S256).
The state parameter specifies an opaque value (a random string) used by the client to maintain state between the request and the callback. The authorization server includes this value when redirecting the user-agent back to the client. This parameter provides protection against certain attacks such as Cross-Site Request Forgery (CSRF).
Knox authenticates your customer (using a Samsung account or another identity provider) and obtains their consent for you to manage their Knox cloud services. If the customer gives consent, they are redirected to your application's redirect URL with the authorization code and the state parameter. Verify that the value of the state parameter matches the one you specified in the authorization code request; if it does not, discard the callback.
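The steps above, as an added example that is not part of the Knox documentation: generating a PKCE code verifier and its S256 challenge, building the authorization URL for the Knox endpoint, and checking the state value on the callback. The client id, redirect URI and callback URL are constructed sample values; the RFC 7636 test vector is used to check the challenge derivation.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://api.samsungknox.com/ams/v1/oauth2/authorize"
# RFC 7636 unreserved characters, 43..128 long
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")


def is_valid_code_verifier(verifier: str) -> bool:
    return _VERIFIER_RE.match(verifier) is not None


def generate_code_verifier(n_bytes: int = 64) -> str:
    # 64 random bytes -> 86 base64url chars, inside the 43..128 PKCE range
    verifier = secrets.token_urlsafe(n_bytes)
    if not is_valid_code_verifier(verifier):
        raise ValueError("generated verifier violates PKCE constraints")
    return verifier


def code_challenge_s256(verifier: str) -> str:
    # S256 = BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding removed
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id, redirect_uri, scope, code_challenge, state):
    # urlencode percent-encodes redirect_uri; the page shows it unencoded for readability
    params = {
        "response_type": "code", "client_id": client_id, "scope": scope,
        "redirect_uri": redirect_uri, "code_challenge": code_challenge,
        "code_challenge_method": "S256", "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def extract_code_from_callback(callback_url: str, expected_state: str) -> str:
    # Reject the callback unless the returned state matches the one we sent (CSRF check)
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: discard this callback")
    return query["code"][0]


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier = generate_code_verifier()
    print(build_authorize_url("example-client", "https://example-app.com/redirect",
                              "ke", code_challenge_s256(verifier), state))
```

Keep the verifier and state server-side (for example in the user's session) until the callback arrives; the verifier is needed for the token exchange in the next step.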
Redirect URL example: