...
The mobile app obtains an edX-issued access token in either of the following ways:
- AccessTokenView: username (or email) and password combination, using the OAuth2 password grant (grant_type=password)
- curl -X POST -d "client_id=INSERT_CLIENT_ID&grant_type=password&username=INSERT_USERNAME&password=INSERT_PASSWORD" http://localhost:8000/oauth2/access_token/
- AccessTokenExchangeView: 3rd party (social-auth) OAuth 2.0 access token -> 1st party (open-edx) OAuth 2.0 access token
...
- curl -X POST -d "client_id=INSERT_CLIENT_ID&access_token=INSERT_THIRD_PARTY_ACCESS_TOKEN" http://localhost:8000/oauth2/exchange_access_token/INSERT_BACKEND
- For now, the supported backends are "facebook" and "google-oauth2"
Example Response
The response from either of the above endpoints provides the edX access_token as follows:
{"access_token": "5e0a0cb315e66aa96bab910faa8c70ee0ca91236", "token_type": "Bearer", "expires_in": 2591999, "scope": ""}
Authorization Bearer
Once an access token is obtained, it can be used to authenticate the user in any API call that supports the OAuth2AuthenticationAllowInactiveUser authentication class. The access token is passed in the Bearer field of the Authorization HTTP header, as follows:
- curl -H "Authorization: Bearer INSERT_EDX_ACCESS_TOKEN" http://localhost:8000/api/mobile/v0.5/..
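As an added example (not code from the Open edX project), a small Python client for the two token endpoints and the Bearer header described above; the injectable `post` transport, the `clock` parameter and the early-expiry `skew` are my assumptions, and a real app would back `post` with urllib or requests.

```python
import json
import time
from dataclasses import dataclass

SUPPORTED_BACKENDS = ("facebook", "google-oauth2")  # the two named on the page

@dataclass
class Token:
    access_token: str
    expires_at: float  # absolute epoch seconds, computed from expires_in

    def is_valid(self, now, skew=60):
        # Treat the token as expired `skew` seconds early so an in-flight call is not rejected at the boundary.
        return now + skew < self.expires_at

def parse_token_response(status, body, issued_at):
    """Build a Token from the JSON body of either token endpoint."""
    if status != 200:
        raise PermissionError("token endpoint returned HTTP %d" % status)
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return Token(data["access_token"], issued_at + int(data["expires_in"]))

class EdxOAuthClient:
    """post(url, form) is an injectable (assumed) transport returning (status, body);
    credentials always travel in the POST body, never in the query string."""
    def __init__(self, base_url, client_id, post, clock=time.time):
        self.base_url, self.client_id, self.post, self.clock = base_url, client_id, post, clock

    def password_grant(self, username, password):
        form = {"client_id": self.client_id, "grant_type": "password",
                "username": username, "password": password}
        status, body = self.post(self.base_url + "/oauth2/access_token/", form)
        return parse_token_response(status, body, self.clock())

    def exchange_third_party_token(self, backend, third_party_token):
        if backend not in SUPPORTED_BACKENDS:
            raise ValueError("unsupported backend: %s" % backend)
        url = "%s/oauth2/exchange_access_token/%s" % (self.base_url, backend)
        form = {"client_id": self.client_id, "access_token": third_party_token}
        status, body = self.post(url, form)
        return parse_token_response(status, body, self.clock())

def bearer_headers(token, now):
    """Authorization header for an API call; refuses to send an expired token."""
    if not token.is_valid(now):
        raise PermissionError("access token expired; obtain a new one")
    return {"Authorization": "Bearer " + token.access_token}
```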
Expiration
OAuth2 -> Session Cookie
Additionally, the mobile app can exchange an access token for a session cookie to be used in a WebView:
- LoginWithAccessTokenView: 1st party (open-edx) OAuth 2.0 access token -> session cookie
- Returns a 204 (no content), but with the user's session cookies in the response.
OAuth2 Client Type, Client ID, and Client Secret
...