How to handle responses from Authlete API

Most Authlete APIs return a response that includes an "action" parameter. When implementing an authorization server with Authlete, the basic processing principle is: make a request to one of Authlete's APIs, parse the response from the API, check the value of "action" in the response, and process the request in accordance with that value.


For example, a response from the /auth/authorization API includes one of the following values in its "action" field:

  • BAD_REQUEST
  • FORM
  • INTERACTION
  • INTERNAL_SERVER_ERROR
  • LOCATION
  • NO_INTERACTION

action=INTERACTION indicates that the authorization request is valid. Your authorization server is expected to generate a web page (HTML) that authenticates the user and asks for his/her consent, send that page to the user's Web browser, and interact with the user. Once the authentication process has completed successfully, your authorization server makes a request to the /auth/authorization/issue API. If it is unsuccessful (e.g. the user cancelled the process), the server makes a request to the /auth/authorization/fail API instead. (cf. Ticket Parameter in Authorization Endpoint)

action=BAD_REQUEST indicates that the authorization request is invalid and your authorization server should return a "400 Bad Request" response to the Web browser. The response will look like this:

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

(put the value of responseContent included in the API response here)

action=LOCATION indicates that your authorization server is expected to return a "302 Found" response to the Web browser. The response will look like this:

HTTP/1.1 302 Found
Location: (put the value of responseContent included in the API response here)
Cache-Control: no-store
Pragma: no-cache
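The dispatch described above, written out as an added example (not Authlete's own code or SDK): a parsed /auth/authorization response is mapped to the HTTP response the authorization server sends to the browser. It assumes the response has already been parsed into a dict with the "action" and "responseContent" keys, and that an unexpected or malformed action fails closed rather than echoing anything to the browser; the sample responses are constructed.

```python
"""Map the "action" of a parsed Authlete /auth/authorization response to the
HTTP response for the browser. Added example, not Authlete's own code.
Assumes a dict with "action" and "responseContent" (as the article describes)."""

NO_CACHE_HEADERS = {"Cache-Control": "no-store", "Pragma": "no-cache"}


def build_browser_response(api_response: dict) -> dict:
    """Return {"status", "headers", "body"} to send to the user's browser."""
    action = api_response.get("action")
    content = api_response.get("responseContent")

    if action == "BAD_REQUEST":
        # Invalid authorization request: 400 with the JSON body Authlete prepared.
        headers = {"Content-Type": "application/json", **NO_CACHE_HEADERS}
        return {"status": 400, "headers": headers, "body": content or ""}

    if action == "LOCATION":
        # Redirect the browser; the full Location value is responseContent.
        # A LOCATION without content would be an empty redirect, so fail closed.
        if not content:
            return _fail_closed(action)
        headers = {"Location": content, **NO_CACHE_HEADERS}
        return {"status": 302, "headers": headers, "body": ""}

    if action == "INTERACTION":
        # Valid request: the server now renders its own login/consent page
        # (assumption: represented here only by a marker flag).
        headers = {"Content-Type": "text/html", **NO_CACHE_HEADERS}
        return {"status": 200, "headers": headers, "body": "", "render_consent_page": True}

    # FORM, NO_INTERACTION, INTERNAL_SERVER_ERROR and unknown values are not
    # covered by the article; never pass API content through for them.
    return _fail_closed(action)


def _fail_closed(action) -> dict:
    """Generic 500 with no API content echoed; records the unhandled action."""
    return {"status": 500, "headers": dict(NO_CACHE_HEADERS), "body": "",
            "unhandled_action": action}


# Constructed sample API responses (not real Authlete output).
SAMPLE_BAD_REQUEST = {"action": "BAD_REQUEST",
                      "responseContent": '{"error":"invalid_request"}'}
SAMPLE_LOCATION = {"action": "LOCATION",
                   "responseContent": "https://client.example/cb?code=CONSTRUCTED"}
SAMPLE_INTERACTION = {"action": "INTERACTION", "responseContent": None}
SAMPLE_EMPTY_LOCATION = {"action": "LOCATION", "responseContent": ""}
```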

