Noah Mobile supports OAuth 2.0 ‘implicit grant flow’ authorization in this release and requires that client applications be authorized before they can access the Noah Mobile API.
The following is an example of the steps your App needs to perform during the authorization process.
- Your App redirects the user to the Noah Server for authorization, passing the following parameters:
- client_id (this is the same as your HIMSA AppID)
- redirect_uri = your Redirection URI; the callback page it points to may be hosted by the provider or by yourself, and it must match the URI registered for your App
- response_type = token
- state - Optional but recommended; a unique, unguessable value generated by your App and checked when the user is redirected back, to protect against CSRF
- scope - Optional; what data your application can access.
The following is an example Authorization used by the HIMSA Patient Sample module:
- The user must then log into the Noah Server service and grant your App access. The login window is shown to the user with the help of the URL shown below.
When the user grants access, the Noah Server redirects the browser back to your redirect_uri with the Access Token. (Note: the fields listed next, code, client_secret and grant_type = "authorization_code", belong to the server-side exchange step of the OAuth 2.0 authorization code grant. With the implicit grant selected by response_type = token there is no authorization code to exchange and no client_secret is used; the access token is delivered directly in the redirect.) For the authorization code grant, the exchange uses the following information:
- client_id (this is the same as your HIMSA AppID)
- client_secret
- code
- redirect_uri - Optional
- grant_type = "authorization_code"
- If the request is valid, the Noah Server redirects the user's browser to the redirect_uri with the following in the URL fragment:
- access_token
- expires_in
Your App must then extract the access token and send it when querying for data in the API. The access_token is delivered inside the URL's #hash fragment: browsers do not send the fragment to the server, so server-side components cannot read it and it must be extracted by client-side code. At the same time, read back the other values sent along with it, in particular the state value if one was used in the prior step, and reject the response if it does not match the value your App generated.
The app should then continue from the Redirection URI with the hash fragment removed, so that the token is not left behind in browser history, server logs or Referer headers.
The app should keep the access token for the Noah Mobile WebAPI secure and delete it when it is no longer required by the client application. An access token is valid for a limited period (determined by HIMSA) from the time it was acquired; expires_in tells your App how long, after which it must repeat the authorization step.