Skip to main content
OAuth 2.0 is an open standard protocol for secure authorization of applications without users having to directly share their credentials. Instead, an application gains access to an API by using tokens.
TypeURL
Authorize Endpoint (Production)https://oauth2.coreapi.io/oauth2/auth
Token Endpoint (Production)https://oauth2.coreapi.io/oauth2/token
JWK Keys (Production)https://oauth2.coreapi.io/.well-known/jwks.json
Authorize Endpoint (Preview)https://oauth2.preview.coreapi.io/oauth2/auth
Token Endpoint (Preview)https://oauth2.preview.coreapi.io/oauth2/token
JWK Keys (Preview)https://oauth2.preview.coreapi.io/.well-known/jwks.json
To get access to OAuth2 clients, create a support ticket.
Redirect URLs must use https. The exceptions are http://localhost and http://127.0.0.1.

Basic Concepts of OAuth 2.0

  • Authorization Server: Verifies the identity of the user and issues access tokens.
  • Resource Server: The server that provides the protected resources (e.g., an API).
  • Client: The application that wants to access the API.
  • Resource Owner: The user who decides whether an application gets access to their resources.
  • Access Token: A temporary token used for accessing the API.
  • Refresh Token (optional): A long-term token used to renew an access token.

Grant Types

Depending on the application scenario, there are different grant types that determine how a client obtains an access token. The following grant types are supported by Fynn:

Authorization Code Flow (with or without PKCE)

The Authorization Code Flow is an OAuth2 process designed for web applications to securely authenticate users and grant access to protected resources. This flow is especially recommended for server-side applications, as sensitive credentials are not stored directly in the frontend.
  • Use case: Web applications & mobile apps
  • Security: Very high (tokens are managed only in the backend)
Authorization Code Flow Process
  1. Redirect to Authorization Request: The application redirects the user to the authorization server’s login page. Here, the application specifies which permissions (scopes) it needs.
  2. User Authentication and Consent: The user logs in to the authorization server and is asked whether they want to grant the application the requested access.
  3. Receive Authorization Code: After successful authentication, the user is redirected back to the application. A one-time authorization code is passed.
  4. Exchange Code for Access Token: The application sends the received code along with a secret key to the authorization server. If the request is valid, the server issues an access token.
  5. Access Protected Resources: With the received access token, the application can now access protected APIs and retrieve data or perform actions on behalf of the user.

Proof Key for Code Exchange (PKCE)

PKCE (Proof Key for Code Exchange) is an extension of the Authorization Code Flow specifically designed for public clients such as single-page and mobile apps. It prevents the authorization code from being misused through attacks (e.g., code interception). How PKCE works:
  • The client generates a random code verifier (a long, random string).
  • From this, a code challenge is derived (a transformed version of the verifier, usually as a SHA-256 hash).
  • When exchanging the authorization code for an access token, the client must send the original code verifier.
  • The server verifies the challenge and only issues the access token if the values match.
Since no secret key needs to be stored, PKCE is particularly important for clients without secure storage (e.g., browser applications).

Extensions of the Authorization Code Flow

  1. Refresh Token for Long-term Access: To prevent the user from having to re-authenticate constantly, a refresh token can additionally be requested. This allows the application to obtain new access tokens without further user input. The scope offline is required for this.
  2. ID Token for User Information (OpenID Connect): If the application also needs information about the logged-in user, an ID token can be requested. This is issued as a JWT (JSON Web Token) and contains, for example, the user ID, email address, or other identity attributes. The scope openid is required for this.
  3. Scopes for Permission Control: The authorization process can be controlled through various scopes. These define which data or functions the user grants the application.

Example

Scenario: A web application wants to authenticate the user and gain access to a protected API.
  1. User is redirected for authorization
The application redirects the user to the authorization server: 
GET https://oauth2.coreapi.io/oauth2/auth
    ?response_type=code
    &client_id=client123
    &redirect_uri=https://my-app.com/callback
    &scope=openid offline entitlements.read
    &state=randomString
  1. User logs in The user is redirected to Fynn’s login form. After logging in, Fynn asks whether the application should be granted access.
If the user agrees, the server returns an authorization code: 
GET https://my-app.com/callback?code=AUTH_CODE&state=randomString
  1. Application exchanges the code for an access token The application now sends a POST request to the authorization server:
POST https://oauth2.coreapi.io/oauth2/token
Content-Type: application/x-www-form-urlencoded

client_id=client123
&client_secret=superSecret
&grant_type=authorization_code
&code=AUTH_CODE
&redirect_uri=https://my-app.com/callback
The server returns an access token, refresh token, and JWT token (OpenID), depending on the specified scopes: 
{
    "access_token": "...",
    "expires_in": 3600,
    "refresh_token": "...",
    "id_token": "...",
    "scope": "...",
    "token_type": "Bearer"
}

Refresh Token

When the access token expires, the application can request a new token with a refresh token: 
POST https://oauth2.coreapi.io/oauth2/token
Content-Type: application/x-www-form-urlencoded

client_id=client123
&client_secret=superSecret
&grant_type=refresh_token
&refresh_token=abcd1234
&scope=offline openid entitlements.read
The server returns an access token, refresh token, and JWT token (OpenID), depending on the specified scopes: 
{
    "access_token": "...",
    "expires_in": 3600,
    "refresh_token": "...",
    "id_token": "...",
    "scope": "...",
    "token_type": "Bearer"
}
When a client uses a refresh token to obtain a new access token, a new ID token is also issued if the original token exchange already contained an ID token. The new ID token has an updated expiration time but retains the same auth_time value (the time of the user’s original authentication). The auth_time claim in the ID token is used to determine whether the user’s authentication session is still active.

Scopes

Scopes define which permissions an application receives within an access. They limit access to specific APIs and functions. The following scopes are currently supported:
ScopeMeaning
openidAccess to the user’s OpenID identity (for OIDC)
offlineAllows requesting refresh tokens
entitlements.readAllows retrieving the entitlements endpoint
Scopes are specified both in the authorization request and when creating the OAuth2 client.

OpenID Connect

OpenID Connect extends OAuth’s authentication capabilities by introducing components such as an ID token, which is issued as a JSON Web Token (JWT). OpenID Connect enables standardized authentication by building on OAuth 2.0 and ensuring that applications can reliably verify a user’s identity. To use OpenID Connect, the scope openid must be added. Subsequently, an ID token is also returned when retrieving tokens.

ID Token

The ID token is conceptually comparable to an ID card, as it contains a series of JSON claims about the user, such as:
  • sub (Subject) - Unique identifier of the user
  • name - Full name of the user
  • email - User’s email address
  • iat (Issued At) - Time when the token was issued
  • exp (Expiration) - Expiration time of the token
  • iss (Issuer) - Identity provider (IdP) that issued the token
  • aud (Audience) - The target application for which the token is intended
Decoded ID Token
{
  iss: "https://oauth2.coreapi.io",
  sub: "some-identity-id",
  aud: "some-client-id",
  exp: 1311281970,
  iat: 1311280970,
  nonce: "KxSty13b2L",
  name: "Jane Doe",
  given_name: "Jane",
  family_name: "Doe",
  email: "jane@example.org",
  email_verified: true,
}

Validating ID Token (JWK)

The ID token can be validated using the JWK keys. The necessary endpoint for this is: https://oauth2.coreapi.io/.well-known/jwks.json, https://oauth2.preview.coreapi.io/.well-known/jwks.json.
ID tokens must not be used for API access.

OpenID Connect Logout

The following flows are currently supported:
FeatureFront-ChannelBack-Channel
Logout MechanismUser is redirected via browserServer-to-server request
End Client SessionThrough cookie or session invalidation in the browserDirectly on the server (e.g., token revocation)
Browser Required?YesNo
Suitable ForWeb apps with session-based loginSecurity-sensitive applications without client-side interaction

OpenID Connect Front-Channel Logout 1.0

For this, we need a Logout URI. Please share it with us. How it works:
  • When a user logs out, Fynn redirects the user agent (browser) to the registered Logout URI.
  • The OAuth2 client application can then also log the user out in your own system, e.g., by:
    • Deleting an authentication cookie
    • Invalidating the user session

OpenID Connect Back-Channel Logout 1.0

For this, we need a Logout URI. Please share it with us. When a user logs out, an HTTP POST request with Content-Type application/x-www-form-urlencoded and a logout_token is sent to the configured URL. The logout_token is a JWT signed with the same key used to sign OpenID Connect ID tokens. Therefore, the logout_token should be validated using the public key for ID tokens, which can be retrieved via /.well-known/jwks.json. The logout_token contains the following claims:
  • iss (Issuer) - Identifier of the issuing OpenID provider: https://oauth2.coreapi.io or https://oauth2.preview.coreapi.io
  • aud (Audience) - The client ID of the OAuth2 client for which this logout token is intended.
  • iat (Issued At) - Time when the token was issued. Can be used to determine the age of the token.
  • jti (JWT ID) - Unique identifier of the JWT to prevent replay attacks. The token should only be used once.
  • events - Contains the entry http://schemas.openid.net/event/backchannel-logout. This declares that the JWT is a logout token. The corresponding value MUST be a JSON object and SHOULD be (empty JSON object).
  • sid (Session ID) - A session ID that links a specific session to an ID token. This is passed as a parameter during the logout call.