How to get authorization code from backend without redirecting to https://api.freeagent.com/v2/approve_app page

Can you please help with how to get an authorization code without redirecting to the https://api.freeagent.com/v2/approve_app page?

Hi @shohelahsan,

Ewa here from the Engineering Team at FreeAgent — thanks for your message on our forum. Redirecting your user to our approval page at https://api.freeagent.com/v2/approve_app is a compulsory step in the FreeAgent API’s OAuth2 journey and I’m afraid it cannot be skipped - for security reasons, an authorisation code can only be generated once the user has logged into FreeAgent using that page.

I hope this helps, but if you have any further questions, please feel free to let me know and I’ll do my best to help out.

Best wishes,

Ewa

Dear @Ewa_Lipinska

Thanks so much for your kind reply indeed! I am afraid we are integrating your FreeAgent APIs for a mobile app (Android and iOS) from our back end REST API project; in that case we need to get your access token. Is there any way to get an access token directly using an RPC call, as I have no idea how to perform the OAuth code flow from the back end?

Looking forward to hearing from you.

Thanks
Shohel Ahsan

Hi @shohelahsan,

Sorry for the delay in response – I’m afraid the only way to get the authorization code at the moment is to have the user log in using the web view, and it cannot be done purely from the backend (this has to be done once per user only; once the user has approved an app and you’ve received the OAuth tokens, you should be able to use the access and refresh tokens to access data in their account without further interaction with the FreeAgent frontend). As far as I’m aware this is the standard way of implementing the Authorization Code Grant, as you can see from the OAuth 2.0 Authorization Framework RFC:

4.1. Authorization Code Grant

The authorization code grant type is used to obtain both access
tokens and refresh tokens and is optimized for confidential clients.
Since this is a redirection-based flow, the client must be capable of
interacting with the resource owner’s user-agent (typically a web
browser) and capable of receiving incoming requests (via redirection)
from the authorization server.

If I’m misunderstanding what you’re after, could you give me an example of an API with OAuth 2.0 authorisation using Authorization Code Grant which works in the way you’d expect?

Best wishes,

Ewa
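The backend half of the flow described in this thread, as an added example that is not part of the thread and is not FreeAgent's code: the backend issues the approval URL with a single-use `state`, then validates the redirect before preparing the token exchange. The class name, redirect URI and `TOKEN_URL` placeholder are assumptions; the query and form parameter names are those of RFC 6749 section 4.1.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

APPROVE_URL = "https://api.freeagent.com/v2/approve_app"  # approval page named in the thread
TOKEN_URL = "https://token-endpoint.invalid/PLACEHOLDER"  # placeholder: take from the provider's docs


class AuthCodeFlow:
    """Hypothetical helper: tracks pending approvals per user on the backend."""

    def __init__(self, client_id, redirect_uri, ttl=600):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.ttl = ttl
        self._pending = {}  # state -> (user_id, expiry); use a shared store in production

    def start(self, user_id, now=None):
        """Return the URL the mobile app opens in a browser or web view."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)  # unguessable, binds the redirect to this user
        self._pending[state] = (user_id, now + self.ttl)
        query = urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
        })
        return f"{APPROVE_URL}?{query}"

    def finish(self, callback_url, now=None):
        """Validate the redirect; return (user_id, token_url, form) for the code exchange."""
        now = time.time() if now is None else now
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [""])[0]
        code = params.get("code", [""])[0]
        entry = self._pending.pop(state, None)  # pop makes each state single-use
        if entry is None or not code:
            raise ValueError("unknown or replayed state, or missing code")
        user_id, expiry = entry
        if now > expiry:
            raise ValueError("state expired")
        # POST this form to the token endpoint, authenticating as the client
        # (RFC 6749 section 2.3.1); store the returned tokens server-side for user_id.
        form = {"grant_type": "authorization_code", "code": code,
                "redirect_uri": self.redirect_uri}
        return user_id, TOKEN_URL, form
```

The client secret and the refresh token stay on the backend; the mobile app only ever opens the approval URL.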