I just wanted to check a couple of things with OAuth if someone
doesn’t mind a bit of hand holding…
From the docs, it talks about the general flow, the first step I take
to mean requesting an Authentication Token.
“The App makes an HTTP Basic Auth request to the FreeAgent OAuth Token
Endpoint including the Client ID, Secret and the Authorisation Token
amongst other parameters. In return the App will receive an Access
Token and a Refresh Token.”
So, working with raw HTTP messages, I was expecting to make a GET
request (with no additional headers) to something like
and should expect 302 back with a Location header indicating the
redirect along with a new Authorisation code (as a URL parameter).
Is this correct so far?
You must not include the client secret here as this defeats the security of
A correct example can be seen at:
If that’s correct, I’m a bit confused about the basic auth part and
the need to supply client Id (some of the docs also talk about
supplying the client secret) on the URL (as request parameters).
I’ve made requests to both and am basically given back HTML content
asking me to log in. If I change the request headers to ask for JSON,
I get 404. I suspect I’m not setting up basic authentication properly.
Using the Apache HC (Java) library, I associate a username and
password to a URL, which do I use…
with the username as client id and the password as the secret?
If I do this, do I still need to supply one or both of them on the
I’m not sure what you mean here. The request to make is detailed at:
You can either use HTTP Basic Auth or you can just include the client_id
and client_secret as URL parameters.
PS, it doesn’t seem to make a difference so far if I use a redirect
url in the request. As I’m writing a programmatic / rich client thing,
I don’t have a logical redirect URL so am unsure what to use here.
You must either have registered a redirect_uri at dev.freeagent.com in
which case you don’t have to supply it here or you must supply one on each
request. Additionally, you must do the same as you did when you requested
the authorisation token - if you didn’t supply one when requesting the
authorisation token you must not supply one when requesting the access
token or if you did supply one when requesting the authorisation token you
must supply the same one when requesting the access token.
Thanks for the hand holding
I’m not sure I’ve really answered your questions above. It might be worth
having a play with the Google OAuth 2.0 Playground (see below) as you can
copy their example requests. Alternatively, why not use a library which
already implements the OAuth 2.0 flow? This would save you having to write
your own implementation.
You received this message because you are subscribed to the Google Groups
“FreeAgent API” group.
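The two requests discussed in this thread, as an added example that is not part of the original messages or FreeAgent's own code. It builds the requests without sending them. Assumptions: the endpoint URLs are placeholders, `CodeFlow` and `extract_code` are hypothetical names, and `response_type=code`, `grant_type=authorization_code` and the POST method are taken from the OAuth 2.0 specification (RFC 6749).

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder endpoints (constructed; substitute the URLs from the API docs).
AUTHORIZE_URL = "https://api.example.invalid/authorize"
TOKEN_URL = "https://api.example.invalid/token"


class CodeFlow:
    """Hypothetical helper: one object per login, so both steps share settings."""

    def __init__(self, client_id, client_secret, redirect_uri=None):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri  # None = rely on the registered one

    def _redirect(self):
        return {} if self.redirect_uri is None else {"redirect_uri": self.redirect_uri}

    def authorization_url(self):
        """Step 1: opened in the user's browser. Carries client_id, never the secret."""
        params = {"response_type": "code", "client_id": self.client_id}
        params.update(self._redirect())
        return AUTHORIZE_URL + "?" + urlencode(params)

    def token_request(self, code):
        """Step 2: direct call to the token endpoint, authenticated with Basic Auth."""
        userpass = f"{self.client_id}:{self.client_secret}".encode()
        headers = {
            "Authorization": "Basic " + base64.b64encode(userpass).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        }
        form = {"grant_type": "authorization_code", "code": code}
        form.update(self._redirect())  # same redirect_uri as step 1, or none
        return "POST", TOKEN_URL, headers, urlencode(form)


def extract_code(redirect_location):
    """Read the authorisation code from the URL the user was redirected to."""
    query = parse_qs(urlsplit(redirect_location).query)
    if "error" in query:
        raise ValueError("authorisation refused: " + query["error"][0])
    return query["code"][0]
```

Because the secret only ever appears in the `Authorization` header of step 2, it stays out of browser history and redirect logs.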