Authenticate using authorization codes

Overview

The authorization code grant type consists of obtaining an access token on behalf of a Dailymotion account after the account owner has granted your application permission, which the authorization server expresses as a short-lived code.

This method involves the following steps:

Build your authorization URL: Redirect the user to your authorization URL, where they can grant your application permission to access specific resources of their Dailymotion account.

Collect the authorization code: Once the user has authenticated and consented, the authorization server redirects them back to you with an authorization code.

Request an access token: Send the authorization code to the authorization server to obtain an access token representing the permission this user granted your application to access the protected resources of their Dailymotion account.


📘

TL;DR

  1. Redirect the user to https://api.dailymotion.com/oauth/authorize?response_type=code&client_id=YOUR_API_KEY&redirect_uri=YOUR_REDIRECT_URI&scope=SCOPES
  2. Collect the authorization code from the code parameter.
  3. Send a POST HTTP request to https://api.dailymotion.com/oauth/token with grant_type=authorization_code, your client_id, client_secret, code and redirect_uri.


Implementation steps


Step 1 – Build your authorization URL

You need to build your authorization URL that includes the required parameters to be able to collect an authorization code.

The authorization URL https://api.dailymotion.com/oauth/authorize requires the following parameters:

  • response_type: Set to code to indicate that you want to receive an authorization code.
  • client_id: The API key from the previous step.
  • redirect_uri: The redirection URI where the authorization server will send the user after successful authentication and consent. This URI needs to match the Callback URL of your API key exactly. If the values differ, the authorization server will reject your request.
  • scope: The specific permissions or access rights your application is requesting (read more about scopes).

📘

If the user does not authorize your application:

Dailymotion redirects the user to the redirect_uri you specified, and adds both error and error_description parameters to the query.

📘

Dynamic redirect URI:

If your redirect_uri has to contain a dynamic part, you can add a slug to the callback URL defined on your API key level, following this model:

http://www.example.org/callback/[SLUGNAME]





Step 2 – Collect authorization code

If the user authenticates and authorizes your application, the authorization server generates an authorization code and redirects the user to the following URL: https://your-redirect-uri?code=AUTHORIZATION_CODE

In your application's backend or server-side code, extract the authorization code from the code parameter and use it promptly to request an access token in the next step. Per OAuth 2.0, an authorization code is short-lived and intended for a single use, so do not log it, expose it client-side, or keep it longer than the exchange requires.



Step 3 – Request an access token using the authorization code

The authorization code can now be sent to the Dailymotion token endpoint to obtain an OAuth access token.

Make a POST request to the token server https://api.dailymotion.com/oauth/token with the following parameters:

  • grant_type: set to authorization_code to specify the grant type flow.
  • client_id: the API key from the previous step.
  • client_secret: the API secret from the previous step. This request must be made server-side; never embed the secret in client-side code.
  • redirect_uri: the same URI as in the previous step.
  • code: the authorization code retrieved in the previous step.


If your request is successful, the response contains the access token; move on to the next step.

If you encounter errors, refer to the list of common errors to help you troubleshoot the request. A rejected exchange typically means the code has expired or was already used, or the redirect_uri does not match the one sent in step 1.


(Optional) – Prevent CSRF attacks with the state parameter

The state parameter carries a random value through the authorization URL and back to your redirect URI.

Your application uses this value to check that a response belongs to a request it initiated, which mitigates cross-site request forgery (CSRF) attacks, for example an attacker tricking a logged-in user into completing a flow with the attacker's code.

  1. Generate the state parameter – Your application must generate a unique, unpredictable random string for each authorization request and keep it server-side (for example in the user's session).
  2. Add the state parameter – Add state and its associated value as a query parameter in the authorization URL.
  3. Handle the authorization response – Once logged in, the user is redirected to the specified redirect URI, which includes the state parameter passed by the application.
  4. Verify the state parameter – Your application must compare the state value received in the response with the one it stored earlier, before using the code. If the values match, the response belongs to a request your application initiated.

❗️

Missing / mismatched state value:

If the state value is missing from the response or does not match, the application should treat the response as a possible CSRF attack: discard it without exchanging the code, and log the event for investigation.
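The following Python module is an added example, not code from the Dailymotion documentation or SDK. It ties together steps 1 to 3 above and the state check: it builds the authorization URL, validates the redirect back to redirect_uri (state first, then error/error_description, then code), and prepares the POST to the token endpoint. The network call is injected as a function so the whole flow runs offline; the callback URL, API key and secret shown are constructed placeholders, the space-separated scope list and the JSON access_token field in the token response are assumptions based on standard OAuth 2.0 rather than statements from this page.

```python
"""Authorization-code flow helpers: build the authorize URL, validate the
callback (state + error handling), and exchange the code for a token.
Added example; not Dailymotion's own code."""
import secrets
from typing import Callable, Dict, Iterable
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://api.dailymotion.com/oauth/authorize"
TOKEN_URL = "https://api.dailymotion.com/oauth/token"


class CallbackError(Exception):
    """Raised when the redirect back to redirect_uri must not be trusted."""


def new_state() -> str:
    """Unpredictable per-request state value from the OS CSPRNG (32 bytes,
    URL-safe). Store it server-side (session) before redirecting the user."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str,
                        scopes: Iterable[str], state: str) -> str:
    """Step 1: the URL the user is redirected to. Scopes are joined with
    spaces, which urlencode emits as '+' (assumed scope separator)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: extract the code from the redirect, but only after the state
    matches. Raises CallbackError on mismatch, denial, or a missing code."""
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    # Verify state first: a missing or mismatched value means this response
    # was not initiated by our application (possible CSRF); discard it.
    received = query.get("state", [""])[0]
    if not received or not secrets.compare_digest(received.encode(),
                                                  expected_state.encode()):
        raise CallbackError("state missing or mismatched; discarding response")

    # The user declined (or the server failed): error + error_description.
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise CallbackError(f"authorization failed: {query['error'][0]}: {desc}")

    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("expected exactly one non-empty code parameter")
    return codes[0]


def build_token_request(client_id: str, client_secret: str,
                        redirect_uri: str, code: str) -> Dict[str, str]:
    """Step 3: form body for the POST to TOKEN_URL. redirect_uri must be
    byte-for-byte the value used in step 1."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code": code,
    }


def exchange_code(form: Dict[str, str],
                  post: Callable[[str, Dict[str, str]], Dict]) -> str:
    """POST the form through a caller-supplied transport and return the access
    token. The transport is injected so the flow can be exercised offline; in
    production pass e.g. lambda u, d: requests.post(u, data=d, timeout=10).json().
    Assumes the standard OAuth 2.0 JSON response carrying an access_token field."""
    body = post(TOKEN_URL, form)
    token = body.get("access_token")
    if not token:
        raise CallbackError(f"token endpoint returned no access_token: {body}")
    return token


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("YOUR_API_KEY", "https://www.example.org/callback",
                              ["userinfo"], state))
    # Constructed callback, as the authorization server would send it on success.
    callback = f"https://www.example.org/callback?code=AUTHORIZATION_CODE&state={state}"
    code = parse_callback(callback, state)
    form = build_token_request("YOUR_API_KEY", "YOUR_API_SECRET",
                               "https://www.example.org/callback", code)
    # Fake transport standing in for the real token endpoint (constructed reply).
    fake_post = lambda url, data: {"access_token": "demo_token", "token_type": "Bearer"}
    print(exchange_code(form, fake_post))
```

The state comparison runs before anything else in the callback is read, and uses a constant-time compare on bytes so a non-ASCII value from an attacker cannot raise a TypeError instead of being rejected. Keeping the token exchange behind an injected transport also keeps the client secret in one server-side function, which is the only place it should ever appear.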