...
All endpoints require a secure connection (HTTPS). If plain HTTP is used, an error status code 403 (forbidden) is returned.
For the test version of each endpoint, replace archie.cochrane.org with test-archie.cochrane.org.
Primary endpoints
Authorization endpoint:
https://archie.cochrane.org/oauth2/auth
Token endpoint:
https://archie.cochrane.org/oauth2/token
...
Token information endpoint:
https://archie.cochrane.org/oauth2/tokeninfo
Token revoking endpoint:
https://archie.cochrane.org/oauth2/revoke
Authorization Code Grant (server-side) flow
...
The server-side flow is optimised for confidential clients, although in theory it could be used by a public client. The first step is for the client to obtain an authorization code from ArchieKeycloack.
The client directs the end user's browser (e.g. in a pop-up window) to the authorization endpoint with the following query parameters ("application/x-www-form-urlencoded" format) added to the endpoint URI:
...
At the authorization endpoint the end user will have to log into Cochrane Account if he or she is not logged in already. After the authentication, provided that the scope of the request is different from "none", the end user may be presented with a consent screen where he or she has to agree to give the client access to resources in Archie within the given scope before the flow may continue. Note: the consent screen is not shown for clients hosted on *.cochrane.org domains.
Once the authentication and possible consent are in order, i.e. the end user has authorized the client to access his or her data, the browser is redirected back to the redirect URI (using an HTTP 302 status code) with the following query parameters added:
...
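The first leg of the flow described above, as an added example that is not part of the original page or Archie's own code: it builds the authorization request and validates the redirect back to the client. The parameter lists are elided on this page, so the names used here (response_type, client_id, redirect_uri, scope, state, code, error) are the standard RFC 6749 ones and are an assumption; the client id and redirect URI are constructed sample values.

```python
import secrets
from hmac import compare_digest
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://archie.cochrane.org/oauth2/auth"  # from the page


def build_auth_request(client_id, redirect_uri, scope, test=False):
    """Return (url, state) for the browser redirect to the authorization endpoint."""
    endpoint = AUTH_ENDPOINT
    if test:
        # The page's rule for the test version of each endpoint.
        endpoint = endpoint.replace("archie.cochrane.org", "test-archie.cochrane.org")
    # Unguessable value the client stores in the user's session and expects back.
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",  # assumed RFC 6749 parameter names
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"{endpoint}?{query}", state


def parse_redirect(callback_url, expected_redirect_uri, expected_state):
    """Validate the redirect back from the authorization endpoint; return the code."""
    got, want = urlsplit(callback_url), urlsplit(expected_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the expected redirect URI")
    params = parse_qs(got.query)
    state = params.get("state", [""])[0]
    # Constant-time comparison. A mismatch means the response was not triggered
    # by this session (CSRF or a mixed-up response), so the code is discarded.
    if not compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        # The end user refused consent or the request was rejected.
        raise PermissionError(params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]
```

The returned code is then exchanged at the token endpoint by the client's server, which is where a confidential client authenticates itself.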