Versions Compared

...

state (highly recommended): An (often randomly) generated value used by the client to maintain state between the request and callback. The parameter will be returned unchanged in the callback.

scope (optional): The scope of the resources that the access token should provide access to. Possible values are:

  • "none": The default, single sign-on only, no access to data
  • "person": Manage person records
  • "group": Manage groups
  • "document": Manage documents and reviews
  • "workflow": Manage tasks and workflows
  • "crs": Manage studies in CRS
  • "crso": Manage studies in CRSO
  • "all": Manage any resource type

Multiple scopes can be provided as a space-separated list, e.g. "person document", but "all" or "none" must stand alone. If no scope is specified, "none" is used (note: the default is not all scopes registered with the client). Only scopes registered with the client are allowed.
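The scope rules above are easy to get wrong on the server side (defaulting to every registered scope, or accepting "all" mixed with other scopes). The following is an added example, not code from the original page or its project, showing one way an authorization server could validate the scope parameter under exactly those rules; the function names, the InvalidScope error and the assumption that "none" is always acceptable even when not explicitly registered are mine.

```python
from typing import Optional, Set

# Scope names as listed on the page. "linked_data" appears only in the
# client_credentials list, so it is not included here (assumption).
KNOWN_SCOPES = {"none", "person", "group", "document", "workflow", "crs", "crso", "all"}
STANDALONE = {"none", "all"}  # may not be combined with any other scope


class InvalidScope(ValueError):
    """Raised when the request must be rejected with OAuth error 'invalid_scope'."""


def parse_scope(raw: Optional[str], registered: Set[str]) -> Set[str]:
    """Return the set of scopes to grant for a request.

    - A missing or empty parameter defaults to {"none"}, never to the
      client's registered scopes.
    - Scopes are space separated; duplicates are collapsed.
    - "none" and "all" must stand alone.
    - Every other requested scope must be known and registered with the client.
    """
    if raw is None or raw.strip() == "":
        return {"none"}
    requested = set(raw.split())
    unknown = requested - KNOWN_SCOPES
    if unknown:
        raise InvalidScope(f"unknown scope(s): {sorted(unknown)}")
    for s in STANDALONE & requested:
        if len(requested) > 1:
            raise InvalidScope(f'"{s}" must stand alone')
    if requested == {"none"}:
        return requested  # assumption: single sign-on only needs no registration
    unregistered = requested - registered
    if unregistered:
        raise InvalidScope(f"not registered for this client: {sorted(unregistered)}")
    return requested


def scope_is_valid(raw: Optional[str], registered: Set[str]) -> bool:
    """Convenience wrapper: True if parse_scope would accept the parameter."""
    try:
        parse_scope(raw, registered)
    except InvalidScope:
        return False
    return True
```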

The authentication and consent screen is displayed as for the server-side flow. Once completed, the browser is redirected back to the redirect URI (using an HTTP 302 status code) with the following parameters added to the fragment component of the redirect URI, i.e. after the hash sign:

...

In case of an error condition, depending on the error type, an error message will either be displayed directly to the end user (if there is a problem with the client ID or redirect URI), or it will be provided as an error parameter in the fragment component of the redirect URI to the client. See the specification section 4.2.2.1 for details.

Resource Owner Password Credentials

The Resource Owner Password Credentials flow allows a client to obtain an access token using the resource owner's credentials (username and password). The password grant is one of the simplest OAuth grants and involves only one step: the client sends the resource owner's username and password in a POST request to the server and receives an access token in exchange. This authorization grant type requires that the application collect the user's password.

The POST request is made with the following parameters:

grant_type (required): Must be set to "password" for this flow.

username (required): Must be set to the resource owner's username.

password (required): Must be set to the resource owner's password.

client_id (required): Must be set to the identifier of the client that was obtained during client registration.

scope (optional): The scope of the resources that the access token should provide access to. Possible values are:

  • "none": The default, single sign-on only, no access to data
  • "person": Manage person records
  • "document": Manage documents and reviews
  • "crs": Manage studies in CRS
  • "crso": Manage studies in CRSO

...

Access code Response

The response to the POST request is a JSON object (MIME type "application/json") like this:

...

grant_type (required): Must be set to "client_credentials" for this flow.

scope (optional): The scope of the resources that the access token should provide access to. Possible values are the same as in the scope description above:

  • "none": The default, single sign-on only, no access to data
  • "person": Manage person records
  • "group": Manage groups
  • "document": Manage documents and reviews
  • "workflow": Manage tasks and workflows
  • "crs": Manage studies in CRS
  • "crso": Manage studies in CRSO
  • "linked_data": Access to linked data resources
  • "all": Manage any resource type

...