This flow requires special authorization from Taboola.
For more information, reach out via our online Community.
Quick summary
- Redirects the user to Taboola for authentication.
- Returns an Authorization Code that is used to obtain an Access Token and Refresh Token.
This flow is similar to the Implicit Flow, but involves an additional step. Because it is more secure, this flow is preferred over the Implicit Flow.
Flow
- User clicks on Connect within your App.
- Your App redirects the user to a Taboola login page:
[authentication_domain]/authentication/oauth/authorize/?client_id=[client_id]&redirect_uri=[redirect_uri]&response_type=code
- Note: authentication_domain = https://authentication.taboola.com
- User logs in and authorizes your App.
- Taboola redirects the user back to your App, using the redirect_uri that you provided. A code query param is appended to the URL, containing the authorization code:
[redirect_uri]?code=[authorization_code]
You must register the redirect_uri with Taboola. Otherwise, the redirect will fail.
The authorization code has a 10-minute expiration period.
- Your App uses the authorization code to obtain an Access Token and Refresh Token from the token endpoint (not visible to the user):
POST /backstage/oauth/token
Host: https://backstage.taboola.com
Content-Type: application/x-www-form-urlencoded
client_id=[client_id] &
client_secret=[client_secret] &
code=[authorization_code] &
redirect_uri=[redirect_uri] &
grant_type=authorization_code
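<?php
// Exchange the authorization code for an Access Token and Refresh Token.
// Run this on your server only: the request body carries the client_secret.
$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_URL => "https://backstage.taboola.com/backstage/oauth/token",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 0,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    // http_build_query() URL-encodes every value, including the redirect_uri
    CURLOPT_POSTFIELDS => http_build_query(array(
        "code" => "ABCDEF123456",
        "redirect_uri" => "https://example.com/callback",
        "client_id" => "abc123",
        "grant_type" => "authorization_code",
        "client_secret" => "123456",
    )),
    CURLOPT_HTTPHEADER => array(
        "Content-Type: application/x-www-form-urlencoded"
    ),
));
$response = curl_exec($curl);
if ($response === false) {
    // Transport-level failure: log the cURL error instead of failing silently
    error_log("Token request failed: " . curl_error($curl));
}
curl_close($curl);
echo $response;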
Use a POST verb with a Content-Type of application/x-www-form-urlencoded.
The response will look similar to the response of a Password Credentials request:
{
"access_token": "ab4Tk<saw\feaXcp53wF2ksasq12",
"refresh_token": "dkjsERT\fck37dSFD<skjw@sddso",
"token_type": "bearer",
"expires_in": 3600
}
A Refresh Token is returned.
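The App-side handling of steps 2, 4 and 5 above, as an added example that is not Taboola's own code: it builds the login URL, validates the callback before trusting its code, and prepares the token request without sending it. The function names and the received_at timestamp are assumptions made for illustration, and the sample values are constructed.

```python
import time
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_DOMAIN = "https://authentication.taboola.com"
TOKEN_URL = "https://backstage.taboola.com/backstage/oauth/token"
CODE_TTL_SECONDS = 10 * 60  # the authorization code expires after 10 minutes


def build_authorize_url(client_id, redirect_uri):
    """Step 2: login URL the App redirects the user to (values URL-encoded)."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code"})
    return f"{AUTH_DOMAIN}/authentication/oauth/authorize/?{query}"


def extract_code(callback_url, redirect_uri):
    """Step 4: read the code from the callback, rejecting anything unexpected."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")
    # parse_qs drops blank values, so an empty code= is rejected as well
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def build_token_request(code, received_at, client_id, client_secret,
                        redirect_uri, now=None):
    """Step 5: URL, headers and form-encoded body for the token POST.

    Build and send this from the server only; it contains the client_secret.
    The expiry check is a local early exit; the server still enforces it.
    """
    now = time.time() if now is None else now
    if now - received_at >= CODE_TTL_SECONDS:
        raise ValueError("authorization code expired; restart the flow")
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "code": code, "redirect_uri": redirect_uri,
                      "grant_type": "authorization_code"})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body.encode("ascii")
```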