Redirects the user to Taboola for authentication.
Returns an Authorization Code that is used to obtain an Access Token and Refresh Token.
Within Taboola, this flow is reserved for special use cases only.
For more information, reach out via our online Community.
This flow is similar to the Implicit Flow (above), but involves an additional step:
- User clicks on Connect within your App.
- Your App redirects the user to a Taboola login page:
[authentication_domain]/authentication/oauth/authorize/?client_id=[client_id]&redirect_uri=[redirect_uri]&response_type=code
- Note:
authentication_domain
=https://authentication.taboola.com
You must register the
redirect_uri
with Taboola. Otherwise, the redirect will fail. For more information, reach out via our online Community.
- User logs in and authorizes your App.
- Taboola redirects the user back to your App, using the
redirect_uri
that you provided. Acode
query param is appended to the URL, containing the authorization code:[redirect_uri]?code=[authorization_code]
The authorization code has a 10-minute expiration period.
- Your App uses the authorization code to obtain an Access Token and Refresh Token from the
token
endpoint (not visible to the user):
POST /backstage/oauth/token
Host: https://backstage.taboola.com
Content-Type: application/x-www-form-urlencoded
?client_id=[client_id] &
client_secret=[client_secret] &
code=[authorization_code] &
redirect_uri=[redirect_uri] &
grant_type=authorization_code
<?php
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => "https://backstage.taboola.com/backstage/oauth/token",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 0,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => "code=ABCDEF123456&redirect_uri=https%3A//example.com/callback&client_id=abc123&grant_type=authorization_code&client_secret=123456",
CURLOPT_HTTPHEADER => array(
"Content-Type: application/x-www-form-urlencoded"
),
));
$response = curl_exec($curl);
curl_close($curl);
echo $response;
Use a POST verb with a
Content-Type
ofapplication/x-www-form-urlencoded
.
The response will look similar to the response of a Password Credentials request (above):
{
"access_token": "ab4Tk<saw\feaXcp53wF2ksasq12",
"refresh_token": "dkjsERT\fck37dSFD<skjw@sddso",
"token_type": "bearer",
"expires_in": 3600
}
A Refresh Token is returned.
Because it is more secure, this flow is preferred over Flow 3.