
Implicit based OAuth


**Requirements & Notes**

- Application must be of type **installed**.
- Should only be used in client side JavaScript applications.

Read the [OAuth Overview](doc:oauth-overview) for more information.

Unlike [Script based OAuth](doc:oauth-script), Implicit OAuth cannot authenticate using a username & password. The main difference is that the program must wait for a user of the application to authenticate with reddit and get back an authorization code before moving on.

## Initial Config

In the initial config, give Snoocore the OAuth settings for the application:

```javascript
var Snoocore = require('snoocore');

var reddit = new Snoocore({
  userAgent: 'test@documentation',
  oauth: {
    type: 'implicit', // required when using implicit OAuth
    mobile: true, // defaults to false.
    key: 'client_id from reddit', // Only requires the key! No secret needed.
    redirectUri: 'redirectUri set for your app',
    scope: [ 'flair', 'identity' ] // make sure to set all the scopes you need.
  }
});
```

#### `oauth.mobile`

Optional. Set `mobile` to true to send users to the mobile reddit website for authentication.

## Getting the authentication URL

```javascript
var state = 'foobar';
var authUrl = reddit.getAuthUrl(state);
```

For CSRF prevention, set a `state`. This field is optional. Read more on this below.

## Handling the response

After the user visits the URL that `reddit.getAuthUrl` generates, they will be presented with the option to allow or deny the app. After they allow (or deny) the application, reddit will redirect the user back to the given `redirectUri` (set in the initial config).

The following parameters appear after the hash (`#`) in the URL. It is possible to use `window.location.hash` to pull the values out:

 - **access_token** - The `accessToken` (used below).
 - **token_type** - The string "bearer".
 - **expires_in** - Seconds until the token expires.
 - **scope** - The scope of the token.
 - **state** - Should be the same string that was set in the `reddit.getAuthUrl` function (if it was set).

For CSRF prevention, check that the `state` in the URL parameters is the same as the `state` specified when generating the authentication URL in `reddit.getAuthUrl`.

## Authenticating with the returned code

Once the `accessToken` is pulled from the URL, authenticate with reddit and start making calls on behalf of a user.

```javascript
var ACCESS_TOKEN = '??'; /* url parameter "access_token", see above */
var RETURNED_STATE = '??'; /* url parameter "state", see above */

// Exit if the state given is invalid. This is an optional
// check, but is recommended if you set a state in
// `reddit.getAuthUrl`
if (RETURNED_STATE !== state) {
  console.error('State is not the same as the one set!');
  return;
}

// Authenticate with reddit by passing in the access_token from the response
reddit.auth(ACCESS_TOKEN).then(function() {
  return reddit('/api/v1/me').get();
}).then(function(data) {
  console.log(data); // Log the response
});
```

Snoocore is now successfully authenticated with OAuth.

## De-Authenticating

A function `reddit.deauth` is provided which will revoke the `access_token` for the currently authenticated user.

```javascript
var deauthPromise = reddit.deauth();
```

Generally it is a good idea to call this every time the application is finished using the user's data.

## Renewing authentication

Implicit auth does not have a refresh token. It is possible to listen for an event that will fire when the access token has expired (see [Events](doc:events)).

Once expired, the user will have to re-authenticate following the steps above.
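
The `state` check and fragment parsing described under "Handling the response", as an added example that is not part of Snoocore or the original page. It uses a random `state` per login instead of a fixed string, since a value that never changes gives no CSRF protection; the names `newState`, `readImplicitResponse`, `memoryStore` and `STATE_KEY` are hypothetical.

```javascript
// Added example, not Snoocore code. `store` is any object with the
// sessionStorage interface (getItem / setItem / removeItem).
const webcrypto = globalThis.crypto || require('crypto').webcrypto;
const STATE_KEY = 'oauth_state'; // hypothetical storage key

// Create an unpredictable state, remember it, and return it so it can be
// passed to reddit.getAuthUrl(state).
function newState(store) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
  store.setItem(STATE_KEY, state);
  return state;
}

// Parse the fragment appended to redirectUri (window.location.hash in a browser).
// Returns { accessToken, expiresIn, scope } or throws.
function readImplicitResponse(hash, store) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const expected = store.getItem(STATE_KEY);
  store.removeItem(STATE_KEY); // each state value is accepted for one redirect only
  if (!expected || params.get('state') !== expected) {
    throw new Error('State mismatch: this session did not start the request');
  }
  const type = (params.get('token_type') || '').toLowerCase();
  if (type !== 'bearer' || !params.get('access_token')) {
    // A redirect without a token, such as after the user denies the app, ends here.
    throw new Error('Response carries no bearer access_token');
  }
  return {
    accessToken: params.get('access_token'),
    expiresIn: Number(params.get('expires_in')),
    scope: (params.get('scope') || '').split(/[ ,]+/).filter(Boolean)
  };
}

// In-memory stand-in for sessionStorage so the example runs outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); }
  };
}
```

In a browser, pass `sessionStorage` as the store and `window.location.hash` as the fragment, then hand `accessToken` to `reddit.auth`. Clearing the fragment afterwards with `history.replaceState` keeps the token out of the address bar and session history.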