Authorization Code Grant Permissions Interface


1. Getting Authorization Code

Request URL: https://account.xiaomi.com/oauth2/authorize
Request Method: GET
Request Data:

name | required | type | description
client_id | yes | long | APP ID allocated when the app was registered
redirect_uri | yes | string | redirect URL for the request; must match the one registered for the APP ID (other parts of the request may differ)
response_type | yes | string | response type; fixed as response_type=code
scope | optional | string | permissions being requested; several may be requested at once, separated by spaces (see the scope permission list)
state | optional | string | opaque value that ties the callback to the request; it is returned unchanged to the third party after a successful request and is used to prevent CSRF attacks, so third parties are strongly recommended to use it
skip_confirm | optional | boolean | a signed-in user normally sees a page for switching accounts; if the app does not need this, add skip_confirm=true (Yellow Pages gateway should set it to true)
Response Data:

If the authorization request succeeds, the server redirects the user's browser to redirect_uri with code, state, etc. appended:

http://example.com/example?code=CODE&state=STATE

Response Data Details:

name | required | type | description
code | yes | string | authorization code used to obtain the access_token; single-use and valid for 5 minutes
state | optional | string | returned unchanged if it was passed in the request

If the authorization request fails, the server redirects the user's browser to redirect_uri with error, error_description, state, etc. appended:

http://example.com/example?error=ERROR&error_description=ERROR_DESCRIPTION&state=STATE

Response Data Details:

name | required | type | description
error | yes | int | error code (see the oauth error code list)
error_description | yes | string | short description of the error
state | optional | string | returned unchanged if it was passed in the request
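The following is an added example, not code from Xiaomi or this interface's documentation, showing the two client-side halves of step 1: building the authorize URL with a fresh random state, and checking that state on the callback before the code is used. The client_id and redirect_uri values are constructed placeholders, and the callback URLs in the usage block are constructed from the page's own placeholders.

```python
# Added example (not Xiaomi's code): build the authorize URL with a random
# state and validate the redirect back to redirect_uri. Client id and
# redirect URI values below are constructed placeholders.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://account.xiaomi.com/oauth2/authorize"


def build_authorize_url(client_id, redirect_uri, scope=None, skip_confirm=False):
    """Return (url, state).

    The state is a fresh random value; the caller must store it in the
    user's server-side session so the callback can be checked against it.
    """
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": str(client_id),
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    }
    if scope:
        # several scopes are separated by a single space
        params["scope"] = " ".join(scope)
    if skip_confirm:
        params["skip_confirm"] = "true"
    return AUTHORIZE_URL + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Validate the redirect the browser brought back.

    Returns {"code": ...} on success or {"error": ..., "error_description": ...}
    when the server reported a failure. Raises ValueError when the state does
    not match the one stored for this session (a CSRF attempt or a stale
    callback), in which case the code must not be exchanged.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    # constant-time compare; an empty or missing state never matches
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raw = query["error"][0]
        return {
            # the page documents error as an int; fall back to the raw text
            "error": int(raw) if raw.isdigit() else raw,
            "error_description": query.get("error_description", [""])[0],
        }
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return {"code": code}


if __name__ == "__main__":
    url, state = build_authorize_url(1234567890, "http://example.com/example", scope=["profile"])
    print(url)
    print(parse_callback("http://example.com/example?code=CODE&state=" + state, state))
```

The state must be generated per authorization attempt and kept server-side; a fixed or guessable state gives no CSRF protection, and a callback whose state does not match should be dropped without ever calling the token endpoint.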

2. Getting Access Token

Request URL: https://account.xiaomi.com/oauth2/token
Request Method: GET
Request Data:

name | required | type | description
client_id | yes | long | APP ID allocated when the app was registered
redirect_uri | yes | string | redirect URL for the request; must match the one registered for the APP ID (other parts of the request may differ)
client_secret | yes | string | APP Secret allocated when the app was registered
grant_type | yes | string | fixed as authorization_code
code | yes | string | authorization code obtained in the step above
Response Data:

If the request is accepted, the server returns a JSON string with the following fields:

  1. access_token: the access token being requested

  2. expires_in: validity period of the access token in seconds (see Access Token Life Cycle)

  3. refresh_token: refresh token; returned for all apps (valid for 10 years)

  4. scope: scope of the access token (see the scope permission list)

  5. mac_key: MAC key used to sign HTTP requests to the Open API; same validity period as the access token

  6. mac_algorithm: algorithm used for signing HTTP requests to the Open API; currently HmacSha1 is supported

  7. openId: the user's openId; the website or app can store it to recognise the user when they next sign in

&&&START&&& {
  "access_token": "access token value",
  "expires_in": 360000,
  "refresh_token": "refresh token value",
  "scope": "scope value",
  "token_type": "mac",
  "mac_key": "mac key value",
  "mac_algorithm": "HmacSha1",
  "openId": "2.0XXXXXXXXX"
}

NOTE: the &&&START&&& prefix is not part of the JSON and can simply be deleted before parsing, preferably via replace("&&&START&&&", "")

If the request is denied, the server returns a JSON string with the following fields:

  1. error: error code, an int (see the oauth error code list)

  2. error_description: text describing the error

&&&START&&&{
  "error": "error_code",
  "error_description": "error description"
}

NOTE: the &&&START&&& prefix is not part of the JSON and can simply be deleted before parsing, preferably via replace("&&&START&&&", "")
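The following is an added example, not code from Xiaomi or this interface's documentation, covering step 2: building the token request from the documented parameters and parsing both response shapes, including removal of the &&&START&&& prefix and a check that the returned mac_algorithm is the one the page documents. The credentials and response bodies are constructed from the page's placeholders. The page does not specify how mac_key is applied to Open API requests, so that signing step is not shown here.

```python
# Added example (not Xiaomi's code): build the token request and parse the
# response, handling the &&&START&&& prefix and the error shape. Placeholder
# credentials and response bodies used with it are constructed for the example.
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://account.xiaomi.com/oauth2/token"
JSON_PREFIX = "&&&START&&&"


class OAuthError(Exception):
    """Raised when the token endpoint returns the error shape."""

    def __init__(self, code, description):
        super().__init__(f"oauth error {code}: {description}")
        self.code = code
        self.description = description


def build_token_request(client_id, client_secret, redirect_uri, code):
    """Return the token endpoint URL with the documented query parameters.

    client_secret travels in the query string on this interface, so the
    request must only be sent server-to-server over HTTPS, never from the
    browser, and the URL must be kept out of access logs.
    """
    params = {
        "client_id": str(client_id),
        "redirect_uri": redirect_uri,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
    }
    return TOKEN_URL + "?" + urlencode(params)


def parse_token_response(body, now=None):
    """Parse the token endpoint body.

    Strips the &&&START&&& prefix, raises OAuthError for the error shape,
    checks that the fields the page lists are present, refuses an undocumented
    mac_algorithm, and adds an absolute expires_at so the caller knows when
    the access token (and mac_key) must be refreshed.
    """
    text = body.strip()
    if text.startswith(JSON_PREFIX):
        text = text[len(JSON_PREFIX):]
    data = json.loads(text)
    # tolerate stray whitespace around key names and values
    data = {k.strip(): v for k, v in data.items()}

    if "error" in data:
        raise OAuthError(data["error"], data.get("error_description", ""))

    required = ("access_token", "expires_in", "refresh_token", "scope",
                "mac_key", "mac_algorithm", "openId")
    missing = [k for k in required if k not in data]
    if missing:
        raise ValueError("token response missing fields: " + ", ".join(missing))

    algorithm = str(data["mac_algorithm"]).strip()
    if algorithm != "HmacSha1":
        # the only algorithm this interface documents; refuse anything else
        raise ValueError("unsupported mac_algorithm: " + algorithm)

    expires_in = int(data["expires_in"])
    issued = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data["refresh_token"],
        "scope": data["scope"],
        "mac_key": data["mac_key"],
        "mac_algorithm": algorithm,
        "open_id": data["openId"],
        "expires_in": expires_in,
        "expires_at": issued + expires_in,
    }


if __name__ == "__main__":
    print(build_token_request(1234567890, "APP_SECRET", "http://example.com/example", "CODE"))
    sample = ('&&&START&&& {"access_token": "access token value", "expires_in": 360000, '
              '"refresh_token": "refresh token value", "scope": "scope value", '
              '"token_type": "mac", "mac_key": "mac key value", '
              '"mac_algorithm": "HmacSha1", "openId": "2.0XXXXXXXXX"}')
    print(parse_token_response(sample))
```

Stripping the prefix only when it appears at the start is slightly stricter than a blanket replace and keeps a malformed body from being accepted by accident; treating an error body as an exception rather than a token keeps callers from storing a response that has no access_token.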