Dynamic authorization code grant allows you to initiate an authorization code grant flow by specifying login credentials using the login prompt for your REST service, thereby providing a method to authenticate without fetching access and refresh tokens via the Configuration Manager or third-party application. Similar to authorization code grant, dynamic authorization code grant is typically used for web and native applications. It also provides secure connections by requiring multiple points of authentication before permitting access to data.

When connecting with dynamic authorization code grant flow, the driver launches the login prompt for your service in a separate browser window. After you submit your user and password credentials via the prompt, the driver exchanges your login credentials and client credentials for the Authorization Code from the location specified by the Authorization URI option. The driver then navigates to the endpoint specified by the Token URI option to exchange the authorization code for the access and refresh tokens. Finally, the application is redirected to the location provided in the Redirect Option to begin the session.

After the grant flow is complete, the driver continues to use the access token and refresh tokens to access data resources for the lifetime of the ODBC connection or until both the access and refresh token expires, whichever occurs first. If both tokens expire while the connection is still active, the driver will launch the login prompt to reinitiate the flow.

Note: The dynamic authorization grant requires the manual submission of login credentials via the login prompt for your service; therefore, the driver does not support dynamic authorization grant in headless environments.
To use an dynamic authorization code grant:
  • Configure the minimum options required for a connection:
    • If you are using a Model file, set the REST Config File (RestConfigFile) option to provide the name and location of the Model file. For example, C:/path/to/box.rest.
    • If you are using the REST Sample Path method, set the REST Sample Path (RestSamplePath) option to specify the endpoint that you want to connect to and sample. For example, https://example.com/countries/.
  • Set the Authentication Method (AuthenticationMethod) option to 51 (OAuth2-Authorization Code).
    Note: To support existing configurations, the Authentication Method option will continue to support the 24 (OAuth2) value for the dynamic authorization code grant.
  • Set the Enable Login Prompt (EnableLoginPrompt) option to 1 (enabled). When Enable Login Prompt is enabled, the driver launches the login prompt for your service in a separate browser window to initiate the OAuth grant flow.
  • Set the SQL Engine Mode (SQLEngineMode) option to 2 (Direct). Note that this is the default setting for Windows.
    Note: The dynamic authorization code grant is supported only in Direct mode.
  • Set the Client ID (ClientID) option to specify the client ID key for your application.
  • Set the Client Secret (Client Secret) option to specify the client secret for your application.
    Important: The client secret is a confidential value used to authenticate the application to the server. To prevent unauthorized access, this value must be securely maintained.
  • Set the Authorization URI (AuthURI) option to specify the endpoint for obtaining an authorization code.
  • Set the Token URI (TokenURI) option to specify the endpoint used to exchange authentication credentials for access tokens.
    Note: By default, the connector prefixes the token URI endpoint with a GET request method. However, some OAuth implementations require that the token URI endpoint be passed with a POST request method. In this scenario, the token URI endpoint must be prefixed with POST when specifying the value of the TokenURI option. For example: TokenURI=POST https://example.com/oauth2/authorize/.
  • If required by your authentication flow, set the Redirect URI (RedirectURI) option to specify the endpoint that the client is returned to after authenticating with a third-party service. Note that the value of the Redirect URI (RedirectURI) option must include the port number. For example, RedirectURI=http://localhost:80 or RedirectURI=http://localhost:8080.
  • Optionally, specify values for a custom HTTP header to be used for authentication, such as those used in tenant ID authentication:
    • Set the Authentication Header (AuthHeader) option to specify the name of the HTTP header used for authentication.

    • Set the Security Token (SecurityToken) option to specify the value of the HTTP header named by the Authentication Header option.

    For example, if you have a header value of Authorization:1a2bc34def567, you would specify a values of AuthHeader=Authorization and SecurityToken=1a2bc34def567.

    Note: You can specify multiple custom HTTP headers using the #headers in the Model file. See "Requests with custom HTTP headers" for details.
  • Optionally, set the Scope (Scope) option to specify a space-separated list of OAuth scopes to limit the permissions granted by the access token.
  • Optionally, set the OAuth Client Credentials Mode (ClientCredentialsMode) option to determine how client credentials are sent in a request to obtain an access token . Configure this option for flows that require client credentials to be specified as only a basic authentication header or only as a URL parameter.
    • If set to 0 (Default), the client credentials are sent as a basic authentication header. This is the default setting.
    • If set to 1 (Basic), the client credentials are sent as a basic authentication header.
    • If set to 2 (Url), the client credentials are sent as a URL parameter.

    • If set to 3 (Post), the client credentials are sent in the body of a POST request.

  • Optionally, specify values for any additional options you want to configure. See "Connection option descriptions" for a complete list of options.

The following example demonstrates a basic session for a Box account using an dynamic authorization code grant:

Using a connection URL:

DRIVER=DataDirect 8.0 Autonomous REST Connector;AuthenticationMethod=51;
   AuthURI=https://api.box.com/oauth2/authorize;ClientID=abcdefghij1k2lmn3o4p5qr67s;
   ClientSecret=FaZBFRsGXTaR;EnableLoginPrompt=1;SQLEngineMode=2
   RedirectURI=https://localhost:80;RestConfigFile=C:/path/to/box.rest;
   SQLEngineMode=2;TokenURI=https://api.box.com/oauth2/token;

Using an odbc.ini file with a 32-bit driver: 

Driver=ODBCHOME/lib/ivautorestxx.so;
Description=My Autonomous REST Data Source
...
AuthenticationMethod=51
...
AuthURI=https://api.box.com/oauth2/authorize
...
ClientID=abcdefghij1k2lmn3o4p5qr67s
...
ClientSecret=FaZBFRsGXTaR;
...
EnableLoginPrompt=1
...
RedirectURI=https://localhost:80
...
RestConfigFile=C:/path/to/box.rest
...
SQLEngineMode=2;
...
TokenURI=https://api.box.com/oauth2/token
...