# Authorization Code Flow

This diagram shows the updated OAuth2 Authorization Code Flow for Basic and Economy/Business in one shared flow. The user is included as an actor because the user starts the flow via the login button, enters credentials, and grants consent if required.

```mermaid
sequenceDiagram
    participant U as User
    participant W as Customer Website / Login Button
    participant A as Authorization Endpoint
    participant C as Customer Backend / redirect_uri
    participant T as Token Endpoint
    participant D as User Data Endpoint
    U->>W: Opens protected content
    alt Basic section: authorization request without scope/state
        W->>A: User clicks the DocCheck Login button<br/>Authorization request with grant_type, response_type, client_id, redirect_uri
    else Economy/Business section: authorization request with optional scope/state
        W->>A: User clicks the DocCheck Login button<br/>Authorization request with grant_type, response_type, client_id, redirect_uri, optional scope and state
    end
    A->>U: Show login form
    U-->>A: Enter credentials
    A->>A: Validate credentials and profession
    opt Economy/Business section: consent required
        A->>U: Show consent form
        U-->>A: Grant or deny consent
    end
    alt Basic section: redirect with code only
        A-->>C: Redirect to redirect_uri with code
    else Economy/Business section: redirect with code and optional state
        A-->>C: Redirect to redirect_uri with code and optional state
        C->>C: Validate state if sent
    end
    C->>T: POST /token with grant_type, client_id, client_secret, code, redirect_uri
    T-->>C: access_token, expires_in, optional refresh_token
    alt Basic section: flow ends after access token
        C-->>W: Confirm authentication / control access
    else Economy/Business section: additional user data retrieval
        C->>D: GET /api/users/data with Bearer access_token
        D-->>C: Granted user data as JSON
        C-->>W: Create session / control access
        opt Economy/Business section: renew access token
            C->>T: POST /token with grant_type=refresh_token
            T-->>C: New access_token and refresh_token
        end
    end
```

# Basic specifics

  • No state possible.
  • No scope request possible.
  • No consent form possible.
  • No user data retrieval through the user data endpoint.
  • The flow ends after the authorization code has been successfully exchanged for an access token.

# Notes

  • The authorization code is passed to the redirect_uri after successful authentication.
  • The token exchange is performed server-side via POST /token.
  • In Basic, the access token only confirms successful DocCheck authentication; the Basic auth flow ends there.
  • With Economy/Business, scope and state can optionally be sent as early as the authorization request.
  • Requesting scopes can require a consent form.
  • The consent form can be skipped if the user has already granted consent for this client.
  • The user data endpoint can only be used with a valid access token, and only if license, requested scopes, and granted consent match.
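The customer-backend side of the flow above, written out as an added example (this is not DocCheck's SDK or any code from this page). It uses the parameter names and paths the page lists (grant_type, response_type, client_id, redirect_uri, scope, state, code, client_secret, refresh_token, POST /token, GET /api/users/data); the base URL, the `authorization_code` value for grant_type, the injected `post`/`get` transport callables and the `FakeAuthServer` stand-in are assumptions made so the example runs offline. The points it shows are the ones the notes make: the state is generated per session, stored server-side and compared on the redirect (Basic sends none, so that check is simply absent there); the code is exchanged server-side so client_secret never reaches the browser; the Basic flow stops after the token response, while Economy/Business goes on to the user data endpoint and the refresh grant.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Base URL is a placeholder (assumption); the page names only the paths /token and /api/users/data.
AUTHORIZE_URL = "https://auth.example.invalid/authorize"
TOKEN_URL = "https://auth.example.invalid/token"
USER_DATA_URL = "https://auth.example.invalid/api/users/data"

def build_authorization_request(session, client_id, redirect_uri, tier="basic", scope=None):
    """URL behind the login button: Basic sends no scope/state, Economy/Business may add
    scope and gets a random state kept in the user's server-side session for the redirect."""
    params = {"grant_type": "authorization_code",  # listed on the page; the value is assumed
              "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    if tier != "basic":
        if scope:
            params["scope"] = scope
        session["oauth_state"] = secrets.token_urlsafe(32)
        params["state"] = session["oauth_state"]
    return AUTHORIZE_URL + "?" + urlencode(params)

def handle_redirect(session, callback_url):
    """Read the code off the redirect; a state this session sent must come back identical."""
    query = parse_qs(urlparse(callback_url).query)
    if "code" not in query:
        raise ValueError("redirect without authorization code")
    expected = session.pop("oauth_state", None)  # pop: one state is valid for one redirect only
    if expected is not None:
        received = query.get("state", [""])[0]
        if not hmac.compare_digest(expected.encode(), received.encode()):
            raise ValueError("state mismatch: redirect was not started by this session")
    return query["code"][0]

def exchange_code(post, client_id, client_secret, code, redirect_uri):
    """Server-side POST /token; `post(url, form) -> dict` is an injected HTTP client (assumption)."""
    token = post(TOKEN_URL, {"grant_type": "authorization_code", "client_id": client_id,
                             "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri})
    if "access_token" not in token or "expires_in" not in token:
        raise ValueError("token response lacks access_token or expires_in")
    return token

def refresh_access_token(post, client_id, client_secret, refresh_token):
    """POST /token with grant_type=refresh_token (Economy/Business only)."""
    return post(TOKEN_URL, {"grant_type": "refresh_token", "client_id": client_id,
                            "client_secret": client_secret, "refresh_token": refresh_token})

def fetch_user_data(get, access_token):
    """GET /api/users/data with the access token as Bearer credential."""
    return get(USER_DATA_URL, {"Authorization": "Bearer " + access_token})


class FakeAuthServer:
    """Constructed offline stand-in for the authorization, token and user data endpoints; it enforces
    a single-use code bound to its redirect_uri, client_secret on /token, and a known Bearer token."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.codes, self.tokens = {}, {}  # code -> redirect_uri, access_token -> refresh_token

    def authorize(self, url):  # user enters credentials (and consents); redirect with code
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("client_id") != self.client_id or q.get("response_type") != "code":
            raise ValueError("malformed authorization request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["redirect_uri"]
        back = {"code": code, **({"state": q["state"]} if "state" in q else {})}  # state echoed as-is
        return q["redirect_uri"] + "?" + urlencode(back)

    def post(self, url, form):  # token endpoint
        if form.get("client_id") != self.client_id or form.get("client_secret") != self.client_secret:
            raise PermissionError("invalid client credentials")
        if form.get("grant_type") == "authorization_code":
            if self.codes.pop(form.get("code"), None) != form.get("redirect_uri"):
                raise PermissionError("unknown, already used or mis-bound code")
        elif form.get("grant_type") != "refresh_token" or form.get("refresh_token") not in self.tokens.values():
            raise PermissionError("unknown refresh token")
        tok = {"access_token": secrets.token_urlsafe(24), "expires_in": 3600,
               "refresh_token": secrets.token_urlsafe(24)}
        self.tokens[tok["access_token"]] = tok["refresh_token"]
        return tok

    def get(self, url, headers):  # user data endpoint
        scheme, _, tok = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or tok not in self.tokens:
            raise PermissionError("missing or unknown Bearer token")
        return {"user": "constructed-sample-data"}


def run_flow(tier):
    """Walk the diagram once for `tier`; returns (token, user_data), user_data is None for Basic."""
    cid, secret, cb = "client-123", "client-secret", "https://customer.example.invalid/callback"
    srv, session = FakeAuthServer(cid, secret), {}
    login_url = build_authorization_request(session, cid, cb, tier, scope=None if tier == "basic" else "profile")
    code = handle_redirect(session, srv.authorize(login_url))
    token = exchange_code(srv.post, cid, secret, code, cb)
    if tier == "basic":
        return token, None  # Basic: the token only confirms authentication; the flow ends here
    data = fetch_user_data(srv.get, token["access_token"])
    return refresh_access_token(srv.post, cid, secret, token["refresh_token"]), data
```

`run_flow("basic")` and `run_flow("business")` walk the two branches of the diagram end to end. Because `handle_redirect` pops the stored state, a second redirect carrying the same state is rejected, and a redirect that arrives with a missing or different state never reaches the token exchange; the fake server likewise refuses a code presented twice or with a different redirect_uri, which is the server-side counterpart of those checks.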