Request Service Account Authorization

Description #

In order to gain access to the calendars of a domain with an Enterprise Connect account it must be authorized by an administrator of that domain.

Example Request #

https://app.cronofy.com/enterprise_connect/oauth/authorize
    ?response_type=code
    &client_id={CLIENT_ID}
    &redirect_uri={REDIRECT_URI}
    &scope={SCOPE}
    &delegated_scope={DELEGATED_SCOPE}
    &state={STATE}

Note that the URL for this method differs from that used when authorizing an individual calendar account.

data_center_app_url required

The URL for the data center you want to communicate with. Possible choices are:

app-au.cronofy.com - 🇦🇺 Australia
app-ca.cronofy.com - 🇨🇦 Canada
app-de.cronofy.com - 🇩🇪 Germany
app-sg.cronofy.com - 🇸🇬 Singapore
app-uk.cronofy.com - 🇬🇧 United Kingdom
app.cronofy.com - 🇺🇸 United States

Find out more about Cronofy's data centers.

response_type required #

Must always be code as that is the only grant type supported by Cronofy.

client_id required #

The client_id issued to you by Cronofy to authenticate your OAuth Client. Authenticates you as a trusted client.

redirect_uri required #

The HTTP or HTTPS URI you wish the user’s authorization request decision to be redirected to.

In development this can be any value, but in production this has to be a pre-registered value. This helps us guard against phishing attacks by controlling where we return authorization codes to for your application.

We can only support wildcards in the host name for subdomains of domains under your control, eg:
https://*.example.com/auth/cronofy/callback

Otherwise, the URL must be static and we can support multiple values.

If your URL is dynamic, you should utilize the state parameter to pass variables. See our FAQ on using this to support dynamic values in your OAuth flow.

scope required #

The scope of the privileges you want the Enterprise Connect account to be granted. At least one of the following scopes must be requested:

service_account/accounts/manage to allow authorization of accounts
service_account/accounts/unrestricted_access to allow elevation of access for accounts
service_account/resources/manage to allow authorization of resources
service_account/resources/unrestricted_access to allow elevation of access for resources

Multiple scopes can be granted if separated with a space:

&scope=service_account/accounts/unrestricted_access service_account/resources/manage

delegated_scope required #

The scope of the privileges that can be granted when requesting access to users and resources. Examples include:

read_only
write_only
read_write
free_busy
free_busy_write

See the full scope list and documentation for more information.

state optional #

A value that will be returned to you unaltered along with the user’s authorization request decision.

The OAuth 2.0 RFC recommends using this to prevent cross-site request forgery.

Response URL parameters #

You will not receive a direct response to your authorization request, instead the administrator will be redirected to the redirect_uri with additional querystring parameters specified.

The responses are fully specified in section 4.1.2 of RFC 6749.

Successful response #

code #

A short-lived, single-use code to be used to make an Access Token Request.

Will always be 32 character String of ASCII characters.

state #

The value you passed for the state within the authorization request.

Error response #

error #

A single ASCII error code. The complete list is within section 4.1.2.1 of RFC 6749, these are the most commonly encountered:

access_denied the administrator declined your request
unsupported_response_type your request’s response_type was not code
invalid_scope no valid scopes were specified in your request’s scope