Authorization

Table of contents

  1. Authorization
    1. Step 1: SMART Discovery
    2. Step 2: Authorization Request

Step 1: SMART Discovery

Before generating an authorization URL, Safire fetches the server’s SMART configuration from /.well-known/smart-configuration. You can check server capabilities to confirm confidential symmetric support before proceeding.

def check_server_capabilities
  metadata = @client.server_metadata

  unless metadata.supports_symmetric_auth?
    raise 'Server does not support confidential symmetric clients'
  end

  auth_methods = metadata.token_endpoint_auth_methods_supported
  unless auth_methods.include?('client_secret_basic')
    raise 'Server does not support client_secret_basic'
  end

  render json: {
    supports_confidential_symmetric: true,
    auth_methods:                    auth_methods,
    supports_offline_access:         metadata.scopes_supported&.include?('offline_access')
  }
end

See SMART Discovery for the full field reference and validation rules.

Step 2: Authorization Request

Authorization URL generation is identical to the public client flow — Safire handles PKCE automatically.

def launch
  auth_data = @client.authorization_url

  session[:oauth_state]   = auth_data[:state]
  session[:code_verifier] = auth_data[:code_verifier]

  redirect_to auth_data[:auth_url], allow_other_host: true
end

The generated URL parameters are identical to the public client. The only difference surfaces at token exchange, where Safire adds the Authorization: Basic header.

Offline Access — Include offline_access in your scopes to obtain a refresh token for long-lived sessions.

POST-Based Authorization — If the server advertises authorize-post, pass method: :post to authorization_url. See POST-Based Authorization for details.

Next: Token Exchange & Refresh

Back to Top ↑

Copyright © 2025-2026 Safire Contributors. Licensed under Apache 2.0.

This site uses Just the Docs, a documentation theme for Jekyll.