By now I'm sure you've read the entire OAuth 2.0 spec, draft 26.
If you fell asleep while reading the spec, here's a summary of what you need to do to authenticate, along with the ShootProof-specific endpoints.
Note: ShootProof OAuth uses the authorization code grant type as well as refresh tokens.
https://auth.shootproof.com/oauth2/authorization/new
Params:
Make a request with the listed parameters and the user will be taken to a login page. Once successfully logged in, they will be returned to your redirect URL with a 'code' GET parameter. You will then exchange this temporary code for an access token.
https://auth.shootproof.com/oauth2/authorization/token
Params:
Ok status
{ stat : ok },
{ access_token : S0m3aCC3ssT0k3n },
{ refresh_token : S0m3r3fr3shT0k3n },
{ token_type : bearer },
{ expires_in : 1209600 }
Fail status
{ stat : fail },
{ code : invalid_request },
{ msg : Some error message }
Error codes per OAuth section 4.2.2.1 Error Response
Access tokens last 2 weeks, though it is a good idea to refresh before the access token expires.
https://auth.shootproof.com/oauth2/authorization/token
Params:
Ok status
{ stat : ok },
{ access_token : S0m3aNEWCC3ssT0k3n },
{ refresh_token : S0m3NEWr3fr3shT0k3n },
{ token_type : bearer },
{ expires_in : 1209600 }
Fail status
{ stat : fail },
{ code : invalid_request },
{ msg : Some error message }
You will be granted a new refresh_token AND access_token during refresh. It is also acceptable to refresh before you reach the expire time.
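An added example, not ShootProof's own code: a small token store that applies the token responses shown above, rotates both tokens on refresh, and reports when to refresh ahead of the two-week expiry. It assumes each response is one JSON object already parsed into a dict with the fields listed on this page; the class names and the one-day refresh margin are hypothetical.

```python
import time

REFRESH_MARGIN = 24 * 3600  # assumption: refresh one day before expiry

# Constructed sample responses, using the placeholder values from this page.
OK = {"stat": "ok", "access_token": "S0m3aCC3ssT0k3n",
      "refresh_token": "S0m3r3fr3shT0k3n", "token_type": "bearer",
      "expires_in": 1209600}
REFRESHED = {"stat": "ok", "access_token": "S0m3aNEWCC3ssT0k3n",
             "refresh_token": "S0m3NEWr3fr3shT0k3n", "token_type": "bearer",
             "expires_in": 1209600}
FAIL = {"stat": "fail", "code": "invalid_request", "msg": "Some error message"}


class TokenError(Exception):
    """Token endpoint answered with stat=fail."""
    def __init__(self, code, msg):
        super().__init__(f"{code}: {msg}")
        self.code = code


class TokenStore:
    """Hypothetical helper: holds the current token pair and its expiry."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def update(self, resp):
        """Apply a parsed response from the initial exchange or a refresh."""
        if resp.get("stat") != "ok":
            # Fail status: leave the stored pair untouched, surface the code.
            raise TokenError(resp.get("code", "unknown"), resp.get("msg", ""))
        missing = {"access_token", "refresh_token", "expires_in"} - resp.keys()
        if missing:
            raise ValueError(f"token response missing {sorted(missing)}")
        if str(resp.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type")
        # A refresh returns a new refresh_token too: replace both together so
        # the stored pair always matches the latest response.
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]
        self.expires_at = self.clock() + int(resp["expires_in"])

    def needs_refresh(self):
        """True with no token, or once inside the margin before expiry."""
        return (self.access_token is None
                or self.clock() >= self.expires_at - REFRESH_MARGIN)
```

Persist the pair only after update() returns, so a failed refresh never overwrites a refresh token that is still usable.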
The typical browser flow will redirect to your Redirect URI, in which case you will make a back-end request that exchanges the temporary auth code for an access/refresh token.
Optional Application Flow: In some cases, due to security sandbox issues, it is not possible to redirect back to your app. For this case, you can optionally pass the Redirect URI 'self' instead of your own redirect URI. Passing 'self' as the URI will load the temporary token in the browser with instructions to enter the code in your app. Your app will then take the code and do a back-end POST request to get the access_token/refresh_token. This is exactly how our own Desktop Uploader works, if you'd like to see an example.
If your application has a need to log a user out of ShootProof after completing API requests, you can deauthorize the access token with a request in the following format.
https://auth.shootproof.com/oauth2/authorization/remove?access_token=S0m3aCC3ssT0k3n