uphold / uphold-sdk-javascript

Uphold SDK for JavaScript
https://uphold.github.io/uphold-sdk-javascript
MIT License

Documentation not clear about usage of `sdk.authorize()` method #53

Open joepio opened 3 years ago

joepio commented 3 years ago

I'm trying to set up an app using the SDK, but I can't get my client to authorise.

Here's the relevant part of the docs that I fail to understand:

[screenshot of the relevant documentation section, taken 2021-03-29]

My question boils down to this: what do I put in the code argument?

This is my code:

    const sdk = new SDK({
      baseUrl: 'http://api-sandbox.uphold.com',
      clientId: this.configService.get<string>('UPHOLD_CLIENT_ID'),
      clientSecret: this.configService.get<string>('UPHOLD_CLIENT_SECRET'),
    });
    this.sdk = sdk;

    sdk
      // What do I insert here?
      .authorize('code')
      .then(() => sdk.getMe())
      .then((user) => {
        console.log('sdk', user);
      });

And the error that I get:

Unhandled rejection UnauthorizedError: unauthorized
    at createError (/Users/joep/dev/src/gitlab.com/ontola/cash-link/node_modules/@uphold/uphold-sdk-javascript/dist/core/utils/error-factory.js:20:14)
    at /Users/joep/dev/src/gitlab.com/ontola/cash-link/node_modules/@uphold/uphold-sdk-javascript/dist/node/services/request-client.js:31:167
    at tryCatcher (/Users/joep/dev/src/gitlab.com/ontola/cash-link/node_modules/bluebird/js/release/util.js:16:23)
    at Promise._settlePromiseFromHandler (/Users/joep/dev/src/gitlab.com/ontola/cash-link/node_modules/bluebird/js/release/promise.js:547:31)
    at Promise._settlePromise (/Users/joep/dev/src/gitlab.com/ontola/cash-link/node_modules/bluebird/js/release/promise.js:604:18)
    at Promise._settlePromise0 (/Users/joep/dev/src/gitlab.com/ontola/cash-link/node_modules/bluebird/js/release/promise.js:649:10)
    at Promise._settlePromises (/Users/joep/dev/src/gitlab.com/ontola/cash-link/node_modules/bluebird/js/release/promise.js:725:18)
    at _drainQueueStep (/Users/joep/dev/src/gitlab.com/ontola/cash-link/node_modules/bluebird/js/release/async.js:93:12)
    at _drainQueue (/Users/joep/dev/src/gitlab.com/ontola/cash-link/node_modules/bluebird/js/release/async.js:86:9)
    at Async._drainQueues (/Users/joep/dev/src/gitlab.com/ontola/cash-link/node_modules/bluebird/js/release/async.js:102:5)
    at Immediate.Async.drainQueues (/Users/joep/dev/src/gitlab.com/ontola/cash-link/node_modules/bluebird/js/release/async.js:15:14)
    at processImmediate (node:internal/timers:463:21)

Suggestions

Maybe I'm just missing something trivial, or this step is actually very simple and I'm just lacking some basic knowledge, but otherwise:

Versions

Node v15.3.0, SDK 2.4.0

waldyrious commented 3 years ago

Hi @joepio — thanks for raising the issue. Indeed the documentation could be clarified. However, it seems to me that what's amiss here is background about the OAuth authorization code flow, which is not specific to this SDK. Please take a look at https://oauth.net/2/grant-types/authorization-code/ — the resources linked at the bottom of that page, in particular, offer a step-by-step overview of how it works.

As described in those pages, the authorization code needs to be obtained via a manual process that can't be automated in code — which is a security feature: it ensures the user is shown a permissions screen to agree to, just like when you use your Google credentials to register a new account on a third-party website.

Please check our API documentation which explains how this process works in Uphold (note that it doesn't provide in-depth documentation about how OAuth works in general). You may also find it useful to check our runnable sample code for this flow.

Let me know if that helps!

joepio commented 3 years ago

Thanks for the help, @waldyrious !

I'm a bit confused about using the Authorization flow, as I understood that (as a business API user) I should use the Client-Credentials flow over the Web Application flow. I've succeeded in getting a token using the Client-Credentials flow, but I don't know how to deal with the Authorization flow.

Can I use the obtained token in the SDK? The .setToken() method seems to require a refresh_token, too, which I didn't get using the Client-Credentials flow.

It seems to me that the SDK is primarily designed for the Web Application flow, and not for the Client Credentials flow. Is that correct?