OAuth Migration Guide
This guide is to help external developers to migrate their app from the legacy OAuth proxy (https://api.getgo.com/oauth/) to the new OAuth proxy (https://api.getgo.com/oauth/v2/) which is fully compliant to the OAuth Standard (RFC 6749). Since many things changed, but the proxy is now fully OAuth V2 compliant, external 3rd party libraries for handling the access and refresh tokens can now be used.
Differences between Legacy and new RFC 6749 compliant OAuth Proxy
Legacy OAuth Proxy
https://api.getgo.com/oauth/
/authorize calls
Opening the URL https://api.getgo.com/oauth/authorize?client_id={consumerKey} in a web browser was already sufficient to start the Authentication Flow. A redirect_uri or state parameter could be given.
/access_token calls
Common Changes in the Request - Making a GET or POST request to https://api.getgo.com/oauth/access_token with the parameters or POST data grant_type={authorization_code|password|refresh_token}&client_id={consumerKey}&... will retrieve an access token and refresh token.
Common Changes in the Response - The response of a call to https://api.getgo.com/oauth/access_token was looking like:
{
"access_token": "o4yGgdsjaklfjdsklfadiygQ9",
"expires_in": "30758399",
"refresh_token": "9i4fdasfdsfdsfdsavnUbDw1",
"organizer_key": "1252383132521359990",
"account_key": "3792314532151329654",
"account_type": "",
"firstName": "Jon",
"lastName": "Karmak",
"email": "jk@example.com",
"platform": "GLOBAL",
"version": "2"
}
Access token request
Making a GET or POST request to https://api.getgo.com/oauth/access_token with the parameters or POST data grant_type=authorization_code&code={responseKey}&client_id={consumerKey} will retrieve an access token and refresh token.
Direct login
Note: This action is only available for legacy clients.
Making a GET or POST request to https://api.getgo.com/oauth/access_token with the parameters or POST data grant_type=password&user_id={username}&password={password}&client_id={consumerKey} will retrieve an access token and refresh token.
Refresh Token
Making a GET or POST request to https://api.getgo.com/oauth/access_token with the parameters or POST data grant_type=refresh_token&refresh_token={refresh_token}&client_id={consumerKey} will retrieve a new access token and refresh token.
Changes in New OAuth v2 Proxy
https://api.getgo.com/oauth/v2/
/authorize calls
The additional response_type=code parameter is required and needs to be added to the request:
https://api.getgo.com/oauth/v2/authorize?response_type=code&client_id={consumerKey}&state={state}
Hint: It is recommended to use the state parameter to prevent cross-site request forgery as described in the RFC-6749 Section 4.1.1.
/access_token calls
Common Changes in the Request - The proxy endpoint changed from /access_token to just /token:
https://api.getgo.com/oauth/v2/token
Only POST is supported and no GET. When switching from a GET to a POST request the POST content is urlencoded, you need the following header to set the correct content type:
"Content-Type: application/x-www-form-urlencoded"
This header replaces the previous header:
"Content-Type: application/json"
The POST body has to look like:
grant_type=authorization_code&code={responseKey}
This body replaces the query parameter used before. The client_id is no longer been given as a parameter. Instead, it has to be given as base64 encoded Authorization header, together with the client_secret:
curl -X POST \
'https://api.getgo.com/oauth/v2/token' \
-H 'Authorization: Basic {Base64 Encoded client_id and client_secret}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=authorization_code&code={responseKey}'
This authentication header is gathered by base64-encoding the string "{clientid}:{clientsecret}", e.g. via an online tool (like https://www.base64encode.org/) or by calling the btoa method in JavaScript.
Common Changes in the Response - The response of a call to https://api.getgo.com/oauth/v2/token is looking like:
{
"access_token": "o4yGgdsjaklfjdsklfadiygQ9",
"token_type": "Bearer",
"refresh_token": "9i4fdasfdsfdsfdsavnUbDw1",
"expires_in": 3600,
"account_key": "3792882212321659654",
"account_type": "",
"email": "jk@example.com",
"firstName": "Jon",
"lastName": "Karmak",
"organizer_key": "18889842069694200",
"version": "3"
}
The deprecated property platform is no longer there. The new variable token_type is there and set to "Bearer". The type of the expires_in is no longer a string. It is now an integer value. The expires_in parameter will be set to 3600 seconds. That means, that such an access token will only be valid for one hour and needs to be refreshed (by using the refresh token) in order to make further API calls. And version is now set to "3"
Access Token Request
All the common request and response changes above.
The redirect_uri parameter is (only) required, when it has been given in the /authorize call above. In this case, its value must match with what has been given in the /authorize call.
If it hasn't been given in the /authorize call, it will be ignored.
curl -X POST \
'https://api.getgo.com/oauth/v2/token' \
-H 'Authorization: Basic {Base64 Encoded client_id and client_secret}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=authorization_code&code={responseKey}'
Direct Login (Deprecated)
This authentication API is now deprecated. All new clients will not be able to use this API. If you have a client for which the direct login works, that will continue to work for now.
All the common request and response changes above.
The user_id parameter changed to username.
curl -X POST \
'https://api.getgo.com/oauth/v2/token' \
-H 'Authorization: Basic {Base64 Encoded client_id and client_secret}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=password&username={username}&password={password}'
Refresh Token
All the common request and response changes above.
curl -X POST \
'https://api.getgo.com/oauth/v2/token' \
-H 'Authorization: Basic {Base64 Encoded client_id and client_secret}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token&refresh_token={refresh_token}'
- How much do the LogMeIn APIs cost?
- How do I get started?
- How do I get support for the APIs?
- Can I access more than one product API?
- What are the rate limits for the APIs?
- How to login or create a developer account
- How to create an OAuth client
- How to obtain an access token
- How to obtain and use refresh tokens
- How to use Postman API collections
- GoToWebinar webhooks
- How to use GoToWebinar webhooks
- How to use GoToConnect API to fetch Account Users and Lines
- Date and time conventions
- Paging, Sorting & Filtering Output
- OAuth Migration Guide
- Direct Login Migration
- Migrating from GoToConnect to LogMeIn Authentication API
- Introduction
- Java SDK
- .NET SDK
- SDK License Agreement