OAuth2

Overview

This document explains how web server applications use Olist OAuth 2.0 endpoints to implement OAuth 2.0 authorization to access Olist APIs. You will need to follow the steps below in order to authenticate and use our API:

Open Olist's authorization screen;
Confirm anti-forgery state token;
Exchange code for ID token;
Check authenticated user;
Refreshing a token (whent id token expires);

WIth the ID token you will be able to make request to our API.

Open Olist's Authorization Screen

After obtaining your sandbox credentials, the first step is to open the Olist's authorization screen. In that screen, the seller will inform his email and password and allow your application. You will need to form a GET HTTPS request with the following parameters.

client_id: The client_id informed in the registration;
email: The email generated in the registration;
response_type: Should be code.
redirect_uri: Must be the HTTP endpoint on your server that will receive the response from Olist.
scope: Should be openid email profile.
state: Should include the value of the anti-forgery unique session token, as well as any other information needed to recover the context when the user returns to your application, e.g., the starting URL.

Your URL will look like the example below:

https://auth-engine.olist.com/realms/3rd-party-sandbox/protocol/openid-connect/auth?client_id=fake_client_id&email=fake_client_id@partners-sandbox-api.olist.com&response_type=code&redirect_uri=http://localhost:8001/event&scope=openid%20email%20profile&state=TOPSECRET123

Users are required to give consent if your app requests any new information about them, or if your app requests account access that they have not previously approved.

Production Endpoint

You should retrieve the base URI from https://id.olist.com/openid/.well-known/openid-configuration/ using the key authorization_endpoint.

Confirm anti-forgery state token

The response is sent to the redirect_uri that you specified in the request. All responses are returned in the query string, as shown below:

http://localhost:8001/event?code=b0eae53a501449dfbf560d5603aafefc&state=TOPSECRET123

On the server, you must confirm that the state received from Olist matches the session token you created in the previous step. This round-trip verification helps to ensure that the user, not a malicious script, is making the request.

Exchange code for access token and ID token

The response includes a code parameter, an one-time authorization code that your server can exchange for an access token and ID token. Your server can make this exchange by sending an HTTPS POST request with the following parameters:

code: The authorization code that is returned from the authorization request;
client_id: The client_id informed in the registration;
client_secret: The client_secret obtained in the registration;
redirect_uri: Must be the HTTP endpoint on your server that will receive the response from Olist.
grant_type: Should be authorization_code.

curl --location 'https://auth-engine.olist.com/realms/3rd-party-sandbox/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization;' \
--data-urlencode 'code=0ec4918c-d2a9-4551-a0ad-9e1a686c8b08.73c28705-9985-45d4-aeb6-e80f92aa44bf.ea01e8b5-e913-45dc-84e3-14e16786a1c2' \
--data-urlencode 'client_id=fake_client_id' \
--data-urlencode 'client_secret=ne3FW89fj349N3IoJHtUSbuyk8N9nRZB' \
--data-urlencode 'redirect_uri=http://localhost:8001/event' \
--data-urlencode 'grant_type=authorization_code'

A successful response to this request contains the following fields in a JSON array:

access_token: A token that can be sent to a Olist API (Not supported).
id_token: A JWT that contains identity information about the user that is digitally signed by Olist (Only one supported).
expires_in: The remaining lifetime (in seconds) of the access token.
token_type: Identifies the type of token returned. At this time, this field always has the value bearer.
refresh_token: Refresh token.

Production Endpoint

You should retrieve the base URI from https://id.olist.com/openid/.well-known/openid-configuration/ using the key token_endpoint.

Check Authenticated User

After obtaining user information from the ID token, you should query your app's user database. Make a GET HTTP request to the partners app. If the user already exists in your database, you should start an application session for that user.

curl --location 'https://partners-sandbox-api.olist.com/v1/sellers/' \
--header 'Accept: application/json' \
--header 'Authorization: JWT {id_token}'

And this is the response example:

{
    "count":1,
    "next":null,
    "previous":null,
    "results":[
        {
            "cnpj":"12345678912345",
            "company_name":"",
            "cpf":"",
            "email":"test@olist.com",
            "id":"23da1das-fee1-40ea-9ed2-asdsa65146sd",
            "mobile_phone":"",
            "name":"Olist Teste",
            "phone":""
        }
    ]
}

Refresh Token

Access tokens periodically expire. You can refresh an access token without prompting the user for permission (including when the user is not present).

To refresh an access token, your application sends an HTTPS POST request to Olist's authorization server that includes the following parameters:

refresh_token: The refresh token returned from the authorization code exchange.
client_id: The client ID obtained from the API Console.
client_secret: The client secret obtained from the API Console.
grant_type: As defined in the OAuth 2.0 specification, this field must contain a value of refresh_token.

curl --location 'https://auth-engine.olist.com/realms/3rd-party-sandbox/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: JWT eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZel90TVpiXzdOd2NMZVVaT0tYc2NRdW8wUE4zN0JvYkNONjhFdE80WVFzIn0.eyJleHAiOjE3MzY2MjU3MzUsImlhdCI6MTczNjUzOTMzNSwiYXV0aF90aW1lIjoxNzM2NTM5MjkxLCJqdGkiOiI0NjYwZDQxZS1kOTRiLTRlZmItOTMzZS1iM2U3OWVmNGMwYjciLCJpc3MiOiJodHRwczovL2F1dGgtZW5naW5lLm9saXN0LmNvbS9yZWFsbXMvM3JkLXBhcnR5LXNhbmRib3giLCJhdWQiOiJkZXZlbG9wZXJzIiwic3ViIjoiMDYzYTlkYzctZGU5MC00N2NmLWFiZGUtMWRhMTc0MTMwY2RhIiwidHlwIjoiSUQiLCJhenAiOiJkZXZlbG9wZXJzIiwic2Vzc2lvbl9zdGF0ZSI6IjllNTViNTJjLTQyYTItNGM0My05NmEyLWFkOWFlMDk1Zjg0MSIsImF0X2hhc2giOiJjc2NLQnFvUjFOaXJhSlM0UWcyaEpRIiwiYWNyIjoiMSIsInNpZCI6IjllNTViNTJjLTQyYTItNGM0My05NmEyLWFkOWFlMDk1Zjg0MSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkZXZlbG9wZXJzIiwiZW1haWwiOiJkZXZlbG9wZXJzQHBhcnRuZXJzLXNhbmRib3gtYXBpLm9saXN0LmNvbSJ9.IRrfJZkPibdOs8hatzKVwIMPcTzNB6yfL1sHoHEgmkMtdA_EUoF4d0roimwJRcdvTz1hqRYs6k-yUDGIEuV5HVafKri7ESH_1j5ih2NBmzO-MrwSb3DI1_Kadq3-yrrdWOPI2OtZOa0zWNc826JrFcDlpujhcThn_BrGJPCLzUYG1ekROduUIc3T-ZUGrJYu5_3F46657vvP16hRAHiLHXLaov1gwlF4DaYgxy9yTy5o4Gq1Nv39gMu94Rn8JYfehBgnn_s0K_Cp3zCrUXI9yd_XDwwHr-hGGw0AIx3bajVC53zV2-U5xuqlFC920F_HNVR_oD9nEJS-YU4MvHFhDQ' \
--data-urlencode 'client_id=developers' \
--data-urlencode 'client_secret=ne3FWWZRXCitN3IoJHtUSbuyk8N9nRZB' \
--data-urlencode 'refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxMDJhOWViMy00YTQ5LTQxM2QtOTNjMy00ZmM2YjU2MTk3YWQifQ.eyJleHAiOjE3MzcxNDQwOTEsImlhdCI6MTczNjUzOTMzNSwianRpIjoiMzEzM2U2YWEtM2QxMy00YmI4LWFhYWItMGY4MzY0ZGQ5NjczIiwiaXNzIjoiaHR0cHM6Ly9hdXRoLWVuZ2luZS5vbGlzdC5jb20vcmVhbG1zLzNyZC1wYXJ0eS1zYW5kYm94IiwiYXVkIjoiaHR0cHM6Ly9hdXRoLWVuZ2luZS5vbGlzdC5jb20vcmVhbG1zLzNyZC1wYXJ0eS1zYW5kYm94Iiwic3ViIjoiMDYzYTlkYzctZGU5MC00N2NmLWFiZGUtMWRhMTc0MTMwY2RhIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImRldmVsb3BlcnMiLCJzZXNzaW9uX3N0YXRlIjoiOWU1NWI1MmMtNDJhMi00YzQzLTk2YTItYWQ5YWUwOTVmODQxIiwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsInNpZCI6IjllNTViNTJjLTQyYTItNGM0My05NmEyLWFkOWFlMDk1Zjg0MSJ9.yvi5KW3Nh9gki0n9_XMriH4vxxhEa0fw31lvKn5Gpag' \
--data-urlencode 'grant_type=refresh_token'

And this is the response example:

{
	"access_token": "4ffad88b774b42ec8026e9fc..",
	"refresh_token": "0f0111f2e7c64a00ad43492f2...",
	"token_type": "bearer",
	"expires_in": 86400,
	"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6..."
}

What's Next

Homologation Seller Informations Creating a Product Listing Orders