# Service Account OAuth Flow

Aurinko provides multiple Unified OAuth Flows backed by providers’ OAuth2 (e.g. Google, Office 365, Zoho Mail, Salesforce, HubSpot, SugarCRM) or by secure password-based authentication (e.g. MS Exchange, IMAP accounts).

## Service Account OAuth Flow

***

This flow is for gaining admin/app-level access, usually requiring a Google/Office 365 admin authorization. See the following instructions related to service accounts: [Service accounts](https://docs.aurinko.io/authentication/service-accounts), [Setting up G Suite service account](http://helpdocs.yoxel.com/salesforce/setting-up-g-suite-service-account), and [Setting up Office 365 daemon app registration](https://docs.aurinko.io/authentication/service-accounts/setting-up-office-365-daemon-app-registration).

The flow produces an Aurinko <mark style="color:red;">`service account`</mark> and an access token.

Some key terms you'll encounter while integrating with Aurinko's OAuth2 flow:

#### **Final Callback URL (returnUrl)**

The final callback URL, also known as <mark style="color:red;">`returnUrl`</mark>, is the URL provided by your application and specified when calling the <mark style="color:red;">`/authorize`</mark> API method within Aurinko. This is where Aurinko will redirect the user after successful authorization. It's crucial to register this URL within the Aurinko settings for your application.

#### Intermediate Redirect URL

The intermediate redirect URL is a temporary landing page used during the OAuth2 flow. By default, Aurinko uses <mark style="color:red;">`https://api.aurinko.io/v1/auth/callback`</mark> for this purpose. However, developers have the flexibility to customize this URL within the Aurinko settings for their application.

The following diagram shows a custom OAuth flow with your own intermediate redirect URL.

<figure><img src="https://3933352743-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0ua36KLVlbUN5bA2bgiq%2Fuploads%2FXza4jMOfFbd7cR60UbWt%2Fimage.png?alt=media&#x26;token=1c642f17-a7bb-4677-9d07-8f7019faa8ad" alt=""><figcaption></figcaption></figure>

1. **Authorization request**

From your application, redirect users to <mark style="color:red;">`https://api.aurinko.io/v1/auth/authorizeDaemon`</mark>, with the query parameters detailed in [/auth/authorizeDaemon](https://apirefs.aurinko.io/#tag/Auth/operation/authorizeDaemon). You'll have to set <mark style="color:red;">`responseType=code`</mark>.

You'll also need to determine what permissions your application will request from users, and update the <mark style="color:red;">`scopes`</mark> query parameter accordingly. Aurinko provides granular authentication scopes that empower users with control over what level of access your application has to their data. See supported [Authentication scopes](https://docs.aurinko.io/authentication/authentication-scopes) for details.

Here's an example of what this URL might look like once you've included all the correct query parameters:

```
https://api.aurinko.io/v1/auth/authorizeDaemon?clientId={appClientId}
    &serviceType=Google
    &scopes=Mail.Read%20Mail.Send
    &responseType=code
    &returnUrl=...
    &state={myCustomState}
```

***Redirect URI: Redirect page vs. Custom domain alias***

If your Microsoft app registration requires redirect URIs to be under a domain you own, Aurinko's default Redirect URI <https://api.aurinko.io/v1/auth/callback> may not work for you in production.

<div data-full-width="true"><figure><img src="https://3933352743-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0ua36KLVlbUN5bA2bgiq%2Fuploads%2Fgn5rJlaiSaXP99oUQgz6%2Fimage.png?alt=media&#x26;token=f6297fb6-ad96-4c75-b66f-e0cec10c5c9c" alt=""><figcaption></figcaption></figure></div>

You have two options:

* Contact us about provisioning a domain alias for your Aurinko app so you can use a URL like <mark style="color:red;">`https://aurinko.mydomain/v1/auth/callback`</mark>.
* Create your **intermediate redirect** page to use for redirecting all calls to Aurinko's <mark style="color:red;">`https://api.aurinko.io/v1/auth/callback`</mark> with the URL parameters <mark style="color:red;">`state`</mark>, <mark style="color:red;">`code`</mark>, and <mark style="color:red;">`scope`</mark>. See the corresponding OAuth flow in the following diagram:

<figure><img src="https://3933352743-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0ua36KLVlbUN5bA2bgiq%2Fuploads%2FyONhydXgh8BGx7h3QRCe%2FSlide%2016_9%20-%204.jpg?alt=media&#x26;token=cf718678-02f2-45f7-967e-7807782b3d4b" alt=""><figcaption></figcaption></figure>
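A minimal intermediate redirect page of the kind described in the second option, as an added example that is not Aurinko's code: it accepts the provider's callback on your own domain, copies only the `state`, `code` and `scope` parameters named above onto a redirect to Aurinko's `https://api.aurinko.io/v1/auth/callback`, refuses to redirect when `code` or `state` is missing, and keeps the authorization code out of its access log. The listen address, the 400 response and the fixed parameter list are choices made for this example, not Aurinko requirements.

```python
"""Intermediate redirect page on your own domain that forwards the
provider's callback to Aurinko. Added example, not Aurinko's code."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AURINKO_CALLBACK = "https://api.aurinko.io/v1/auth/callback"
# The only query parameters copied onto the redirect (the three the flow needs).
FORWARDED_PARAMS = ("state", "code", "scope")


def build_forward_location(query_string: str) -> Optional[str]:
    """Return the Aurinko callback URL carrying state/code/scope, or None when
    code or state is missing so the caller answers 400 instead of redirecting."""
    params = parse_qs(query_string)
    forwarded = {name: params[name][0] for name in FORWARDED_PARAMS if params.get(name)}
    if "code" not in forwarded or "state" not in forwarded:
        return None
    return f"{AURINKO_CALLBACK}?{urlencode(forwarded)}"


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        location = build_forward_location(urlsplit(self.path).query)
        if location is None:
            self.send_response(400)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"missing code or state\n")
            return
        self.send_response(302)
        self.send_header("Location", location)
        self.send_header("Cache-Control", "no-store")  # a code must never be cached
        self.end_headers()

    def log_message(self, fmt, *args):
        # The default logger writes the request line, code included, to stderr.
        pass


if __name__ == "__main__":
    # Assumed local listen address; in production serve this over TLS on the
    # domain registered as the redirect URI in your Microsoft app registration.
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

Because the handler only ever redirects to the fixed Aurinko callback and only copies three known parameters, it cannot be turned into an open redirect and does not pass along anything else the provider appended to the query.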

2. **User Consent**

Aurinko will present your user with the correct sign-in form based on the requested service type (Google, Office365, EWS). For Exchange users, the user has to enter a login name and an Exchange server URL.

3. **Getting the token**

Once the user has signed in and authorized your app's access, their browser will be redirected to the <mark style="color:red;">`returnUrl`</mark> you provided.

* **Authorization Code Grant** (<mark style="color:red;">`responseType=code`</mark>)

  If your authentication was successful, Aurinko will include the `code` parameter in the query string.

  *Example redirect URL*: <mark style="color:red;">`https://your-app.com/callback?code={code}&state={state}&status=success`</mark>

  Make an HTTP POST call to <mark style="color:red;">`https://api.aurinko.io/v1/auth/token/{code}`</mark> to exchange the <mark style="color:red;">`code`</mark> for an <mark style="color:red;">`access_token`</mark>.

```bash
curl -u ClientId:Secret -X POST https://api.aurinko.io/v1/auth/token/{code}
```

*Response:*

```json
{
    "accountId": 123,
    "accessToken": "aurinko-account-token"
}
```

See [/auth/token](https://apirefs.aurinko.io/#tag/Auth/operation/getAccessTokenByCode) for details. Make sure to securely store the <mark style="color:red;">`accessToken`</mark> and provide it as the <mark style="color:red;">`HTTP Bearer Auth`</mark> token to make API calls on behalf of the account (see [Authentication](https://apirefs.aurinko.io/#section/Authentication) details).
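The three steps above put together, as an added Python example that is not Aurinko's SDK. The `/auth/authorizeDaemon` and `/auth/token/{code}` endpoints, the `clientId`, `serviceType`, `scopes`, `responseType`, `returnUrl` and `state` parameters, the `status=success` callback, the Basic-auth code exchange and the `accountId`/`accessToken` response fields are taken from this page. The in-memory set of pending `state` values, the injectable `post` transport, and the offline `fake_post` with its constructed token response are assumptions made for the example. The `state` value is generated with `secrets`, so a callback is accepted only if it carries a value this server issued, and each value is consumed on first use.

```python
"""Service-account OAuth flow client: build the authorizeDaemon URL, validate
the callback at returnUrl, exchange the code for an access token.
Added example; not Aurinko's SDK."""
import base64
import json
import secrets
from typing import Dict, List
from urllib.parse import parse_qs, quote, urlencode, urlsplit
from urllib.request import Request, urlopen

AURINKO = "https://api.aurinko.io/v1"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """The credentials `curl -u ClientId:Secret` sends, as a header value."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def http_post_json(url: str, headers: Dict[str, str]) -> dict:
    """Real transport: POST with an empty body, parse the JSON reply."""
    req = Request(url, method="POST", headers=headers)
    with urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class ServiceAccountAuth:
    def __init__(self, client_id, client_secret, return_url, post=http_post_json):
        self.client_id = client_id
        self.client_secret = client_secret
        self.return_url = return_url
        self._post = post
        # Assumed store: state values issued but not yet redeemed. A real app
        # keeps this in the server-side session of the admin who started the flow.
        self._pending_states = set()

    def authorize_url(self, service_type: str, scopes: List[str]):
        """Step 1: the URL to redirect the admin to. Returns (url, state)."""
        state = secrets.token_urlsafe(32)  # unguessable and single use
        self._pending_states.add(state)
        query = {
            "clientId": self.client_id,
            "serviceType": service_type,
            "scopes": " ".join(scopes),  # encoded as Mail.Read%20Mail.Send
            "responseType": "code",
            "returnUrl": self.return_url,
            "state": state,
        }
        return f"{AURINKO}/auth/authorizeDaemon?{urlencode(query, quote_via=quote)}", state

    def handle_callback(self, callback_url: str) -> dict:
        """Step 3: validate the redirect to returnUrl, then redeem the code."""
        params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
        state = params.get("state")
        if state not in self._pending_states:
            raise ValueError("callback carries a state this server did not issue")
        self._pending_states.discard(state)  # one callback per state
        if params.get("status") != "success" or not params.get("code"):
            raise ValueError(f"authorization not successful: status={params.get('status')!r}")
        return self.exchange_code(params["code"])

    def exchange_code(self, code: str) -> dict:
        """POST /auth/token/{code} with the client credentials as Basic auth."""
        url = f"{AURINKO}/auth/token/{quote(code, safe='')}"
        headers = {"Authorization": basic_auth_header(self.client_id, self.client_secret)}
        body = self._post(url, headers)
        if "accountId" not in body or "accessToken" not in body:
            raise ValueError("token response lacks accountId/accessToken")
        # Store accessToken server-side; it is the Bearer token for later API calls.
        return {"accountId": body["accountId"], "accessToken": body["accessToken"]}


def callback_accepted(auth: ServiceAccountAuth, callback_url: str) -> bool:
    """True if the callback validated and its code was redeemed."""
    try:
        auth.handle_callback(callback_url)
        return True
    except ValueError:
        return False


def fake_post(url: str, headers: Dict[str, str]) -> dict:
    """Constructed offline transport standing in for api.aurinko.io."""
    assert url.startswith(f"{AURINKO}/auth/token/") and headers["Authorization"].startswith("Basic ")
    return {"accountId": 123, "accessToken": "aurinko-account-token"}  # constructed reply


def run_offline_demo() -> dict:
    """Whole flow against the fake transport; the callback URL is constructed
    in the shape of Aurinko's redirect to returnUrl."""
    auth = ServiceAccountAuth("app-id", "app-secret", "https://your-app.com/callback", post=fake_post)
    url, state = auth.authorize_url("Google", ["Mail.Read", "Mail.Send"])
    callback = f"https://your-app.com/callback?code=C0DE&state={state}&status=success"
    result = auth.handle_callback(callback)
    # A second delivery of the same callback is refused: the state was consumed.
    assert not callback_accepted(auth, callback)
    return result


if __name__ == "__main__":
    print(run_offline_demo())
```

Keep `client_secret` and the returned `accessToken` out of logs and client-side storage; the token is what authorizes every later call on behalf of the account.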
