Testing Considerations

This section suggests some things to consider when testing IoL token exchange.

• Token exchange parameter validation
• Application token generation
• Authorization callback URL
  

Token Exchange Parameter Validation

Iol sends a number of parameters to the application: for example, state and client ID that were provided in Connection URL to the data owner.  On accepting a grant of access to their data, or a rejection, these parameters can be used to perform application-specific verification and validation.  If this process fails return an appropriate HTTP response status code to IoL. Otherwise, return a HTTP OK status message along with the response application token.

Application Token Generation

The application generates the bearer token to be used by the IoL API when calling application-specific webhooks.  The IoL API places no requirements on the nature of this application token:  the application developer is free to provide an appropriate token generation mechanism.

Authorization Callback URL

This is the URL of the application-specific endpoint for token exchange between the IoL API and the application.  No authentication token should be expected with the HTTP request from IoL.