ashley1172 asked benjamin-dean commented

Creating Request to activate 3 Legged Authorization

Understanding the benefits of the 3 legged authorization I want to include this in my app.

However, I don't need the JS SDK for any other area of the App so I felt I could just simply set up a popup window that will pass the User onto the RC login screen to authenticate the app. However, there are no clear instructions on what this request URL should be as all the examples include the JS SDK.

There was some explanation in the following PDF that sort of hints that it should be a POST request.

So based on what I have read the URL should be (for testing)

Then include response_type, redirect_uri (which must match the App's Redirect URIs), client_id, and prompt.

<REDIRECT_URI>&client_id=<APP_KEY>&prompt=login_consent

I did this by GET method - which returns me to my RedirectURI with the following parameters attached to the URL


Don't know if that is a response or what.

Then I tried it with POST method (as the PDF suggested that) and that returns with

Method Not Allowed.

What I did expect was the Login Screen as the blog post here describes (

Any help would be much appreciated.


benjamin-dean answered
Hello Ashley,

I understand your frustrations, and you will benefit from having the SDK on-hand as you work through 3-Legged Auth. Based on the fact that you are using the 'authorize()' method of the

You asked if the 3-legged Authorize URL you were using is correct, yes. That's the right one, and you have the right parameters from what I can tell in your message (and without seeing the actual HEADERs for the request you were using). Using version 2 of the JS SDK, here is how I addressed this:

```js
var authorizeURI = platform.authUrl({
    redirectUri: process.env.RC_APP_REDIRECT_URI,
    prompt: 'login consent',
    state: process.env.RC_APP_AUTH_STATE
});
// Open browser to authorizeURI (which should have all the properly formatted queryString parameters in place), e.g. window.open(authorizeURI, '_self', '');
// This should load the RingCentral Login window, which after successfully authenticating will ask for authorization/permission approval
// At this point, the browser should redirect to GET your REDIRECT URL
// qs holds the parsed querystring parameters of that request
// Verify parameters from the querystring
if( !qs.hasOwnProperty('code') || process.env.RC_APP_AUTH_STATE !== qs.state ) {
    // throw or log an error
} else {
    // WATCH OUT FOR THIS HACKINESS, YOU HAVE TO RETRO-FIT 'redirectUri' because of bug in V2 of JS SDK
    qs.redirectUri = process.env.RC_APP_REDIRECT_URI;
    // Exchange the authorization code for tokens
    platform.login(qs)
        .then(function(data) {
            // In Node.js w/Express: res.render('yourViewName', );
            // In the client: window.location.assign('somePathToYourApp');
        });
}
```

If the application brand ID does not match the account brand ID, you will get the error you are seeing (and no, that's not the response). I've not experienced this, but I didn't supply 'brandId' 

You should include the "state" when fetching the authorization URI, set to a randomized key that is stored in your environment variables, for verification of inbound requests (that they are actually coming from RingCentral).

I have created this simple Node.js demo application on Github (and I stood up the 3-legged OAuth portion for you to view). Feel free to clone it and try it on your own Sandbox app.

We have some documentation here which provides more information that is helpful:
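For the SDK-free route asked about in the question, the following is an added example (not part of the posts above and not RingCentral's code) that builds the authorization URL by hand and checks `state` and `code` on the redirect. It assumes a placeholder endpoint and app key, and a `state` generated per login attempt and kept in the user's session; the function names are illustrative.

```javascript
const { randomBytes, timingSafeEqual } = require('crypto');

// Constructed sample values; the endpoint and client ID are placeholders.
const SAMPLE = {
  authorizeEndpoint: 'https://auth.example.test/oauth/authorize',
  clientId: 'APP_KEY_PLACEHOLDER',
  redirectUri: 'https://app.example.test/oauth/callback',
  prompt: 'login consent',
};

// Build the URL the popup is sent to with a plain GET, plus the state to remember.
function buildAuthorizeRequest({ authorizeEndpoint, clientId, redirectUri, prompt }) {
  const state = randomBytes(32).toString('hex'); // fresh for every login attempt
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    redirect_uri: redirectUri, // must match a Redirect URI registered for the app
    client_id: clientId,
    prompt,
    state,
  }).toString();
  return { url: url.toString(), state }; // store state in the user's session
}

// Check the GET that arrives on the redirect URI before using its code.
function checkRedirect(redirectedUrl, expectedState) {
  const qs = new URL(redirectedUrl).searchParams;
  const got = Buffer.from(qs.get('state') || '');
  const want = Buffer.from(expectedState || '');
  // Constant-time comparison; an absent or empty state never matches.
  if (want.length === 0 || got.length !== want.length || !timingSafeEqual(got, want)) {
    return { ok: false, reason: 'state_mismatch' };
  }
  // An error redirect carries `error` instead of `code`.
  if (qs.has('error')) {
    return { ok: false, reason: qs.get('error') };
  }
  const codes = qs.getAll('code');
  if (codes.length !== 1 || codes[0] === '') {
    return { ok: false, reason: 'missing_code' };
  }
  return { ok: true, code: codes[0] };
}

const request = buildAuthorizeRequest(SAMPLE);
console.log(request.url);
console.log(checkRedirect(`${SAMPLE.redirectUri}?code=abc123&state=${request.state}`, request.state));
console.log(checkRedirect(`${SAMPLE.redirectUri}?error=access_denied&state=${request.state}`, request.state));
console.log(checkRedirect(`${SAMPLE.redirectUri}?code=abc123&state=forged`, request.state));
```
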

muhammad-shahbaz1229 answered benjamin-dean commented
I am also having an issue when using PHP for 3-Legged.
When I click on the Authorize button on the login consent screen,
I am receiving the following error:
"Authentication code cannot be obtained successfully for the given mailbox."

benjamin-dean commented
Hello Muhammed,

Since PHP is a server-side language, and the redirects which occur happen on the client-side, there is need of some work to support this using PHP. I've documented the issue in the PHP SDK for you here:

In the meantime, you could use the example demo I created in Node.js here to see how I've handled the server-client requests implementing our JS-SDK and Express to handle 3-Legged OAuth. Feel free to add issues if you experience them.