# OAuth1

## Grants

### Password grant

The Password Grant accepts your username and password, then returns an Access Token and a Refresh Token. As mentioned before, the Access Token can be used to authenticate API requests.

See also the [Password Policy User Service setting](https://docs.extrahorizon.com/extrahorizon/services/user-service/configuration#password-policy) for more information about the password format and login attempts.

{% tabs %}
{% tab title="Javascript" %}

```javascript
await exh.auth.authenticate({
    email:'john.doe@example.com',
    password:'myPassword1234'
});
```

{% endtab %}
{% endtabs %}

{% hint style="warning" %}
Note that if this user has MFA enabled, this function will throw a `MfaRequiredError`. With the information in the error you can follow the [Mfa Grant](#mfa-grant) to complete the authentication.
{% endhint %}

### Mfa Grant

When MFA is enabled for a user and you try to authenticate using the password grant, you will receive a `MfaRequiredError`. You can catch the error and use the Mfa Grant to complete the authentication.

{% tabs %}
{% tab title="Javascript" %}

```javascript
// The error class is exported by the SDK package
import { MfaRequiredError } from '@extrahorizon/javascript-sdk';

try {
  await exh.auth.authenticate({
    password: '',
    email: '',
  });
} catch (error) {
  if (error instanceof MfaRequiredError) {
    const { mfa } = error.response;

    // Your logic to ask which method the user wants to use when multiple methods are available
    const methodId = mfa.methods[0].id;

    await exh.auth.confirmMfa({
      token: mfa.token,
      methodId,
      code: '', // code from e.g. Google Authenticator
    });
  } else {
    // Handle other possible authentication errors; rethrow so a failed login is never silently ignored
    throw error;
  }
}
```

{% endtab %}
{% endtabs %}

### SSO Token Grant

You can exchange an SSO token generated by one application for access tokens that can be used by another application. This way you can implement a single sign-on flow between e.g. mobile and web.

{% tabs %}
{% tab title="Javascript" %}
This functionality is currently not supported by the JavaScript SDK. You can use the raw method of the SDK to access it.

```javascript
await exh.raw.post('/auth/v2/oauth1/ssoTokens/consume',{
    ssoToken: "{ssoTokenHere}"
});
```

{% endtab %}
{% endtabs %}

## Tokens

### Retrieve a list of active tokens

{% tabs %}
{% tab title="Javascript" %}
This functionality is currently not supported by the JavaScript SDK. You can use the raw method of the SDK to access it.

```javascript
await exh.raw.get('/auth/v2/oauth1/tokens');
```

{% endtab %}
{% endtabs %}

### Revoking tokens

{% tabs %}
{% tab title="Javascript" %}
This functionality is currently not supported by the JavaScript SDK. You can use the raw method of the SDK to access it.

```javascript
await exh.raw.delete('/auth/v2/oauth1/tokens/{tokenId}');
```

{% endtab %}
{% endtabs %}
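
A session-hygiene use of the two calls above, added here as an example and not taken from the SDK or the Extra Horizon documentation: revoke every active token except the one to keep, for example after a password change. The function names, the `{ data: [{ id }] }` list response shape and the in-memory `createFakeRaw` client are assumptions; in an application you would pass `exh.raw` instead.

```javascript
// Added example. `raw` is any client exposing the get/delete calls shown above.
// ASSUMPTION: the list response body looks like { data: [{ id, ... }] };
// verify the real shape in the Auth Service API reference before relying on it.
async function revokeOtherTokens(raw, keepTokenId) {
  const response = await raw.get('/auth/v2/oauth1/tokens');
  const tokens = response.data?.data;
  if (!Array.isArray(tokens)) {
    // Fail closed: never report success when the list could not be read.
    throw new Error('Unexpected token list response shape');
  }
  const revoked = [];
  const failed = [];
  for (const { id } of tokens) {
    if (id === keepTokenId) continue; // keep the current session alive
    try {
      await raw.delete(`/auth/v2/oauth1/tokens/${encodeURIComponent(id)}`);
      revoked.push(id);
    } catch (error) {
      // A token that could not be revoked is still valid: report it.
      failed.push({ id, reason: error.message });
    }
  }
  return { revoked, failed };
}

// Constructed in-memory stand-in for exh.raw so the example runs offline.
function createFakeRaw(ids, undeletable = []) {
  const store = new Set(ids);
  return {
    store,
    async get() {
      return { data: { data: [...store].map((id) => ({ id })) } };
    },
    async delete(path) {
      const id = decodeURIComponent(path.split('/').pop());
      if (undeletable.includes(id)) throw new Error('403 Forbidden');
      store.delete(id);
      return { data: {} };
    },
  };
}
```

Treat a non-empty `failed` list as an incomplete revocation and surface it to the user or an operator instead of reporting that all other sessions were signed out.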

## SSO

### Generate SSO Tokens

You can create a single-use SSO token. Another client can consume such a token and exchange it for an authorization.

{% tabs %}
{% tab title="Javascript" %}
This functionality is currently not supported by the JavaScript SDK. You can use the raw method of the SDK to access it.

```javascript
await exh.raw.post('/auth/v2/oauth1/ssoTokens/generate');
```

{% endtab %}
{% endtabs %}
