Frequently Asked Questions

If the callback fails for any reason, you will need to send the user through the authorization flow again.

The OAuth 2.0 spec (section 3.1.2 of RFC 6749) requires that a redirection URI must be an absolute URI. The use of wildcards in redirect URI is not supported.

The enableHR Open API supports integrations via three-legged OAuth2. We support the authorization_code grant and refresh tokens.

Access tokens are valid for 30 minutes.

Unused refresh tokens expire after 14 days. If you do not refresh your access token within 14 days, the user will need to reauthorize your app. When you perform a token refresh, replace your stored refresh token with the new one returned in the response. If, for whatever reason, you do not receive the response, you can retry the refresh with your existing refresh token for a grace period of 30 minutes.
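The following is an added example, not enableHR's code, of a client-side token store that applies the refresh-token rules above: it refreshes shortly before the 30 minute access-token lifetime ends, treats an unused refresh token as dead after 14 days, keeps the existing refresh token for retries when no response comes back, gives up after the 30 minute grace period, and replaces the stored refresh token with the one in a successful response. The token endpoint is passed in as a callable so the logic runs offline; FakeTokenEndpoint is a constructed stand-in for https://login.enablehr.com/oauth/token, not a description of its real behaviour, and its assumption that a superseded token is rejected with invalid_grant once the grace period is over is ours.

```python
# Added example (not enableHR's code): client-side handling of enableHR's
# refresh-token rules. Lifetimes are the FAQ's figures. FakeTokenEndpoint is a
# constructed stand-in for the real token endpoint so this runs offline.
import time
from dataclasses import dataclass
from typing import Callable, Optional

ACCESS_TOKEN_TTL = 30 * 60            # access tokens are valid for 30 minutes
REFRESH_TOKEN_IDLE_TTL = 14 * 86400   # an unused refresh token expires after 14 days
REFRESH_RETRY_GRACE = 30 * 60         # a refresh whose reply was lost may be retried for 30 minutes


class ReauthorizationRequired(Exception):
    """The user has to go through the authorization_code flow again."""


class NoResponse(Exception):
    """The token endpoint did not answer (timeout, connection reset, ...)."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    issued_at: float                            # when this pair was obtained
    retry_started_at: Optional[float] = None    # first failed refresh attempt with this refresh token

    def access_token_usable(self, now: float, skew: float = 60) -> bool:
        # Refresh a minute early so a request already in flight does not hit an expired token.
        return now < self.issued_at + ACCESS_TOKEN_TTL - skew

    def refresh_token_usable(self, now: float) -> bool:
        return now < self.issued_at + REFRESH_TOKEN_IDLE_TTL


def refresh(tokens: TokenSet, post_refresh: Callable[[str], dict],
            now: Optional[float] = None) -> TokenSet:
    """Exchange the stored refresh token for a new token pair.

    post_refresh(refresh_token) stands for the POST to the token endpoint with
    grant_type=refresh_token; it returns the parsed JSON body or raises NoResponse.
    Raises NoResponse when the caller should simply retry, and
    ReauthorizationRequired when the user must be sent through the auth flow again.
    """
    now = time.time() if now is None else now
    if not tokens.refresh_token_usable(now):
        raise ReauthorizationRequired("refresh token unused for 14 days")
    try:
        body = post_refresh(tokens.refresh_token)
    except NoResponse:
        # Keep the existing refresh token and retry with it, but only inside the grace period.
        if tokens.retry_started_at is None:
            tokens.retry_started_at = now
        if now - tokens.retry_started_at > REFRESH_RETRY_GRACE:
            raise ReauthorizationRequired("30 minute retry grace period exceeded")
        raise
    if "error" in body:
        # e.g. invalid_grant: the server already rotated this token and the grace period is over
        raise ReauthorizationRequired(body["error"])
    # Replace the old refresh token with the one returned in the response.
    return TokenSet(body["access_token"], body["refresh_token"], issued_at=now)


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: rotates the refresh token on
    every refresh, keeps honouring the superseded one for the grace period
    (assumed behaviour), and can drop a reply to simulate a lost response."""

    def __init__(self, refresh_token: str, clock: Callable[[], float]):
        self.clock = clock
        self.superseded_at = {refresh_token: None}   # token -> time it was rotated away (None = current)
        self.drop_next_response = False
        self.n = 0

    def __call__(self, presented: str) -> dict:
        now = self.clock()
        if presented not in self.superseded_at:
            return {"error": "invalid_grant"}
        rotated = self.superseded_at[presented]
        if rotated is not None and now - rotated > REFRESH_RETRY_GRACE:
            return {"error": "invalid_grant"}
        self.n += 1
        new_refresh = f"rt{self.n}"
        if rotated is None:
            self.superseded_at[presented] = now      # rotate the presented token
        self.superseded_at[new_refresh] = None
        if self.drop_next_response:
            self.drop_next_response = False
            raise NoResponse()
        return {"access_token": f"at{self.n}", "refresh_token": new_refresh}
```

In use, call refresh() whenever access_token_usable() is false, persist the returned TokenSet, and map ReauthorizationRequired to "send the user back to the authorize link". The important behaviour is in the NoResponse branch: the client never discards a refresh token it has not seen superseded, so a lost reply is recoverable inside the grace period rather than forcing a reauthorization.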

You can use any OAuth2 client to connect to our Authentication and Authorisation Server (AAS). We have used the Spring Security OAuth and Spring Security 5 libraries, and Postman, to test our APIs.

The configuration you need to connect to our AAS is as follows:

Item                          Comments
Client ID                     Provided by enableHR to the customer
Client Secret                 Provided by enableHR to the customer
Client Authentication Method  Basic (HTTP Basic authentication with the client ID and secret)
Redirect Uri Template         A URL on the customer's server to which we redirect once their user has authenticated and approved access. The customer provides this to us
Authorization Uri             https://login.enablehr.com/oauth/authorize
Token Uri                     https://login.enablehr.com/oauth/token
Check Token Uri               https://login.enablehr.com/oauth/check_token
User Info Uri                 https://rest.enablehr.com/users/self

On your website, there would be a link to connect to enableHR. When the user clicks the link, redirect them to:

https://login.enablehr.com/oauth/authorize?client_id=<CLIENT ID>&redirect_uri=<YOUR REDIRECT URI>&response_type=code&scope=<SCOPES REQUESTED>&state=<SOME STATE TO VERIFY>

This brings up the enableHR login page. The user enters their username and password, and the Authentication and Authorisation Server then shows an approvals screen listing the requested scopes; the user must approve them before a token can be issued. If no scopes are approved you will not receive a token. The scopes you can request are the ones listed in our API YAML definition.

On success, the browser is redirected to your redirect URI with the authorization code and the state value you sent:

https://<YOUR REDIRECT URI>?code=N_aFQt&state=<SOME STATE TO VERIFY>

Check that the returned state matches the value you stored for this user's session before using the code. Exchange the code for an access token and refresh token at the Token Uri given above (a POST with grant_type=authorization_code, the code and the same redirect_uri, authenticated with your client ID and client secret via HTTP Basic). You can verify the token using the Check Token Uri given above. Every subsequent call to https://rest.enablehr.com sends the access token in the HTTP Authorization header:

Authorization: Bearer <the access token goes here>
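The flow above, as an added example that is not part of enableHR's own code or documentation: building the authorize link with a fresh state value, validating the callback (state match before the code is trusted), and preparing the code exchange, the check_token call and an API call. The URLs are the ones from the configuration table; CLIENT_ID, CLIENT_SECRET, REDIRECT_URI and the scope names are placeholders, and the `token` form parameter for the Check Token Uri is assumed from the Spring Security OAuth check_token endpoint the page says was used for testing. Requests are built but not sent, so the example runs offline; in a real integration, send them with your HTTP client of choice.

```python
# Added example (not enableHR's code): the authorization_code flow described
# above, built with the standard library only. CLIENT_ID, CLIENT_SECRET,
# REDIRECT_URI and the scopes are placeholders; the endpoint URLs are the FAQ's.
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URI = "https://login.enablehr.com/oauth/authorize"
TOKEN_URI = "https://login.enablehr.com/oauth/token"
CHECK_TOKEN_URI = "https://login.enablehr.com/oauth/check_token"
API_BASE = "https://rest.enablehr.com"

CLIENT_ID = "client123"        # placeholder: the ID enableHR emails to your authorised user
CLIENT_SECRET = "s3cret"       # placeholder: from the encrypted zip; keep it server-side only
REDIRECT_URI = "https://integration.example.com/oauth/callback"  # placeholder: absolute, no wildcards


def new_state() -> str:
    """Unguessable per-session value; store it server-side before redirecting."""
    return secrets.token_urlsafe(32)


def authorize_url(scopes, state: str) -> str:
    """The link your site sends the user to. urlencode escapes the redirect URI and scopes."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URI + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect, or raise ValueError.

    The state must equal the value stored for this browser session. A mismatch
    means the callback was not produced by a redirect we started (login CSRF),
    so the code is discarded and the user goes through the flow again.
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch; discard this callback")
    if "error" in query:
        # e.g. access_denied when the user approved no scopes
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("no code in callback")
    return query["code"][0]


def basic_auth_header() -> dict:
    """Client Authentication Method 'Basic': base64(client_id:client_secret)."""
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def token_request(code: str) -> tuple:
    """(url, headers, form body) for POSTing the code to the Token Uri."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    headers = {**basic_auth_header(), "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URI, headers, urlencode(body)


def check_token_request(access_token: str) -> tuple:
    """(url, headers, form body) for the Check Token Uri. The 'token' parameter
    name is an assumption taken from Spring Security OAuth's check_token endpoint."""
    headers = {**basic_auth_header(), "Content-Type": "application/x-www-form-urlencoded"}
    return CHECK_TOKEN_URI, headers, urlencode({"token": access_token})


def api_request(path: str, access_token: str) -> tuple:
    """(url, headers) for a REST API call carrying the bearer token."""
    return API_BASE + path, {"Authorization": f"Bearer {access_token}"}
```

The state value does the work the FAQ's "<SOME STATE TO VERIFY>" hints at: it is generated per login attempt, stored with the session, and compared with a constant-time comparison before the code is exchanged. Because the redirect URI is a fixed absolute URL registered with enableHR, it is sent unchanged in both the authorize request and the token exchange.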

The Client ID is shared by email with an authorised user. The Client Secret is shared by email inside an attached, encrypted zip file; the password to open the file is sent by SMS to the authorised user. The zip file contains a single line, which is the client secret. Keep it safe, as it would allow an intruder to access your data on enableHR.

This redirect URI endpoint is where you receive the OAuth2 authorization code. The code must then be exchanged for the OAuth2 access token, which is used in subsequent calls to retrieve data from enableHR.
© 2021 enableHR · All rights reserved