Does Smartsheet API support standard OAuth 2.0 for third-party auth?

Question

I am working on a web app which will need to implement the three-legged OAuth 2.0 flow. The Smartsheet API docs http://smartsheet.com/developers/api-documentation say that the API supports standard OAuth 2.0 flow. On closer inspection, however, I see that access and refresh token management operations require that instead of sending over the client secret (which appears to be the standard behavior in other APIs), I have to send over a hash, quoting "SHA-256 hash of your client secret concatenated with a pipe and the authorization code. The client_secret is never sent with the request."

Given that this is different from the standard OAuth 2.0 flow, does Smartsheet API support the standard behavior?

Answer 1

Passing the secret in the clear - on the URL - is not supporterd. The flow described in the documentation is an OAuth2 flow, though it is admittedly not the common flow that is most generally used among SaaS vendors. The OAuth2 spec allows for extensions to the token endpoint to accommodate the security requirements of the authorization server, and the SHA256 hash is one such extension.