Rally - Creating an Oauth token manually


Article ID: 140086


Products

Rally SaaS

Issue/Introduction

This article walks through the steps to create a client application, generate an auth code, and exchange it for an access token.

Environment

Release : SAAS

Component : AGILE CENTRAL

Resolution

First, you'll need to create an OAuth client. The key pieces of information moving forward will be the callback URL, client ID, and client secret.


Next you'll create a URL going to https://rally1.rallydev.com/login/oauth2/auth and use the following parameters:

 

  • state: a key to use to validate the auth token, typically a UUID.
  • response_type: set to 'code'.
  • redirect_uri: this must match the URL you specified when creating your client ID and secret above.
  • client_id: the client_id that was created above.
  • scope: set to 'alm'.

 


Example URL:

https://rally1.rallydev.com/login/oauth2/auth?state=<StateOID>&response_type=code&redirect_uri=http://localhost&client_id=<CLIENT_ID>&scope=alm


Once that URL is accessed, you'll be redirected to an Authorization Request page.


After you click "Allow Access", you'll be sent back to the page that you specified above when you set up your client in Rally. The URL will now include an auth code that you will use in your next request.


Your next request will be a POST request to https://rally1.rallydev.com/login/oauth2/token using the application/x-www-form-urlencoded content type.

You'll add the following body parameters:

 

  • code: the 'code' you received in the URL of the previous request.
  • redirect_uri: must match the redirect_uri you specified when creating the client above.
  • grant_type: set to 'authorization_code'.
  • client_id: set to your client ID, generated when creating the client above.
  • client_secret: set to your client secret, generated when creating the client above.

 


The access_token will be used in subsequent requests to Rally and passed as a ZSESSIONID header parameter like you would for an API key.
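
The steps above as a Python sketch, added here as an illustration and not taken from Rally's own tooling: it builds the authorization URL with a random state, checks the state on the callback before accepting the code, and prepares the token POST. The function names are hypothetical, and it assumes the redirect returns the state value unchanged alongside the code, as is standard for OAuth 2.0.

```python
import hmac
import secrets
import urllib.request
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_URL = "https://rally1.rallydev.com/login/oauth2/auth"
TOKEN_URL = "https://rally1.rallydev.com/login/oauth2/token"


def build_auth_url(client_id, redirect_uri, state=None):
    """Return (url, state); state is a fresh random value unless supplied."""
    state = state or secrets.token_urlsafe(32)
    query = urlencode({  # urlencode percent-encodes redirect_uri for us
        "state": state,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "scope": "alm",
    })
    return f"{AUTH_URL}?{query}", state


def extract_code(callback_url, expected_state):
    """Return 'code' from the redirect; reject it if 'state' does not match.

    Assumption: the callback carries both 'code' and 'state' query parameters.
    """
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response is not ours.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    if "code" not in params:
        raise ValueError("no code in callback URL")
    return params["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Build (without sending) the form-encoded POST that exchanges the code."""
    body = urlencode({
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
```

Pass the returned request to urllib.request.urlopen() to perform the exchange, and load the client secret from the environment or a secrets store instead of hard-coding it.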