Authentication (OAuth 2.0)

Owned by Nathaniel Halbrooks
Last updated: Jan 29, 2024
2 min read

 

Introduction

OAuth 2.0 (RFC6749) is the industry-standard protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.1

 

Creating an application

During application creation it will be necessary to provide the applications scopes.  OAUTH provides isolated access to enhance security. In other words providing credentials doesn't give the "keys to the kingdom"

image2019-1-7_11-16-58.png

 

Click on the "Scope Visualizer" to see the scope, API Type, Module and description.

If you wanted the credentials to read and write call forwarding data the scopes would be "rest:callforward:read rest:callforward:write".

At the top of the page you see "Selected Scopes" you can check the boxes next to the scopes and they will appear in this box. You may then copy that to your clipboard and paste it in to the required field for your application.

image2019-1-7_11-22-31.png

 

For GraphQL these scopes will also populate in the GraphQL explorer and GraphQL Documentation fields to allow easy generation.

When creating an application the client credentials are only shown on initial creation. Copy this down and keep it in a safe location separate from the client id. If this data is compromised see here

 

Web-Server App

The 'Web-server App', also known as 'Authorization Code Grant', should be very familiar if you’ve ever signed into a web app using your Facebook or Google account

Browser-based/Single Page app

The 'Browser-based/Single Page app', also known as 'Implicit Code Grant', is similar to the 'Web-server App' with two distinct differences It is intended to be used for user-agent-based clients (e.g. single page web apps) that can’t keep a client secret because all of the application code and storage is easily accessible. Secondly instead of the authorization server returning an authorization code which is exchanged for an access token, the authorization server returns an access token

Native app

The 'Native app', also known as 'Resource owner password credentials grant', is a great user experience for trusted first party clients both on the web and in native applications.

Machine-to-Machine app

The 'Machine-to-Machine app', also known as 'Client credentials grant', is suitable for machine-to-machine authentication, for example for use in a cron job which is performing maintenance tasks over an API. Another example would be a client making requests to an API that don’t require user’s permission

Return to Documentation Home I Return to Sangoma Support