Smartenit uses OAuth 2 to provide secure and standardized access to resources. OAuth 2 uses access tokens to provide temporary access to protected resources without using directly the application or user credentials. Access tokens have a lifetime configured by the issuing application, also the OAuth 2 server will generate refresh tokens that should be used to obtain new access tokens after these have expired.
The common endpoints of the OAuth 2 server are:
| Token endpoint | https://api.smartenit.io/v2/oauth2/token |
| Authorization endpoint | https://api.smartenit.io/v2/oauth2/authorize |
| SSO (Single Sign On) dialog | https://api.smartenit.io/v2/oauth2/authorize/dialog |
By using an authorization grant, clients can obtain access tokens to use the API:
An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token.
After acquiring an access token by using any authorization grant the client can use it to access protected API resources. Based on the OAuth 2 spec, the following grants are supported:
Grants
Authorization Code
This grant is used to generate an authorization code that is used to obtain an access token, it authenticates the client directly in the authorization server.
Implicit
This is one of the commonly used grants, is a simplified flow based on authorization code and allows third party applications to use the API resources on behalf of the user. This grant authenticates a user in a protected server (api.smartenit.io) and then redirects the user agent based on the application configuration. This protects the user credentials and guarantees that they are exposed only to protected server and provides restricted access tokens to third parties based on the application configuration and the user role. The implicit grant involves an Authorization UI to authenticate the user in the protected server:
Resource Owner Password Credentials
This grant is meant to be used with user interaction, and it requires user credentials to authenticate an user. As this grant exposes user credentials, it must be used in conjunction with the client credentials grant. So in order to use this grant, the HTTP client must authenticate first using the client credentials to verify that is a trusted client, then the user credentials will be verified and an access token will be issued based on the user role permissions stored in the application configuration.
Client Credentials
This grant is meant to be used by trusted clients like native mobile applications or web applications such as the Smartenit dashboard. This grant authenticates a trusted client and generates an access token with restricted permissions. This is useful to start using the API with restricted permissions like creating new users.
Next Steps
- Explore OAuth 2 examples
- Checkout the API reference for REST-based APIs
- Check the API reference for Real-time Messaging APIs