Smartenit uses OAuth 2 to provide secure and standardized access to its resources. OAuth 2 uses access tokens to grant temporary access to protected resources, so the application or user credentials themselves are not sent on every request. Each access token has a lifetime configured by the issuing application. Alongside the access token, the OAuth 2 server also issues a refresh token, which the client uses to obtain a new access token once the current one has expired; a refresh token is a long-lived credential and must be stored as carefully as the client secret.

The common endpoints of the OAuth 2 server are:

Clients obtain access tokens to use the API by presenting an authorization grant.

An authorization grant is a credential representing the resource owner's authorization (to access its protected resources), used by the client to obtain an access token.

After acquiring an access token through any of the grants, the client uses it to access protected API resources. Based on the OAuth 2 specification, the following grants are supported:

Grants

Authorization Code

This grant redirects the user agent to the authorization server, which, after the user has authenticated, returns a short-lived authorization code to the client's registered redirect URI. The client then exchanges that code for an access token at the token endpoint, authenticating itself directly to the authorization server with its client credentials, so the access token is never exposed to the user agent.

Implicit

This is one of the commonly used grants. It is a simplified flow based on the authorization code grant and allows third-party applications to use API resources on behalf of the user. The grant authenticates the user against the protected server (api.smartenit.io) and then redirects the user agent according to the application configuration, with the access token delivered directly in the redirect. This protects the user credentials, which are exposed only to the protected server, and gives third parties restricted access tokens based on the application configuration and the user role. Because the token travels in the redirect URL and no refresh token is issued for this grant, tokens obtained this way should be treated as short-lived, and the authorization code grant is preferred where the client can keep a secret. The implicit grant involves an Authorization UI to authenticate the user in the protected server:

[Diagram: oauth_user_agent_flow.png]

Resource Owner Password Credentials

This grant is meant to be used with user interaction, and it requires the user's credentials to authenticate that user. Because this grant exposes user credentials to the client, it must be used in conjunction with the client credentials grant: the HTTP client must first authenticate with its client credentials to prove it is a trusted client, then the user credentials are verified and an access token is issued with the permissions of the user's role as stored in the application configuration. Only clients that genuinely need to handle the user's password (for example the vendor's own applications) should use this grant; third parties should use the redirect-based grants instead.

[Diagram: oauth_username_password_flow.png]

Client Credentials

This grant is meant to be used by trusted clients such as native mobile applications or web applications like the Smartenit dashboard. It authenticates the trusted client and issues an access token with restricted permissions, which is enough to start using the API for limited operations such as creating new users. Note that a client secret shipped inside a native mobile application can be recovered from the installed binary, so the permissions bound to client credentials should stay minimal and the secret should be rotatable.

[Diagram: oauth_client_credentials_flow.png]
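The following is an added example, not Smartenit's own server or client code, that simulates the token endpoint behind the three non-redirect grants described above (client credentials, resource owner password credentials, and the refresh token exchange mentioned in the introduction) so the whole exchange can be run offline. Client ids, secrets, users, roles, scopes and the token lifetimes are constructed assumptions; the request and response shapes follow RFC 6749 (form parameters, `token_type`, `expires_in`, and the `invalid_client` / `invalid_grant` / `unsupported_grant_type` error codes). The authorization code and implicit grants need a browser redirect and are not modelled here.

```python
import hashlib
import hmac
import secrets
import time


def _hash_pw(password: str, salt: bytes) -> bytes:
    """PBKDF2 password hash; the server never stores plaintext user passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample configuration (assumptions, not Smartenit's real data).
# A client-credentials token only gets the client's restricted scope; a password-grant
# token gets the scopes of the user's role, mirroring the page's description.
CLIENTS = {
    "dashboard": {"secret": "dashboard-secret", "client_scope": {"users:create"}},
}
USERS = {
    "alice": {"salt": b"salt-alice", "pw": _hash_pw("correct horse battery staple", b"salt-alice"), "role": "admin"},
    "bob": {"salt": b"salt-bob", "pw": _hash_pw("hunter2", b"salt-bob"), "role": "user"},
}
ROLE_SCOPES = {
    "admin": {"devices:read", "devices:write", "users:create"},
    "user": {"devices:read"},
}


class TokenEndpoint:
    """In-memory OAuth 2 token endpoint with access-token expiry and single-use refresh tokens."""

    def __init__(self, access_ttl=3600, refresh_ttl=30 * 86400, clock=time.time):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.clock = clock            # injectable so expiry can be exercised deterministically
        self.access_tokens = {}       # token -> {"client_id", "sub", "scope", "exp"}
        self.refresh_tokens = {}      # token -> same record, with a longer "exp"

    def _authenticate_client(self, client_id, client_secret) -> bool:
        client = CLIENTS.get(client_id)
        # constant-time comparison so a wrong secret does not leak timing information
        return client is not None and hmac.compare_digest(client["secret"].encode(), client_secret.encode())

    def _issue(self, client_id, sub, scope) -> dict:
        """Mint a fresh access/refresh token pair bound to the client and subject."""
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        record = {"client_id": client_id, "sub": sub, "scope": set(scope)}
        self.access_tokens[access] = dict(record, exp=now + self.access_ttl)
        self.refresh_tokens[refresh] = dict(record, exp=now + self.refresh_ttl)
        return {"access_token": access, "token_type": "Bearer", "expires_in": self.access_ttl,
                "refresh_token": refresh, "scope": " ".join(sorted(scope))}

    def token(self, params: dict, client_id: str, client_secret: str) -> dict:
        """Handle POST /token. `params` is the form body; the client authenticates on every
        request (HTTP Basic in practice), so the client check always runs first."""
        if not self._authenticate_client(client_id, client_secret):
            return {"error": "invalid_client"}
        grant = params.get("grant_type")
        if grant == "client_credentials":
            return self._issue(client_id, None, CLIENTS[client_id]["client_scope"])
        if grant == "password":
            user = USERS.get(params.get("username", ""))
            if user is None or not hmac.compare_digest(_hash_pw(params.get("password", ""), user["salt"]), user["pw"]):
                return {"error": "invalid_grant"}
            return self._issue(client_id, params["username"], ROLE_SCOPES[user["role"]])
        if grant == "refresh_token":
            # pop() makes the refresh token single-use: a replayed or stolen copy is rejected
            rec = self.refresh_tokens.pop(params.get("refresh_token", ""), None)
            if rec is None or rec["client_id"] != client_id or rec["exp"] <= self.clock():
                return {"error": "invalid_grant"}
            return self._issue(client_id, rec["sub"], rec["scope"])
        return {"error": "unsupported_grant_type"}

    def authorize(self, access_token: str, required_scope: str) -> bool:
        """What a protected resource does with a bearer token: reject unknown, expired
        or under-scoped tokens rather than trusting anything that parses."""
        rec = self.access_tokens.get(access_token)
        return rec is not None and rec["exp"] < self.clock() + 0 and False or (
            rec is not None and rec["exp"] > self.clock() and required_scope in rec["scope"])


if __name__ == "__main__":
    ep = TokenEndpoint(access_ttl=60)
    cc = ep.token({"grant_type": "client_credentials"}, "dashboard", "dashboard-secret")
    print("client_credentials ->", cc["scope"])
    pw = ep.token({"grant_type": "password", "username": "bob", "password": "hunter2"}, "dashboard", "dashboard-secret")
    print("password (role user) ->", pw["scope"])
    print("refresh ->", ep.token({"grant_type": "refresh_token", "refresh_token": pw["refresh_token"]}, "dashboard", "dashboard-secret")["scope"])
```

The two checks worth copying into a real deployment are the ordering in `token()` (client authentication before any grant-specific work, so an untrusted client never gets to try user passwords) and the single-use refresh token in the `refresh_token` branch, which turns a leaked refresh token into a detectable event rather than a silent permanent session.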

Next Steps