The common endpoints of the OAuth 2 server are:
[Figure: SSO (Single Sign On) dialog]
By using an authorization grant, clients can obtain access tokens to use the API:
An authorization grant is a credential representing the resource owner's authorization (to access its protected resources), used by the client to obtain an access token.
After acquiring an access token by using any authorization grant, the client can use it to access protected API resources. Based on the OAuth 2 spec, the following grants are supported:
Authorization Code
This grant is used to generate an authorization code that is then exchanged for an access token; it authenticates the client directly against the authorization server.
Implicit
This is one of the most commonly used grants. It is a simplified flow based on the authorization code grant and allows third-party applications to use the API resources on behalf of the user. This grant authenticates a user in a protected server (api.smartenit.io) and then redirects the user agent based on the application configuration. This protects the user credentials by guaranteeing that they are exposed only to the protected server, and it provides restricted access tokens to third parties based on the application configuration and the user role. The implicit grant involves an Authorization UI to authenticate the user in the protected server:
Resource Owner Password Credentials
This grant is meant to be used with user interaction, and it requires user credentials to authenticate a user. As this grant exposes user credentials, it must be used in conjunction with the client credentials grant. So in order to use this grant, the HTTP client must first authenticate using the client credentials to verify that it is a trusted client; then the user credentials are verified and an access token is issued based on the user role permissions stored in the application configuration.
Client Credentials
This grant is meant to be used by trusted clients such as native mobile applications or web applications like the Smartenit dashboard. It authenticates a trusted client and generates an access token with restricted permissions. This is useful for starting to use the API with restricted permissions, for example to create new users.
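The following is an added example, not Smartenit's own server code, that models the token-issuing rules of the two grants just described (Resource Owner Password Credentials and Client Credentials): a client-credentials token carries only restricted permissions, and the password grant is refused unless the caller presents a valid client-credentials token, after which the user token is scoped by the role stored in the application configuration. All client ids, secrets, users, roles and permission names below are constructed sample data, not values from the Smartenit API.

```python
import secrets

# Constructed sample configuration (stand-in for the real application
# configuration; the actual Smartenit clients, roles and permissions are
# not documented on this page).
CLIENTS = {"dashboard": "dashboard-secret"}          # trusted client id -> secret
ROLE_PERMISSIONS = {
    "admin": {"users:create", "devices:read", "devices:write"},
    "user": {"devices:read"},
}
USERS = {"alice": ("alice-pw", "admin"), "bob": ("bob-pw", "user")}
CLIENT_PERMISSIONS = {"users:create"}                # restricted client-only scope

ISSUED = {}  # token -> (kind, subject, frozenset of permissions)


def _issue(kind, subject, perms):
    token = secrets.token_urlsafe(24)
    ISSUED[token] = (kind, subject, frozenset(perms))
    return token


def token_endpoint(params, bearer=None):
    """Model of the token endpoint policy for the two grants.

    client_credentials: verifies the client secret and returns a token with
    the restricted client permissions.
    password: accepted only when `bearer` is a live client-credentials token
    (proof of a trusted client); then verifies the user's password and scopes
    the issued token by the user's configured role.
    """
    grant = params.get("grant_type")
    if grant == "client_credentials":
        cid, secret = params.get("client_id"), params.get("client_secret")
        if cid not in CLIENTS or not secrets.compare_digest(CLIENTS[cid], secret or ""):
            return {"error": "invalid_client"}
        return {"access_token": _issue("client", cid, CLIENT_PERMISSIONS)}
    if grant == "password":
        entry = ISSUED.get(bearer or "")
        if not entry or entry[0] != "client":     # untrusted or missing client
            return {"error": "invalid_client"}
        user, pw = params.get("username"), params.get("password")
        if user not in USERS or not secrets.compare_digest(USERS[user][0], pw or ""):
            return {"error": "invalid_grant"}
        role = USERS[user][1]
        return {"access_token": _issue("user", user, ROLE_PERMISSIONS[role])}
    return {"error": "unsupported_grant_type"}


def permissions(token):
    """Permissions bound to a token, or an empty set for an unknown token."""
    entry = ISSUED.get(token)
    return set(entry[2]) if entry else set()
```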