4

We have used the API of some organization for some time, but now they are starting to use OAuth2 for authentication. Their API is completely used programmatically by our application. So now we have to authenticate with OAuth2 so we can use their API again.

I am a little confused about this authentication process. Is there a way so one can authenticate with OAuth programmatically? It says that when authenticating the user will be asked to login before continuing with authentication, how do you achieve this logging in only from code? Or do you need to authenticate first using browser and then use the access token for further requests from the application. What is the typical process of OAuth2 authentication for this scenario?

EDIT: There is only one user that is the account used for our application for accessing their data. That user is registered on their end as the consumer of the API.

wdc
  • What does your application or the part that calls the api do? Is it some background or user-independent job or is the api called on behalf of the user? Does the api provider even know the user or require some SSO login e.g. via Google, Facebook etc.? – Thomas Jul 17 '19 at 09:17
  • 1
    Without knowing what you really need: in general, OAuth certainly can be used programmatically (without user interaction). – Michael Jul 17 '19 at 09:18
  • @Thomas API is used to access some xml responses from their server which we parse and it is a scheduled job which is done every day at some time. There is only one user which is the account used for our application, there are no other users, so API provider knows about our account, it is registered as a consumer of the API on their end. – wdc Jul 17 '19 at 09:23
  • 3
    Well, in that case I'd say you'd either need the "password" flow or the "client credentials" flow (you can look those up). Which fits your needs depends on how the api is configured: if your application is just a "user" from the api's point of view then I'd say use the "password" flow (the api should provide some login mechanism for that - you'd log in to get the access token which you send back during subsequent requests) - if your application is a service provider (client) the "client credentials" flow should be sufficient (if the api supports it). – Thomas Jul 17 '19 at 09:28
  • @Thomas From what is said in his question and comments, I would assume he wants to use the client_credentials flow. – Turtle Jul 17 '19 at 09:31

2 Answers

6

You are confusing different OAuth flows. The flow where a user authenticates is usually the authorization_code flow, whereas the one you want to use should be the client_credentials flow.

Let's call your application 'A' and the organization whose service you're consuming 'B'.

In the client_credentials flow, A will send its client_id and client_secret to B's authorization server. This server will return an access token that you can now use to call B's resource server (the service itself).

+---------------+          +------------------+
| Application A |    1     | Authorization    |
|               +----------+ server           |
+---------------+    2     +------------------+



+---------------+          +------------------+
| Application A |    3     |Resource Server   |
|               +----------+                  |
+---------------+    4     +------------------+

  1. Token request with client_id and client_secret
  2. Token response: json with an access_token
  3. Service request with the header "Authorization: Bearer "
  4. Service response as usual.

The token request usually has this format:

POST /token HTTP/1.1
Host: authorization-server.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx

But some may opt to enforce the other option: passing the client credentials in the Authorization header:

POST /token HTTP/1.1
Host: authorization-server.com
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

Base64 is here the function, not the literal string.

Turtle
  • client_credentials flow seems to replace userId with clientID. My API relies on knowing who the user is(their email), and there might be hundreds of users working programmatically. How can I handle such a scenario? – kravb Jul 14 '23 at 12:10
  • @kravb You could use a JWT as your access_token, in which you would put the email address. – Turtle Aug 16 '23 at 09:41
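The four steps in the answer above, as an added Python example that is not part of the answer or of any real API: it builds the client_credentials token request in both forms shown (credentials in the form body, or as HTTP Basic in the Authorization header), parses the JSON token response, caches the token and refreshes it shortly before it expires (so a daily job never reuses a stale token), and produces the Bearer header for the service request. The token URL, client_id, client_secret and the token response are constructed placeholders; fetch_token_http is the only function that touches the network and is not called by the offline demo.

```python
import base64
import json
import time
import urllib.request
from urllib.parse import urlencode


def build_token_request(token_url, client_id, client_secret, credentials_in_header=True):
    """Step 1: build the client_credentials token request as (url, headers, body).

    credentials_in_header=True sends client_id:client_secret as HTTP Basic
    (the second form in the answer); False puts them in the form body
    (the first form). Either way the body is application/x-www-form-urlencoded.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if credentials_in_header:
        raw = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return token_url, headers, urlencode(form)


def parse_token_response(body_text, now):
    """Step 2: parse the JSON token response; return (access_token, expires_at).

    Rejects error responses and non-bearer token types instead of silently
    sending garbage in the Authorization header later.
    """
    data = json.loads(body_text)
    if "error" in data:
        raise RuntimeError(f"token endpoint error: {data['error']}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type: {data.get('token_type')!r}")
    expires_in = int(data.get("expires_in", 3600))  # assumed default if absent
    return data["access_token"], now + expires_in


def fetch_token_http(token_url, client_id, client_secret, credentials_in_header=True):
    """Real network version of steps 1 and 2 (not used by the offline demo)."""
    url, headers, body = build_token_request(token_url, client_id, client_secret,
                                             credentials_in_header)
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers,
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode("utf-8"), time.time())


class TokenCache:
    """Hold one access token and refresh it `leeway` seconds before expiry."""

    def __init__(self, fetch_token, leeway=60):
        self._fetch = fetch_token  # callable(now) -> (token, expires_at)
        self._leeway = leeway
        self._token = None
        self._expires_at = 0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._leeway:
            self._token, self._expires_at = self._fetch(now)
        return self._token


def bearer_headers(access_token):
    """Step 3: headers for the service request carrying the access token."""
    return {"Authorization": f"Bearer {access_token}"}


# Constructed sample token response, standing in for B's authorization server.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "sample-access-token",
    "token_type": "Bearer",
    "expires_in": 3600,
})


def demo():
    """Offline walkthrough on a simulated clock: three service calls, one refresh.

    Each simulated token fetch appends #n to the sample token so the refresh
    at t=3550 (inside the 60 s leeway before the 3600 s expiry) is visible.
    """
    issued = []

    def fake_fetch(now):
        issued.append(now)
        token, expires_at = parse_token_response(SAMPLE_TOKEN_RESPONSE, now)
        return f"{token}#{len(issued)}", expires_at

    cache = TokenCache(fake_fetch)
    return [bearer_headers(cache.get(now=t))["Authorization"] for t in (0, 100, 3550)]


if __name__ == "__main__":
    for header in demo():
        print(header)
```

The cache matters for the scheduled-job case in the question: the token endpoint is called once per expiry window rather than once per request, and the leeway avoids a request that leaves A with a token that has expired by the time it reaches B's resource server.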
0

I upvoted both the question and Turtle's answer. I think anyone who has looked up this question like I have would also benefit from:

https://auth0.com/docs/authorization/flows/which-oauth-2-0-flow-should-i-use

There are different flows. Think of them in box / handshake diagrams before code.

bbuck