Authorize your backend with OAuth2
Introduction
If you want to authorize a backend software, you are able to
- authorize the backend without giving away your username and password
- limit the scope of what actions the backend can do in your name.
To make this possible, you can create OAuth2 clients that are used with the OAuth2 Client Credentials Grant Flow.
Managing OAuth clients
You can manage your OAuth clients by using the OperatorAPI: https://operatorapi-int.blueid.net/operatorapi/apidocs/index.html
It is possible to create, list and delete your OAuth clients.
You can limit the access rights of the OAuth client to the following scopes:
| scope | description |
|---|---|
| tokens:create | permission to create new BlueID tokens |
| tokens:read | permission to list and read the issued BlueID tokens |
| tokens:delete | permission to revoke a BlueID token |
| devices:read | permission to list and read device information (MobileDevice and SecuredObject) |
| sync | permission to download token and revocation data for online SecuredObjects |
Retrieving the OAuth token
When you create a new OAuth client you will receive a clientId and a clientSecret.
This information must be securely stored at the backend service.
You can use the clientId and clientSecret to retrieve an OAuth token with a simple REST call:
```bash
curl --user client_id:client_secret --data "grant_type=client_credentials" https://<operatorapi>/oauth/token
```
This will return a JSON document containing the OAuth token.
Accessing a resource with an OAuth token
You can use the OAuth token for a limited time to access the restricted resource:
```bash
curl -H "Authorization: Bearer <your_oauth_token>" https://<operatorapi>/<resource>
```
When the resource returns status code 401 or 403, retrieve a new OAuth token.
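The whole flow in one place, as an added example that is not part of this documentation (Python, standard library only): the Client Credentials Grant request from above, the Bearer call to a resource, and a single fresh token fetch when the resource answers 401 or 403. Assumed: `https://operatorapi.example` stands in for `<operatorapi>`, the token JSON carries the RFC 6749 field name `access_token`, `/devices` is a placeholder resource, and `simulate()` drives the client against a constructed in-memory stand-in so it runs offline.

```python
import base64, json, urllib.error, urllib.request

class OAuthClient:
    """Client Credentials Grant client; base_url and resource paths are placeholders."""
    def __init__(self, base_url, client_id, client_secret, transport=None):
        self.base_url = base_url.rstrip("/")
        self.client_id, self.client_secret = client_id, client_secret  # load from a secret store, not source
        self.transport = transport or self._http  # injectable so the flow can be exercised offline
        self.token = None
    @staticmethod
    def _http(method, url, headers, data):
        # Real transport: returns (status, body) without raising on 4xx/5xx so callers see 401/403.
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    def fetch_token(self):
        # Same request as: curl --user client_id:client_secret --data "grant_type=client_credentials" .../oauth/token
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": f"Basic {creds}", "Content-Type": "application/x-www-form-urlencoded"}
        status, body = self.transport("POST", f"{self.base_url}/oauth/token", headers, b"grant_type=client_credentials")
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        self.token = json.loads(body)["access_token"]  # RFC 6749 field name, assumed for this API
        return self.token
    def get(self, resource):
        # Bearer call; on 401/403 fetch one fresh token and retry exactly once, never loop.
        if self.token is None:
            self.fetch_token()
        for attempt in (1, 2):
            status, body = self.transport("GET", f"{self.base_url}/{resource.lstrip('/')}", {"Authorization": f"Bearer {self.token}"}, None)
            if status not in (401, 403) or attempt == 2:
                return status, body
            self.fetch_token()

def simulate():
    # Constructed stand-in for the API: issues t1, t2, ...; treats t1 as an expired token.
    issued = []
    def fake(method, url, headers, data):
        if url.endswith("/oauth/token") and method == "POST" and data == b"grant_type=client_credentials":
            issued.append(f"t{len(issued) + 1}")
            return 200, json.dumps({"access_token": issued[-1]}).encode()
        if headers.get("Authorization") == "Bearer t1":
            return 401, b""
        return 200, b'{"ok":true}'
    client = OAuthClient("https://operatorapi.example", "client_id", "client_secret", transport=fake)
    status, _ = client.get("/devices")
    return status, client.token, len(issued)
```

`simulate()` returns `(200, "t2", 2)`: the first Bearer call is rejected with 401, one new token is fetched, and the retry succeeds.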