Authorize your backend with OAuth2

Introduction

If you want to authorize backend software, you can

  • authorize the backend without giving away your username and password

  • limit the scope of the actions the backend may perform in your name.

To make this possible, you can create OAuth2 clients that are used with the OAuth2 Client Credentials Grant flow.

Managing OAuth clients

You can manage your OAuth clients by using the OperatorAPI: https://operatorapi-int.blueid.net/operatorapi/apidocs/index.html

You can create, list and delete your OAuth clients there.

You can restrict the access rights of an OAuth client to the following scopes:

scope          description
tokens:create  permission to create new BlueID tokens
tokens:read    permission to list and read the issued BlueID tokens
tokens:delete  permission to revoke a BlueID token
devices:read   permission to list and read device information (MobileDevice and SecuredObject)
sync           permission to download token and revocation data for online SecuredObjects

Retrieving the OAuth token

When you create a new OAuth client you will receive a clientId and a clientSecret.

This information must be stored securely on the backend service.

You can use the clientId and clientSecret to retrieve an OAuth token with a simple REST call:

curl --user client_id:client_secret --data "grant_type=client_credentials" https://<operatorapi>/oauth/token

This will return a JSON response containing the OAuth token.

Accessing a resource with an OAuth token

You can use the OAuth token to access the restricted resource until it expires:

curl -H "Authorization: Bearer <your_oauth_token>" https://<operatorapi>/<resource>

When the resource returns the status code 401 or 403, retrieve a new OAuth token and repeat the request.
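The full flow described above (token request with the clientId:clientSecret as Basic auth, resource call with a Bearer header, fresh token and one retry on 401 or 403) as an added Python example that is not part of the BlueID documentation. The HTTP transport is injected and a constructed fake OperatorAPI stands in for the real service so it runs offline; the 30-second early-refresh margin and the 5-minute fallback for a missing expires_in are assumptions.

```python
import base64
import json
import time
from typing import Optional, Tuple
# <operatorapi> is the placeholder host used on this page, not a real endpoint
TOKEN_URL = "https://<operatorapi>/oauth/token"


class OAuthClient:
    """Client Credentials flow: cache the bearer token, refresh it on expiry or 401/403.
    transport(method, url, headers, body) -> (status, body) is injected so the flow runs offline."""
    def __init__(self, client_id: str, client_secret: str, transport):
        # clientId:clientSecret sent as HTTP Basic auth, exactly what `curl --user` does
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._basic, self._transport = "Basic " + creds, transport
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _fetch_token(self) -> str:
        headers = {"Authorization": self._basic, "Content-Type": "application/x-www-form-urlencoded"}
        status, body = self._transport("POST", TOKEN_URL, headers, b"grant_type=client_credentials")
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        data = json.loads(body)
        self._token = data["access_token"]
        # Treat the token as stale 30 s early; assume 5 min if the response omits expires_in
        self._expires_at = time.time() + data.get("expires_in", 300) - 30
        return self._token

    def get(self, url: str) -> Tuple[int, bytes]:
        if self._token is None or time.time() >= self._expires_at:
            self._fetch_token()
        status, body = self._transport("GET", url, {"Authorization": f"Bearer {self._token}"}, None)
        if status in (401, 403):
            # Token rejected server-side (expired or revoked): get a fresh one, retry exactly once
            self._fetch_token()
            status, body = self._transport("GET", url, {"Authorization": f"Bearer {self._token}"}, None)
        return status, body


def make_fake_operatorapi():
    # Constructed stand-in for the OperatorAPI: issues tokens and rejects revoked ones
    state = {"issued": 0, "valid": set()}
    def transport(method, url, headers, body):
        if method == "POST" and url == TOKEN_URL and body == b"grant_type=client_credentials" \
                and headers.get("Authorization", "").startswith("Basic "):
            state["issued"] += 1
            state["valid"] = {f"tok-{state['issued']}"}  # a new token revokes the previous one
            return 200, json.dumps({"access_token": f"tok-{state['issued']}", "expires_in": 3600}).encode()
        if headers.get("Authorization", "")[len("Bearer "):] in state["valid"]:
            return 200, b'{"tokens": []}'
        return 401, b""
    return transport, state
```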