Authenticating Using OAuth

Introduction

The platform currently supports OAuth authentication using either the client credential or authorisation code grant types.


Please see https://oauth.net/2/grant-types/ for more details on the various OAuth grant types.
With both grant types, the end result is an access token that should be included in the Authorization header for API calls.

Creating an OAuth User

Before authenticating, it is necessary to create an OAuth user.

This can be achieved by clicking on the "Create OAuth User" button in User Manager.



The available scopes can be seen in the "System Permissions" section for each user and are referred to as "Resources". The scope name is displayed in light grey underneath the resource title.

Using the Client Credentials Grant


When the client credentials grant is used, API calls have access only to the resources (companies, users, system permissions, etc.) enabled for the OAuth user in question.

An access token can be produced by sending a POST request to the OAuth token endpoint.

For example:

  curl -F"client_id=..." -F"client_secret=..." -F"grant_type=client_credentials" -F"scope=..." https://oauth.custom-gateway.net/token

A successful request will return a JSON-encoded object with an access_token field.
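As an added example (not part of the platform's documentation or of any client library it ships), a small Python client that performs the client credentials request above and re-uses the returned access token until it expires, so the secret is sent to the token endpoint only when a fresh token is actually needed. It assumes the token endpoint returns the standard OAuth 2.0 fields (expires_in on success, error on failure) and that the Authorization header uses the Bearer scheme; the client_id, client_secret and scope values and the fake_token_server stand-in are constructed for demonstration.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth.custom-gateway.net/token"  # token endpoint named on the page


def post_form(url, fields, transport=None):
    """POST form-encoded fields; `transport` lets a test supply an offline stand-in."""
    body = urllib.parse.urlencode(fields).encode()
    if transport is not None:
        return transport(url, body)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class ClientCredentialsSession:
    """Fetches an access token with the client credentials grant and re-uses it until expiry."""

    def __init__(self, client_id, client_secret, scope, transport=None, clock=time.time):
        self._fields = {"client_id": client_id, "client_secret": client_secret,
                        "grant_type": "client_credentials", "scope": scope}
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        # Refresh 30 s early so a call in flight does not go out with a stale token.
        if self._token is None or self._clock() >= self._expires_at - 30:
            reply = post_form(TOKEN_URL, self._fields, self._transport)
            if "access_token" not in reply:  # failures carry an "error" field (RFC 6749 s5.2)
                raise RuntimeError("token request failed: " + str(reply.get("error", "unknown")))
            self._token = reply["access_token"]
            # expires_in is assumed present; fall back to one hour when it is not (assumption).
            self._expires_at = self._clock() + float(reply.get("expires_in", 3600))
        return self._token

    def auth_header(self):
        # Bearer scheme (RFC 6750); the page only says "the Authorization header" (assumption).
        return {"Authorization": "Bearer " + self.access_token()}


def fake_token_server(url, body):
    """Constructed offline stand-in for the token endpoint, used only for demonstration."""
    fields = dict(urllib.parse.parse_qsl(body.decode()))
    if fields.get("grant_type") != "client_credentials" or fields.get("client_secret") != "s3cret":
        return {"error": "invalid_client"}
    return {"access_token": "tok-" + fields["scope"], "token_type": "Bearer", "expires_in": 3600}
```

Against the real endpoint, construct the session without a transport argument and pass session.auth_header() as the headers of each API call.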

Using the Authorization Code Grant


When the authorisation code grant is used, API calls have access to all resources that the authorising user has access to, with the exception of system permissions, which are determined by the intersection of the OAuth user's permissions and the authorising user's permissions.

Many online tools such as Zoho Analytics and Zapier make use of the authorization code grant.

When using such tools, use the following values: