Introducing OAuth 2.0 Support
The 4me service now offers support for the OAuth 2.0 Authorization Code flow. This flow makes it possible for developers to have their application ask a user for permission to access 4me on behalf of the user.
When a user grants an application permission, the application gets two temporary access tokens to make use of 4me’s APIs. The access that these tokens give the application is limited to the access that the user has in 4me. This access is further restricted to the scope defined by the 4me administrator who registered the application in 4me.
Administrators can register applications in 4me by going to the Settings console and opening the new ‘Applications’ section. When registering an application, the scope of the application’s access to 4me needs to be defined. Later, when a user gives the application access to 4me, the application’s access to 4me will be limited to the access afforded by the user’s 4me roles, and this access is further limited to the scope defined by the developer who registered the application in 4me.
After registering the application in 4me, the administrator has the opportunity to copy the client ID as well as the client secret. The client secret will only be displayed this one time, so it is important to copy it and to store it somewhere safe.
With the application registered in 4me, a developer is now able to establish the integration between the application and 4me.
The authorization flow that this integration will rely on works as follows:
1. A user clicks on a login or authorization link within the third-party application. The third-party application now needs to retrieve data that the user is allowed to access in 4me.
2. The third-party application redirects the user to perform an authorization request against the /oauth/authorize endpoint of 4me to retrieve an authorization code. At this point, the application passes the following information to 4me:
   - the client ID of the application record in 4me
   - the redirect URI – this is the web address to which the user is sent after access is granted.
3. 4me checks if the user has previously authorized the third-party application to access 4me.
   If authorization was already provided, the flow continues with step 5.
   If not, 4me will show the user an authorization prompt.
4. The authorization prompt asks the user to either ‘Deny’ or ‘Allow’ the third-party application access to 4me.
   If the user denies, the flow ends.
   If the user allows access, this authorization is registered in 4me.
5. 4me generates an authorization code and returns this code to the third-party application as part of the redirect URL.
6. The third-party application performs an access token request against 4me’s /oauth/token endpoint to request an access token and a refresh token. The following data is provided by the application:
   - the client ID of the application record in 4me,
   - the client secret of the application record in 4me,
   - the authorization code the application received from 4me in step 5, and
   - the redirect URI that was provided in step 2.
7. 4me then generates a temporary access token and a refresh token.
   The access token allows the third-party application to retrieve data from 4me on behalf of the user. An access token is valid only for 1 hour.
   The refresh token allows the third-party application to retrieve a new access token and refresh token when the access token expires. A refresh token is valid for 2 weeks.
   4me returns these two tokens to the third-party application.
8. The third-party application uses the tokens to make 4me API requests.
9. 4me returns API responses to the third-party application.
10. The third-party application uses the data received in the API responses to render a page for the user or perform a background action.
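The application side of steps 2, 5, 6 and 7 above, as an added example that is not 4me's own code or documentation. It assumes a placeholder host, that 4me accepts the standard RFC 6749 parameter names (`response_type`, `client_id`, `redirect_uri`, `state`, `grant_type`, `code`, `client_secret`), and that 4me echoes the `state` value back on the redirect as the standard requires; the page itself names only the endpoints, the client ID, the client secret, the code and the redirect URI.

```python
"""Client-side steps of the Authorization Code flow described above.

Assumptions (not stated on the page): the host is a placeholder, and 4me
accepts the standard RFC 6749 parameter names (response_type, client_id,
redirect_uri, state, grant_type, code, client_secret). Nothing here talks
to the network; the functions build and check the messages of each step."""
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://ACCOUNT.example.invalid"  # placeholder for the 4me host
ACCESS_TOKEN_TTL = 60 * 60              # page: access token valid for 1 hour
REFRESH_TOKEN_TTL = 14 * 24 * 60 * 60   # page: refresh token valid for 2 weeks


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 2: the /oauth/authorize request carrying the client ID and redirect URI.
    `state` is a random value kept in the user's session so the redirect back in
    step 5 can be tied to the request that started it (standard OAuth 2.0 practice)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{BASE_URL}/oauth/authorize?{urlencode(params)}"

def code_from_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 5: pull the authorization code out of the redirect URL. A missing or
    mismatching state means this session did not start the flow, so the code is
    not used."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect not tied to this session")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return query["code"][0]

def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str) -> dict:
    """Step 6: body of the POST to /oauth/token. The client secret is only ever
    added here, on the server side of the application, never in browser code."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri}

def token_state(issued_at: float, now: float, margin: int = 60) -> str:
    """Step 7 bookkeeping: what to do with tokens issued at `issued_at`."""
    age = now - issued_at
    if age >= REFRESH_TOKEN_TTL:
        return "reauthorize"  # refresh token gone after 2 weeks: back to step 1
    if age >= ACCESS_TOKEN_TTL - margin:
        return "refresh"      # access token about to hit its 1-hour limit
    return "valid"
```

Because a user can revoke the authorization at any time from ‘Access & Security’, the application must also treat a rejected API request as a signal to restart the flow, not rely on these timers alone.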
It is important to point out that after a user has permitted a third-party application to access 4me in step 4, the user is able to see this in the ‘Access & Security’ section when the user opens ‘My Profile’ in 4me.
This is also where users can revoke the permissions they provided to third-party applications. When a user revokes the authorization from an application, the access tokens that the application obtained from 4me for the user immediately stop working.
More information about the OAuth 2.0 Authorization Code flow can be found on the 4me Developer website.