OAuth 2.0 Authorization
Hub implementation of OAuth 2.0 supports several authentication/authorization flow. To access resources of Hub itself and services connected to Hub, a client should obtain an access token. The flow that the client may use depends on:
- What information the client has (service credentials / user credentials).
- Where from the client access resources (from a browser / from the server side / from a standalone application).
What Flow to Use?
You develop... | Flow to use | Required parameters | Additional requirement |
---|---|---|---|
A rich client web application with all authorization logic in browser | Implicit flow | service id | Handle in browser request with a grant from Hub |
A web application with the authorization login on the server side | Authorization Code flow | service id , service secret | Handle request with a grant from Hub server on server side |
A desktop or a mobile application able to request authorization token non-interactively | Refresh Token flow | service id , service secret | Handle request with a grant from Hub server on server side |
A script that needs to access resources on behalf of itself | Client Credentials flow | service id , service secret | None |
A script that needs to access resources on behalf of some user | Resource Owner Password Credentials flow | service id , service secret , username and password | None |
What Information You Should Have
Parameter | Is it required? | Description |
---|---|---|
Client service ID | Always | An identifier (ID) of the service associated with the client in Hub. |
Client service secret | Depends on flow | A secret for the service associated with the client in Hub. |
Scope | Always | An ID of the registered in Hub service associated with the resource server. For example, if the client wants to access issues in YouTrack, it should find out the id of YouTrack service in Hub. The client can access more then one resource server with a single access token. In this case, the Scope is the space-separated list of the IDs of the services registered in Hub. |
Client redirect URI | Depends on flow | An URI at the client application that can handle response from authorization server (Hub). |
Username | Depends on flow | End-user's username, or id, or email. |
Password | Depends on flow | End-user's password. |
Register Client as a Service
To enable authorization you should register your client as a Hub service. You can do it either in
administrative UI or
programmatically.
Basically, you just send POST
request on /services
URL and get credentials of the newly
created service in response.
Sample script for registering client as a service
The following sample script considers Hub to be installed to https://hub.company.com
and a client
OAuth 2.0 service - to https://myservice.company.com
.
Request
POST /api/rest/services?fields=id,secret HTTP/1.1
Host: hub.company.com
Accept: application/json
Content-Type: application/json
{
"name": "My Service",
"homeUrl": "https://myservice.company.com",
"redirectUris": ["https://myservice.company.com/authorized"],
"applicationName": "My Service",
"vendor": "Company Inc.",
"version": "1.0"
}
Response
{
"id": "98071167-004c-4ddf-ba37-5d4599fdf319",
"secret": "eAUyKgVfhSbV"
}
You can later use service's id
and secret
for authorization.
Service in Hub can be either trusted or not. If a service is trusted, then it can access Hub resource servers on behalf of itself. Also, when a user is sent from the trusted service to authorize himself, the user sees no additional warning.