Skip to main content

How do I secure interfaces with OAuth2.0?

Updated

OAuth2.0 is an authentication method that allows access to an application without the need to share a password. You log in to a so-called "authority service," which then issues an access ticket (token). In this case, your d.vinci system serves as the "authority service." This token allows the application to access specific data without requiring a password to be entered in the application.

The advantage of OAuth2.0 is that authentication and functionality can be separated. For example, a user can generate a token with System A, securely transfer it to System B, and use it there. System B does not need to know the password.

OAuth2.0 supports various "flows" (processes). Currently, we have implemented the Client Credentials Flow, which is specifically designed for machine-to-machine communication. Other flows are currently not supported.

Required permission

  • API user | view/edit/create/delete

Proceed as follows

1. Switching an API user to oAuth2.0

Important: Choose an API user who only has the necessary permissions. 

  1. Open the page Users. A list of all users is displayed.
  2. Click on the API user for whom you want to activate OAuth2. The user page with the user's settings is displayed.
  3. Click on one of the edit icons   to edit the data.
  4. Enable the Oauth2 option.
  5. Enter in the field Access Token TTL (minutes) how many minutes the generated token should be valid.
  6. Click the Update button to save the changes.

2. Generating an API token

The API token is required as the "client_secret" and, together with the "client_id" (API user username), is a unique identifier for the API user. It will be used in the next phase to request the access token.

  1. Click the red Generate API token button. A window with the same name opens in the foreground.
  2. Click the Generate API token button. A code will be displayed in the window.
  3. Manually copy the API token and save it in a location where you can easily retrieve it later.

3. Requesting the access token

Using the combination of client_id (API username) and client_secret (API token), the API user authenticates with the OAuth2.0 server. The server verifies the credentials and issues an access token upon successful verification.

Command line example (curl):

curl -X POST "https://jobboard.exampleclient.com/plt/oauth2/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=" \
-d "client_secret="


4. API call with access token

Use the access token to send requests to the REST API or OData interface.

Command line example (curl):

curl -X GET "https://jobboard.exampleclient.com/restApi/dvinciUsers/" \
-H "Authorization: Bearer " \
-H "Content-Type: application/json"

Related to

Related articles