Qeo Open Source Project Documentation : Using OAuth 2.0 to Access Qeo Rest API

Qeo uses the OAuth 2.0 protocol to authorize applications to access the Qeo Rest API on behalf of a Qeo administrator. OAuth lets an application do this without the administrator having to share their credentials (typically a username and password pair) with the application. OAuth is a widely implemented protocol, used by companies such as Facebook, Twitter, Google, Microsoft and Dropbox to protect their APIs.

The Qeo OAuth server uses OpenID to authenticate individual Qeo administrators. Any OpenID provider that implements the OpenID protocol correctly can be used. The OAuth server presents an OpenID provider selection page, which can be skipped if the application itself specifies the OpenID provider.

The Qeo OAuth server supports the following grant types:

  • Authorization Code Grant
  • Implicit Grant

Implicit vs. Authorization Code

The Implicit Grant type immediately provides the client with a token to access the Rest API. Once this token expires, the user has to log in again to give the client access to the Rest API.

The flow of the Authorization Code Grant type is more complex: the client first receives an authorization code, which it then exchanges for an access token. Along with the access token, the client receives a refresh token, which can be used to obtain a new access token without any further user interaction.

The Implicit Grant type is more suitable for applications that need short-term access to the Rest API. If your application needs to access the Rest API over a longer period of time, the Authorization Code Grant type is probably the better choice.

More details on the differences between the two grant types can be found in RFC 6749.
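The client-side handling of the two grant types described above, as an added example that is not part of the Qeo documentation or code base. The authorization endpoint URL, the client id, the redirect URI and the `openid_provider` parameter name are assumptions; the response formats and token-endpoint parameters follow RFC 6749.

```python
# Client-side handling of the two Qeo OAuth 2.0 grant types (RFC 6749).
# Added example: AUTHORIZE_URL, client_id values and the openid_provider
# parameter name are placeholders, not Qeo's documented values.
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://oauth.example.invalid/authorize"  # placeholder
# response_type selects the grant (RFC 6749 sections 4.1.1 and 4.2.1)
RESPONSE_TYPES = {"implicit": "token", "authorization_code": "code"}


def build_authorize_url(grant, client_id, redirect_uri, state, openid_provider=None):
    """URL the client sends the administrator to; state is a fresh random value."""
    params = {"response_type": RESPONSE_TYPES[grant], "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if openid_provider:  # hypothetical parameter to skip the OpenID selection page
        params["openid_provider"] = openid_provider
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(grant, redirect_url, expected_state):
    """Read the grant result off the redirect the browser lands on.
    Implicit puts the token in the URL fragment (never sent to the server);
    Authorization Code puts a one-time code in the query string."""
    parsed = urlparse(redirect_url)
    raw = parsed.fragment if grant == "implicit" else parsed.query
    fields = {k: v[0] for k, v in parse_qs(raw).items()}
    # state must round-trip unchanged, or the response is not a reply to a
    # request this client made (CSRF protection) and is discarded
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch")
    if "error" in fields:
        raise ValueError("authorization failed: " + fields["error"])
    if grant == "implicit":
        # no refresh token: once this expires the administrator logs in again
        return {"access_token": fields["access_token"],
                "expires_in": int(fields.get("expires_in", "0")),
                "refresh_token": None}
    return {"code": fields["code"]}


def token_request(client_id, redirect_uri, code=None, refresh_token=None):
    """Form body for the token endpoint: exchange the code (section 4.1.3) or,
    later, use the refresh token to renew access with no user interaction (section 6)."""
    if refresh_token is not None:
        return {"grant_type": "refresh_token", "refresh_token": refresh_token,
                "client_id": client_id}
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id}
```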

Overview

An in-depth overview is given in the following pages:
