We have used the API of some organization for some time, but now they are starting to use OAuth2 for authentication. Their API is completely used programmatically by our application. So now we have to authenticate with OAuth2 so we can use their API again.
I am a little confused about this authentication process. Is there a way to authenticate with OAuth programmatically? It says that when authenticating, the user will be asked to log in before continuing with authentication. How do you achieve this login purely from code? Or do you need to authenticate first using a browser and then use the access token for further requests from the application? What is the typical process of OAuth2 authentication for this scenario?
EDIT: There is only one user that is the account used for our application for accessing their data. That user is registered on their end as the consumer of the API.
You are confusing different OAuth flows. The flow where a user authenticates is usually the authorization_code flow, whereas the one you want to use should be the client_credentials flow.
Let's call your application 'A' and the organization whose service you're consuming 'B'.
In the client_credentials flow, A will send its client_id and client_secret to B's authorization server. This server will return an access token that you can now use to call B's resource server (the service itself).
+---------------+          +------------------+
| Application A |    1     |  Authorization   |
|               +----------+      server      |
+---------------+    2     +------------------+

+---------------+          +------------------+
| Application A |    3     | Resource Server  |
|               +----------+                  |
+---------------+    4     +------------------+
The token request usually has this format:

POST /token HTTP/1.1
Host: authorization-server.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
But some may opt to enforce the other option: passing the client information in the Authorization header:

POST /token HTTP/1.1
Host: authorization-server.com
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
Here, base64 is the function, not the literal string.
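The client_credentials exchange described in the answer above, as an added example that is not part of the original post: it builds the token request in both styles and reuses the token until shortly before it expires. The `/token` URL, the `TokenCache` class and its `send` hook are assumptions for illustration; real credentials should come from a secret store, not source code.

```python
import base64, json, time
from urllib.parse import quote_plus, urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://authorization-server.com/token"  # assumed endpoint

def build_token_request(client_id, client_secret, use_basic=True, url=TOKEN_URL):
    """Build the client_credentials token request in either style shown above."""
    form = {"grant_type": "client_credentials"}
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if use_basic:
        # RFC 6749 section 2.3.1: form-encode id and secret before joining with ':'
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        # Credentials travel in the request body instead of the header
        form.update(client_id=client_id, client_secret=client_secret)
    return Request(url, data=urlencode(form).encode(), headers=headers, method="POST")

class TokenCache:
    """Fetch a token once and reuse it until shortly before it expires."""
    def __init__(self, client_id, client_secret, send=None, skew=30):
        self._creds = (client_id, client_secret)
        # Default transport performs the real HTTPS call; tests can inject a stub
        self._send = send or (lambda req: json.load(urlopen(req, timeout=10)))
        self._skew, self._token, self._expires_at = skew, None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            body = self._send(build_token_request(*self._creds))
            self._token = body["access_token"]
            # A missing expires_in is treated as "already expired": refetch next time
            self._expires_at = now + float(body.get("expires_in", 0))
        return self._token

    def authorize(self, req, now=None):
        """Attach the bearer token to a request for the resource server."""
        req.add_header("Authorization", "Bearer " + self.get(now))
        return req
```

Calls to B's service then go through `cache.authorize(Request(api_url))`, so no browser login is involved at any point.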