- You already have a public app or an in-house app and that app has been approved or connected.
- You already know about OAuth 2.0 authentication and authorization (see OAuth 2.0).
- You already know about OAuth 2.0 auth flows (see OAuth 2.0 Auth flows).
Your client app has its own credentials for authenticating to the Tiki Marketplace. But to access protected resources inside the Tiki Marketplace through the APIs, your client app needs an access token, and it must send that access token (not the client secret) along with each API request.
To obtain an access token, your client app must take part in an auth flow, exchanging authorization with the other parties (the authorization server and the resource owner). Your client app acts as the client in these flows, so it must perform the steps of a flow before it can obtain an access token.
The following documentation provides guides and code examples (in Java) for implementing the auth flows.
The guides are organized by application type and by several of the most common scenarios for that type of application, so you can easily choose the appropriate auth flow and the guide for implementing it.
First, determine which type of application you are using: public or in-house.
Then check the common scenarios we list for that application type. If your situation matches one of them, you can use our guide to implement that auth flow for your client app.
Auth flow guide for public application
With a public app, you may have to implement three different auth flows for different scenarios. The following guides help you implement, for each scenario, the auth flow your client app needs to obtain an access token.
1. Authorization code flow
Scenarios: Your client app does not have an access token, or the access token it has does not carry enough permission for what the client app needs. For example:
- A new seller accesses the client app and the client app has not yet obtained that seller's access token.
- The access token has been revoked.
- The access token is insufficient for the client app's needs, and your client app must request authorization from the user with a new scope to obtain the additional permission.
2. Refresh token
Scenarios: Your client app has an access token and a refresh token, but the access token has expired. Your client app uses the refresh token to obtain a new access token without requesting authorization from the user again.
3. Client credentials
Scenarios: Your public app may have resources of its own in the Tiki Marketplace Platform, and your client app can access those resources by authenticating itself. An important example of an app resource is event queues.
Auth flow guide for in-house application
With an in-house app, you only have to implement one auth flow to obtain an access token: client credentials.
Scenarios: Because your in-house app is connected to the seller's store, it has all the permissions the seller has, so your client app can access all of the seller's resources by authenticating itself.
What must the client app do?
First, it is very important that you read OAuth 2.0 Auth flows to understand the role of the client app.
Then, declare your client app's credentials and the OAuth2 provider configuration. This configuration comprises:
- Client app credentials: the client id and client secret.
- OAuth2 provider endpoints: the auth endpoint, token endpoint, user info endpoint, and the token endpoint authentication method.
You can build the app from scratch, without libraries or frameworks, by making the appropriate API requests to exchange authorization with the authorization server (the OAuth2 provider). The OAuth2 Auth flows document above also gives the details of the request URLs and API requests used to interact with the OAuth2 provider.
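As an added example (not code from this page, from Tiki, or from any of the libraries named below), the following Python script shows what such a scratch client sends in the three flows listed above, the authorization code flow, the refresh token flow and the client credentials flow, and how the scenario list decides which one to start. The `CONFIG` dict holds the client credentials and provider endpoints you are asked to declare; every id, secret, URL and scope in it is a constructed placeholder. `MockProvider` is an in-process stand-in for the authorization server so the exchange runs offline; it is a toy, not a description of how the Tiki provider behaves, and the function and parameter names are this example's own.

```python
import base64
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Client credentials and OAuth2 provider configuration the page says to declare (placeholders).
CONFIG = {
    "client_id": "demo-client-id",
    "client_secret": "demo-client-secret",
    "redirect_uri": "https://client.example/callback",
    "auth_endpoint": "https://provider.example/oauth/authorize",
    "token_endpoint": "https://provider.example/oauth/token",
    "user_info_endpoint": "https://provider.example/oauth/userinfo",
    "token_endpoint_auth_method": "client_secret_basic",  # HTTP Basic at the token endpoint
}

def client_auth_headers(cfg):
    """client_secret_basic: id:secret goes to the token endpoint only, never to resource APIs."""
    raw = f"{cfg['client_id']}:{cfg['client_secret']}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

class MockProvider:
    """In-process stand-in for the authorization server (a toy, not the Tiki provider) so the
    exchange runs offline; it checks client auth, redirect_uri and single use of codes."""

    def __init__(self, cfg, access_ttl=60):
        self.cfg, self.ttl = cfg, access_ttl
        self.codes = {}      # code -> (redirect_uri, scope)
        self.refreshes = {}  # refresh_token -> scope

    def authorize(self, url):
        """Auth endpoint with the seller's consent; returns the callback query parameters."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        assert q["response_type"] == "code" and q["client_id"] == self.cfg["client_id"]
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["redirect_uri"], q.get("scope", ""))
        return {"code": code, "state": q["state"]}

    def _issue(self, scope, with_refresh):
        tok = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
               "expires_in": self.ttl, "scope": scope}
        if with_refresh:
            tok["refresh_token"] = secrets.token_urlsafe(24)
            self.refreshes[tok["refresh_token"]] = scope
        return tok

    def token(self, headers, form):
        """Token endpoint serving the three grant types the page lists."""
        if headers.get("Authorization") != client_auth_headers(self.cfg)["Authorization"]:
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)  # a code is single use
            if entry is None or entry[0] != form.get("redirect_uri"):
                return {"error": "invalid_grant"}
            return self._issue(entry[1], with_refresh=True)
        if grant == "refresh_token":
            scope = self.refreshes.get(form.get("refresh_token"))
            return {"error": "invalid_grant"} if scope is None else self._issue(scope, False)
        if grant == "client_credentials":  # the app's own resources, e.g. event queues
            return self._issue(form.get("scope", ""), with_refresh=False)
        return {"error": "unsupported_grant_type"}

def choose_flow(token, needed_scope, own_resource=False):
    """Map the page's scenarios to a flow, given the token the client currently holds."""
    if own_resource:
        return "client_credentials"
    if token is None or token.get("revoked"):
        return "authorization_code"
    if not set(needed_scope.split()) <= set(token["scope"].split()):
        return "authorization_code"  # insufficient scope: ask the seller again with new scope
    if time.time() >= token["expires_at"]:
        return "refresh_token" if "refresh_token" in token else "authorization_code"
    return "none"  # the current token is still usable

def _remember(tok):  # store the token with an absolute expiry for choose_flow
    return {**tok, "expires_at": time.time() + tok["expires_in"]}

def authorization_code_flow(provider, cfg, scope):
    state = secrets.token_urlsafe(16)  # ties the callback to this request
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": cfg["redirect_uri"], "scope": scope, "state": state}
    callback = provider.authorize(cfg["auth_endpoint"] + "?" + urlencode(params))
    if "error" in callback or callback.get("state") != state:
        raise RuntimeError(callback.get("error", "state mismatch"))
    form = {"grant_type": "authorization_code", "code": callback["code"],
            "redirect_uri": cfg["redirect_uri"]}
    return _remember(provider.token(client_auth_headers(cfg), form))

def refresh_token_flow(provider, cfg, token):
    form = {"grant_type": "refresh_token", "refresh_token": token["refresh_token"]}
    new = provider.token(client_auth_headers(cfg), form)
    if "error" in new:
        return None  # refresh token no longer valid: fall back to the authorization code flow
    new.setdefault("refresh_token", token["refresh_token"])  # the provider did not rotate it
    return _remember(new)

def client_credentials_flow(provider, cfg, scope):
    form = {"grant_type": "client_credentials", "scope": scope}
    return _remember(provider.token(client_auth_headers(cfg), form))
```

Against a real provider, each `provider.token(headers, form)` call becomes an HTTP POST of `form` (URL-encoded) to `CONFIG["token_endpoint"]` with those headers, and `provider.authorize(url)` becomes a browser redirect of the seller to the auth endpoint followed by a callback to `redirect_uri`. The points a hand-written client has to get right are visible here: the client secret is only ever sent to the token endpoint, the `state` value is checked on the callback, the `redirect_uri` sent with the code must match the one used in the authorization request, and a failed refresh drops the client back to the authorization code flow rather than retrying forever.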
However, it is better to use an OAuth2 client library (a CLIENT library, not an OAuth2 provider) to perform the authorization code flow for your client app: it is safer and faster, and it removes boilerplate from your code, which makes maintenance easier.
OAuth2 client libraries are available in a variety of languages. For example:
- With Java, we have Spring Security, Restlet Framework (draft 30), oauth2-essentials, Google OAuth Java Client, …
- With PHP, we have league/oauth2-client, oauth-api, …
- With .Net we have OWIN Middleware, …
- And many other languages
| Code sample | Link Source Code | Libraries |
| --- | --- | --- |
| Java/Spring: Authorization code flows | README.md | Spring Security, Spring OAuth2 Client |
In cases where you do not want to use an OAuth2 client library, or you only need to implement the client credentials grant for an in-house app, see the following tutorials or the linked GitHub repository.