Authentication

Håkon André Knudsen edited this page Sep 25, 2019 · 2 revisions

The RamBase API is secured using the OAuth 2.0 standard. Only registered clients can access the API. Depending on the application being built there will be different authentication flows to choose between.

The RamBase API uses two-factor authentication where possible.

There are 4 different authorization flows you can choose between:

Server-side web application flow: This flow is used when the client is a web application server. The client secret and refresh token must never be leaked to the browser (or native client), where the user may have access to them. When a client logs in on the login page provided by RamBase, you get an authorization code, which must then be exchanged for an access token. This flow is also known as the Authorization Code flow. You can use it even if your application is not itself a server-side web application, as long as the application uses a backend that is a server-side application.

Client-side web application flow: This flow is also called the Implicit Grant flow. It should be used when only temporary access to data is required. The OAuth client runs in the browser (using JavaScript/Flash/Silverlight). Refresh tokens are not allowed in this flow, but we support sliding expiration of the access token. When you use this flow you do not get an authorization code, and you do not have a client secret.

Resource owner password flow: When using this flow you exchange the username/password for an access token directly. Because the resource owner's password is exposed to the application, this flow should be used sparingly. It is recommended only for first-party "official" applications released by the API provider (JHC), and not open to wider third-party developer communities. Refresh tokens are not allowed, but we support sliding expiration.

Client credentials flow: This flow is used when the client is acting on behalf of the application itself, typically a server login. The client id and client secret are exchanged for an access token. It is extremely critical that the client secret and access token are kept highly confidential. Refresh tokens are not supported. If the access token expires, the server asks for a new access token directly without using a refresh token.
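The two server-side flows above (the Authorization Code flow and the Client Credentials flow) are shown together in the following added example. It is not code from this wiki or from RamBase: the endpoint URLs are placeholders, the token endpoint is a constructed in-process fake so the code runs offline, and the HTTP transport is injectable. It demonstrates the two points the page stresses: the client secret is only ever sent in a backend-to-backend request (together with a state check on the callback), and the client-credentials session simply asks for a new access token when the old one expires instead of using a refresh token.

```python
"""OAuth 2.0 client helpers for the two server-side flows described on this
page. Standard library only; the token endpoint is injectable so the example
runs offline. Endpoint URLs are hypothetical placeholders, not RamBase's."""
import json
import secrets
import time
import urllib.parse
import urllib.request

AUTH_ENDPOINT = "https://auth.example.invalid/authorize"  # placeholder, not RamBase
TOKEN_ENDPOINT = "https://auth.example.invalid/token"     # placeholder, not RamBase


def build_authorization_url(client_id, redirect_uri, state=None, scope=None):
    """Authorization Code flow, step 1: the URL the browser is redirected to.
    `state` is a random per-request value the backend stores in the user's
    session and compares on the callback; it is returned alongside the URL."""
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params), state


def http_post_form(url, fields):
    """Default transport: POST an application/x-www-form-urlencoded body
    over HTTPS and parse the JSON token response."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def exchange_code(code, client_id, client_secret, redirect_uri,
                  returned_state, expected_state, post=http_post_form):
    """Authorization Code flow, step 2: the backend (never the browser)
    exchanges the code for tokens. The client secret appears only here,
    in a server-to-server request the user's browser never sees."""
    if not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: callback not started by this session")
    return post(TOKEN_ENDPOINT, {"grant_type": "authorization_code", "code": code,
                                 "redirect_uri": redirect_uri, "client_id": client_id,
                                 "client_secret": client_secret})


class ClientCredentialsSession:
    """Client Credentials flow: there is no refresh token, so when the cached
    access token is within `skew` seconds of expiry a brand-new one is
    requested with client id + client secret. `clock` is injectable for tests."""

    def __init__(self, client_id, client_secret, post=http_post_form,
                 clock=time.time, skew=30):
        self._client_id, self._client_secret = client_id, client_secret
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0
        self.token_requests = 0  # how many times the token endpoint was called

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            resp = self._post(TOKEN_ENDPOINT, {"grant_type": "client_credentials",
                                               "client_id": self._client_id,
                                               "client_secret": self._client_secret})
            self._token = resp["access_token"]
            self._expires_at = self._clock() + float(resp.get("expires_in", 0))
            self.token_requests += 1
        return self._token


FAKE_SECRET = "s3cret"  # constructed secret accepted by the fake endpoint
_issued = []            # counter so each fake token is distinct and deterministic


def fake_token_endpoint(url, fields):
    """Constructed stand-in for a token endpoint (not RamBase's). It rejects
    requests without the right client secret and echoes the grant type."""
    assert url == TOKEN_ENDPOINT
    if fields.get("client_secret") != FAKE_SECRET:
        return {"error": "invalid_client"}
    _issued.append(fields["grant_type"])
    return {"access_token": f"tok-{fields['grant_type']}-{len(_issued)}",
            "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    url, state = build_authorization_url("cid", "https://app.example.invalid/cb")
    print("redirect browser to:", url)
    print(exchange_code("abc", "cid", FAKE_SECRET, "https://app.example.invalid/cb",
                        state, state, post=fake_token_endpoint))
```

Swap `fake_token_endpoint` for the default `http_post_form` (and the placeholder URLs for the real ones) to talk to a real authorization server; the code path is otherwise unchanged.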