Migration OAuth2 Best Practices
Old World Authentication
The old world authentication is a hybrid oauth2 implementation which has an endpoint that looks like this
/net2/oauth2/
Client applications are identified by a
ConsumerKey
andSecret
pair. Sometimes these are referred to asclient_id
andclient_secret
.Access Tokens in the old world have a 12 months expiry period and refresh tokens live forever. This is typically not a good security practice and goes against the Oauth2 standards.
Tokens that are being used by clients today are issued for WSADMINs, meaning all tokens have administrative access.
New World Authentication
Oauth2
The Turium Enigma new Oauth2 implementation follows the established Oauth2 Authorization Framework RFC : https://tools.ietf.org/html/rfc6749
This new service has an endpoint of
/oauth2/v0/token
Unlike the old world auth, access tokens have a 1 hour expiry and refresh tokens have a 6 months expiry. This is in accordance to the best practice of using short lived tokens.
This would mean that clients would need to perform token management.
Getting Started
Getting clientID / clientSecret
Work with the Turium Enigma implementation team to obtain a new oauth2
client_id
andclient_secret
and to define the scope of client’s application.Process will take no longer than 48 hours.
Implementation Team will respond with new
client_id
,client_secret
, company’srefreshToken
andexpiry date
.Client stores and configures application with this info.
Client applications should store the following tokens and data in their application.
Refresh Token
: This token can change although most of the time this value is the same. Client applications should treat all returned refresh tokens as new values and overwrite the stored values with the new values you get from the response.Refresh Token Expiry
: This date should be checked by a daily script and ensure that a refresh_grant is made to keep the refresh token alive indefinitely. If company policy dictates that the token should be allowed to expire, then you can skip this step. Once a refresh token has expired, clients would need to contact Turium Enigma’s Implementation team to get a new company token.
Token Management
Calling APIs with
accessTokens
All APIs within Turium Enigma require the calling application present an
accessToken
in the Header using the “Bearer” keyword.Example:
Refreshing expired
accessTokens
Since
accessTokens
have a one hour expiry, clients would need to get a newaccessToken
before any API call is made.In order to obtain a new
accessToken
, clients should call Oauth2 using therefresh_grant
and providing the oldrefreshToken
and other additional fields.In the error handling code, clients need to handle
accessToken
expiry errors. If theaccessToken
is expired in the middle of processing, the following should happen:Code should call Oauth2’s
refresh_grant
to get a newaccessToken
Overwrite the existing
refreshToken
with the new one.Update
expiry date
forrefreshToken
Retry the API call.
Handling errors
There are a few error codes that client applications should be aware of.
403 Forbidden
: Requesting for tokens for users who cannot be requested for. Usually for companies that are not authorized by their administrators.The bulk of errors will be returned as 400 errors and the response contains a
code
anddescription
. Client applications should look for these values to determine what to do next.
CodeDescComment05
Incorrect credentials.
clientID / secret not correct, or authtoken/password not correct
10
Account is disabled
14
Account is locked
16
User lives elsewhere
There will be a geolocation field in the response to this error message. Use this as the base URL and retry the call.
54
Invalid Scope
requested scope exceeds what is permitted.
Last updated