An application that makes requests to the GeoOp API must include an Authorization header carrying a unique access token, so that each request can be authenticated and the correct access permissions applied to that application.

The access token can be obtained from the GeoOp Authentication Server via the OAuth 2.0 protocol.

OAuth 2.0

OAuth 2.0 is an open authorisation protocol, which provides a way for a GeoOp user to delegate certain permissions to a third-party application without having to enter their credentials (login/password) via the application interface.

Roles

The protocol defines the following four roles:

  1. Resource Owner – a registered GeoOp user (employee, manager, company, administrator, etc.) or a system service.
  2. Resource Server – a GeoOp web server (https://api.geoop.com) with access to the GeoOp database.
  3. Client – a native or third-party application or website utilising the GeoOp API.
  4. Authentication Server – a GeoOp web server (https://login.geoop.com) responsible for authenticating incoming requests and issuing authorisation codes and access tokens (see below).

Client Types

A client can be one of the following types:

  1. Confidential – a client that is capable of keeping its credentials (client ID and client secret) confidential (e.g. third-party servers with restricted access).
  2. Public – a client that is not capable of keeping client credentials confidential (e.g. mobile/browser applications).

Grant types

The protocol provides four ways for a client to get an access token:

  1. Authorisation Code Grant – the client redirects the resource owner to the login page, receives an authorisation code from it via the redirect link and exchanges that code for an access token.
  2. Implicit Grant – a simplified (and less secure) method where the client receives the access token directly via the redirect link.
  3. Resource Owner Password Credentials Grant – the client does not redirect the resource owner to the login page and provides a native login form instead. For security reasons, this grant type is not available to third-party applications.
  4. Client Credentials Grant – the client acts as an independent entity (i.e. not on the resource owner's behalf) and therefore uses its own credentials to obtain the access token.

Using SSL/TLS Security Layer

Since the access token acts as a session identifier and is used by the GeoOp Resource Server to load the associated resource owner and client identities and permissions, it is crucial that this token is transferred only over a secured connection. Therefore, both the Authentication Server and the Resource Server require all requests to be made over a secured HTTPS connection.
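The Authorisation Code Grant described under "Grant types", the Bearer Authorization header from the opening paragraph, and the HTTPS-only requirement above, walked through client-side as an added example. This is not GeoOp's own code: the endpoint paths /oauth/authorize and /oauth/token, the parameter names (taken from RFC 6749), the client ID, secret and redirect URI, and the stand-in Authentication Server functions are all assumptions constructed for offline illustration; GeoOp's real endpoints are not documented on this page.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_SERVER = "https://login.geoop.com"      # from the page
RESOURCE_SERVER = "https://api.geoop.com"    # from the page
AUTHORIZE_PATH = "/oauth/authorize"          # ASSUMED path, not documented on the page
TOKEN_PATH = "/oauth/token"                  # ASSUMED path, not documented on the page


def require_https(url: str) -> str:
    """The access token is a session identifier, so every endpoint that carries it
    (or the code that becomes it) must be HTTPS; anything else is refused outright."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS endpoint: {url}")
    return url


def new_state() -> str:
    """Unguessable per-request value binding the redirect back to this client session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Step 1: the client redirects the resource owner to the login page."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": require_https(redirect_uri),
        "scope": scope,
        "state": state,
    }
    return require_https(AUTH_SERVER + AUTHORIZE_PATH) + "?" + urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 2: the authorisation code arrives via the redirect link. Reject it unless
    the state matches what this session issued (cross-site request forgery defence)
    and surface any error the server reported instead of a code."""
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect was not issued for this session")
    if "error" in query:
        raise PermissionError(query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carried no authorisation code")
    return code


def token_request(code: str, client_id: str, client_secret: str, redirect_uri: str) -> dict:
    """Step 3: what a confidential client POSTs to exchange the code for a token.
    The client secret travels only in this server-to-server call, never via the browser."""
    return {
        "url": require_https(AUTH_SERVER + TOKEN_PATH),
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
            "client_id": client_id,
            "client_secret": client_secret,
        },
    }


def bearer_header(access_token: str) -> dict:
    """Step 4: the header every Resource Server request must carry (RFC 6750)."""
    return {"Authorization": f"Bearer {access_token}"}


# --- constructed stand-in for the Authentication Server, for offline illustration only ---
_ISSUED_CODES: dict = {}


def simulated_login_redirect(authorization_url: str) -> str:
    """Pretend the resource owner logged in and approved: echo the state, issue a one-time code."""
    query = parse_qs(urlparse(authorization_url).query)
    code = secrets.token_urlsafe(16)
    _ISSUED_CODES[code] = (query["client_id"][0], query["redirect_uri"][0])
    return query["redirect_uri"][0] + "?" + urlencode({"code": code, "state": query["state"][0]})


def simulated_token_endpoint(request: dict) -> str:
    """Accept a code only once and only from the client and redirect_uri it was issued to
    (a real endpoint also authenticates the client secret, omitted in this stand-in)."""
    data = request["data"]
    issued = _ISSUED_CODES.pop(data["code"], None)
    if issued != (data["client_id"], data["redirect_uri"]):
        raise PermissionError("invalid_grant")
    return "constructed-access-token-" + secrets.token_hex(8)


def run_flow(client_id: str = "demo-client", client_secret: str = "demo-secret",
             redirect_uri: str = "https://client.example/callback", scope: str = "read") -> dict:
    """End-to-end: login redirect -> code -> token -> Authorization header for api.geoop.com."""
    state = new_state()
    redirect = simulated_login_redirect(build_authorization_url(client_id, redirect_uri, scope, state))
    code = parse_redirect(redirect, state)
    token = simulated_token_endpoint(token_request(code, client_id, client_secret, redirect_uri))
    return bearer_header(token)


if __name__ == "__main__":
    print(run_flow())
```

The two checks worth keeping in a real client are the ones this example enforces: the state comparison in parse_redirect, which stops an attacker from injecting a code they obtained into another user's session, and the single-use, client-bound code check on the token endpoint, which is why a leaked code is worth much less than a leaked token.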

See Also

OAuth 2 Website

RFC 6749 – OAuth 2 Specification

RFC 6750 – Bearer Token Usage Specification