-
Notifications
You must be signed in to change notification settings - Fork 1
User Authentication
API calls that view non-public data, or modify data, are protected by OAuth 2.0.
Use the OAuth 2.0 Implicit Grant flow to request an authorization token, and supply this as a .
We recommend you get things working first with a local ABE instance, or on the development server.
- Redirect the user to
/oauth/authorize
, with the query parametersresponse_type=token
, andredirect_uri
. for example,http://abe.instance/ouath/authorize?response_type=token&redirect_uri=http://localhost:3000/oauth/callback
. (The production instance also requires aclient_id
parameter.) - The user signs in and authorizes the app.
- ABE redirects the user agent to the URL specified as the value of
redirect_uri
, with a hash that specifies the access token and a token type of bearer. For example,http://localhost:3000/oauth/callback#access_token=…&token_type=bearer
. (The hash will contain additional parameters, so you need to extract the access token in a general way, for example using the regular expression[#&]access_token=([^&]+)
.) - Supply this token in subsequent API calls:
Authorization: Bearer {access_token}
.
ABE also tries to set a cookie, so you may not need to present the bearer token. This hasn't been fully tested with cross-origin applications.
Ask the ABE development team to create an ABE App for you. You will need to supply a list of redirect URI prefixes. (For the example above, you could supply either http://localhost:3000/oauth/callback
or just http://localhost:3000/
.) You will receive a client id, for use in the /oauth/authorize
call above.
/user
gives information about the currently-authorized user.