DRACOON Cloud-Status:

Jetzt verfügbar:  VirenschutzMehr Infos

Beiträge in diesem Abschnitt

OAuth 2.0 example

  • Aktualisiert
Folgen

Introduction

The DRACOON API is protected by OAuth. For information about OAuth, see: https://oauth.net/2, https://tools.ietf.org/html/rfc6749

Before you can start to use OAuth, you have to create an OAuth client. Article OAuth 2.0 Client Registration describes how to create an OAuth client.

 

OAuth endpoints

- Authorization endpoint: https:/[host]/oauth/authorize
- Token endpoint: https://[host]/oauth/token

 

Authorization code flow example

This flow is for applications where users don't want to share their credentials with an application. Instead of requesting authorization directly, the application directs the user to an authorization server where the user authorizes the application. Afterward, the user is redirected back to the application with an authorization code that can be used to retrieve an access/refresh token.

See: https://tools.ietf.org/html/rfc6749#section-4.1

1Create/build authorization URL

The following parameters must be added to the authorization URL:

  • response_type=code
  • client_id=example-client (Your client ID.)
  • redirect_uri=https://app.example.com/oauth/cb (Your registered redirect URI.)
  • state=xyz (A string you can use to map authorization request and callback.)

Result:

https://dracoon.team/oauth/authorize?response_type=code&
   client_id=example-client&
   state=xyz&
   redirect_uri=https%3A%2F%2Fapp%2Eexample%2Ecom%2Foauth%2Fcb

2Open authorization URL in the browser

To allow a user to authorize your app, he/she must be sent to the authorization server. (The URL should be opened in the system browser. An integrated web view is not recommended.)

3Receive authorization callback and extract code

After the user has authorized your app, you receive a callback to the registered redirect URI, which contains the authorization code. It might look like this:

- Web app: https://app.example.com/oauth/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

(- Mobile app: app-example://oauth/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz)

4Exchange code for tokens

To get an access/refresh token, you must use the token endpoint.

Request:

(You must use your client ID and client secret to authenticate. See: https://en.wikipedia.org/wiki/Basic_access_authentication)

POST /oauth/token HTTP/1.1
Host: dracoon.team
Authorization: Basic ZXhhbXBsZS1jbGllbnQ6ZXhhbXBsZS1zZWNyZXQ=
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=SplxlOBeZQQYbYS6WxSbIA&
redirect_uri=https%3A%2F%2Fapp%2Eexample%2Ecom%2Foauth%2Fcb

Response:

Status: 200 OK
Content-Type: application/json

{
  "access_token": "b1b735fe-4767-3299-9b37-594f512cf553",
  "token_type": "bearer",
  "refresh_token": "2f3a47a6-b5f4-4761-e99f-badf7011425b",
  "expires_in": 3599,
  "scope": "all"
}

5Call API

After you have received the access token, you can call a DRACOON API. The access token must be supplied in the authorization header. (The refresh token can be used to retrieve a new access token. See: https://tools.ietf.org/html/rfc6749#section-6)

Request:

GET /api/v4/nodes HTTP/1.1
Host: dracoon.team
Authorization: Bearer b1b735fe-4767-3299-9b37-594f512cf553

 

Password flow example

This flow is for application/scripts where there is a high degree of trust. It allows the application/script to directly get access/refresh tokens with the user's credentials.

Notice: Neither RADIUS nor OpenID Connect credentials can be used here. Furthermore, this flow does not work if two-step authentication is used.

See: https://tools.ietf.org/html/rfc6749#section-4.1

1Retrieve tokens

To get an access/refresh token, you must use the token endpoint.

Request:

(You must use your client ID and client secret to authenticate. See: https://en.wikipedia.org/wiki/Basic_access_authentication)

POST /oauth/token HTTP/1.1
Host: dracoon.team
Authorization: Basic ZXhhbXBsZS1jbGllbnQ6ZXhhbXBsZS1zZWNyZXQ=
Content-Type: application/x-www-form-urlencoded

grant_type=password&
username=example-username&
password=example-password

Response:

Status: 200 OK
Content-Type: application/json

{
  "access_token": "35feb1b7-47b3-6799-3297-f55942cf5153",
  "token_type": "bearer",
  "refresh_token": "47a2f3a6-f4b5-7641-9fe9-ba011df7425b",
  "expires_in": 3599,
  "scope": "all"
}

2Call API

After you have received the access token, you can call a DRACOON API. The access token must be supplied in the authorization header. (The refresh token can be used to retrieve a new access token. See: https://tools.ietf.org/html/rfc6749#section-6)

Request:

GET /api/v4/nodes HTTP/1.1 
Host: dracoon.team Authorization: Bearer 35feb1b7-47b3-6799-3297-f55942cf5153

If you are looking for further examples, this blog post shows you how to use the password flow with PowerShell, Java, and cURL.

Verwandte Beiträge

Kommentare

0 Kommentare

Bitte melden Sie sich an, um einen Kommentar zu hinterlassen.