...

2. Request Authorisation

Once the client has been added, the external client needs to send the user to the following page on Rogo, e.g.

https://<your rogo server>/api/authorise.php?response_type=code&client_id=<your client id>&state=<random string>

The 'state' parameter preserves a value set by the client in the authorisation request and hands it back to the client in the response. Its main security purpose is to stop Cross-Site Request Forgery (CSRF): an attacker who cannot guess the value cannot craft a response the client will accept, so the value must be unguessable and tied to the user's session.

An example would be an HMAC of the session cookie, or a random value stored on the server and linked to the session.


The user is then required to log in to Rogo as the user linked to the client account created in step 1.

The logged-in user will then be asked to authorise, for the client, the access rights granted in step 1.

An authorisation code will then be generated and returned to the client by redirecting the user's browser to the client's URL, for example:

https://www.example.com/?code=a40c0bda3ec51090de84818263039c985f0a44e1&state=xyz

If the client verifies that the returned 'state' value matches the one it stored for this session, it will reject authorisation responses that were generated from requests made by third-party attackers trying to log the user in in the background without the user's knowledge. The code is short-lived and single-use, so the client should exchange it for tokens (step 3) straight away.
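The following is an added example of the client side of this step; it is not part of Rogo and not code from this page. It generates an unguessable 'state' from the OS CSPRNG, stores it in the client's session, builds the authorise.php URL shown above, and on the redirect back verifies the state (single use, constant-time compare) before accepting the code. The server name, client id and the session dict are placeholders and assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values; substitute your own Rogo server and client id.
ROGO_SERVER = "rogo.example.org"
CLIENT_ID = "your-client-id"


def build_authorise_url(server: str, client_id: str, session: dict) -> str:
    """Create an unguessable state, remember it in the client's session,
    and return the Rogo authorisation URL to send the user to."""
    state = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    session["oauth_state"] = state
    query = urlencode({"response_type": "code",
                       "client_id": client_id,
                       "state": state})
    return f"https://{server}/api/authorise.php?{query}"


def handle_callback(callback_url: str, session: dict) -> str:
    """Validate the redirect back from Rogo and return the authorisation code.

    Raises ValueError if the state is missing or does not match the one stored
    for this session; that is how a forged (CSRF) response is rejected.
    """
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use: pop, never get
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        raise ValueError("no state to verify; rejecting response")
    # Constant-time comparison so the check itself does not leak the value.
    if not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch; rejecting response")
    codes = params.get("code")
    if not codes:
        raise ValueError("authorisation response carried no code")
    return codes[0]


if __name__ == "__main__":
    session = {}                                 # stands in for a real server-side session
    url = build_authorise_url(ROGO_SERVER, CLIENT_ID, session)
    print("send the user to:", url)
    # Constructed redirect back from Rogo (not a real response), using the page's sample code.
    good = ("https://www.example.com/?code=a40c0bda3ec51090de84818263039c985f0a44e1"
            f"&state={session['oauth_state']}")
    print("code:", handle_callback(good, session))
```

Because the stored state is popped on first use, a replayed callback fails even if it carries the right value; keep the session server-side so an attacker cannot plant their own state.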

...

3. Request Access and Refresh Tokens

The client site then uses the authorisation code to request an access token, authenticating with its client id and secret key via HTTP Basic authentication. For example the request:

curl -u <your client id>:<your secret key> https://<your rogo server>/api/requesttoken -d grant_type=authorization_code -d code=a40c0bda3ec51090de84818263039c985f0a44e1

Would get a response like:

<?xml version="1.0"?>
<response>
    <access_token>2bfbfd8a0d3d2b93bf37a1472a413ed3e1a1d80c</access_token>
    <expires_in>1209600</expires_in>
    <token_type>Bearer</token_type>
    <scope/>
    <refresh_token>9224f41003b7195e306bf9d8fa050b7124bf040d</refresh_token>
</response>


The access token can then be used to call the web services until it expires; expires_in is in seconds, so the 1209600 above is 14 days. The refresh token can be used to obtain a new access token until the refresh token itself expires.


From then on you can obtain a new access token and a new refresh token using your current refresh token, which saves having to log in and authorise again. Each refresh returns a new refresh token, so replace the stored one. Treat the refresh token and the client secret like passwords: keep them server-side and out of logs and URLs. For example:

curl -u <your client id>:<your secret key> https://<your rogo server>/api/requesttoken -d grant_type=refresh_token -d refresh_token=9224f41003b7195e306bf9d8fa050b7124bf040d
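As an added example, not Rogo's own client code, the following builds the two /api/requesttoken calls shown above (the Basic authorisation header that curl -u produces, and the form body for the authorization_code and refresh_token grants), parses Rogo's XML reply into a token record with an absolute expiry, and decides when a refresh is due. The server, client id and secret are placeholders; the sample reply is the one printed on this page, embedded so the example runs offline.

```python
import base64
import ssl
import time
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Hypothetical values; substitute your own.
ROGO_SERVER = "rogo.example.org"
CLIENT_ID = "your-client-id"
CLIENT_SECRET = "your-secret-key"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Equivalent of `curl -u id:secret` (HTTP Basic client authentication)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(server, client_id, client_secret, grant_type, **params):
    """Return (url, headers, body) for /api/requesttoken without sending it."""
    body = urlencode({"grant_type": grant_type, **params}).encode()
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return f"https://{server}/api/requesttoken", headers, body


def parse_token_response(xml_bytes: bytes, now: float) -> dict:
    """Parse Rogo's XML token response into a dict with an absolute expiry time."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "response":
        raise ValueError(f"unexpected root element {root.tag!r}")

    def text(tag):
        el = root.find(tag)
        return el.text if el is not None and el.text else None

    access = text("access_token")
    if not access:
        raise ValueError("response carried no access_token")
    expires_in = int(text("expires_in") or 0)       # seconds, per the page
    return {"access_token": access,
            "token_type": text("token_type"),
            "refresh_token": text("refresh_token"),
            "scope": text("scope"),                  # <scope/> parses as None
            "expires_at": now + expires_in}


def needs_refresh(token: dict, now: float, margin: float = 60.0) -> bool:
    """True when the access token has expired or expires within `margin` seconds."""
    return now + margin >= token["expires_at"]


def send_token_request(url, headers, body) -> dict:
    """POST a prepared request over verified TLS and parse the reply (needs network)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()           # verifies the server certificate
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_token_response(resp.read(), time.time())


# Constructed sample reply, copied from the response shown on this page.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<response>
    <access_token>2bfbfd8a0d3d2b93bf37a1472a413ed3e1a1d80c</access_token>
    <expires_in>1209600</expires_in>
    <token_type>Bearer</token_type>
    <scope/>
    <refresh_token>9224f41003b7195e306bf9d8fa050b7124bf040d</refresh_token>
</response>
"""

if __name__ == "__main__":
    url, headers, body = build_token_request(
        ROGO_SERVER, CLIENT_ID, CLIENT_SECRET, "authorization_code",
        code="a40c0bda3ec51090de84818263039c985f0a44e1")
    print(url, body)                              # what step 3's first curl sends
    tok = parse_token_response(SAMPLE_RESPONSE, now=time.time())
    print(tok)
    # Later, when the access token is near expiry, switch to the refresh grant:
    url, headers, body = build_token_request(
        ROGO_SERVER, CLIENT_ID, CLIENT_SECRET, "refresh_token",
        refresh_token=tok["refresh_token"])
    print(url, body)
```

send_token_request deliberately has no way to disable certificate verification: the reply carries bearer credentials, so a client that accepts any certificate hands them to whoever sits on the path.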


...

4. Web Services

The client can then call the web services in a POST request, passing the access token as the access_token query parameter, for example as below. Two cautions: a token in the query string is recorded in web-server and proxy logs, so keep those logs protected; and the -k flag in the example turns off certificate verification, which is only acceptable against a local test server with a self-signed certificate. Against a real Rogo server drop -k, otherwise anyone on the path can read the token.

curl -k https://<your rogo server>/api/coursemanagement?access_token=f35371fc284defeaf3f1d273f73e992a8ce74fc4 -H "Content-Type:text/xml" -d "<courseManagementRequest xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xsi:noNamespaceSchemaLocation=\"https://localhost/api/schema/coursemanagement/managementrequest.xsd\">
    <create id=\"str1234\">
        <name>rogotest</name>
        <description>rogo test</description>
        <school>test</school>
        <faculty>test</faculty>
    </create>
</courseManagementRequest>"
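The curl example above splices the course fields into a quoted string by hand. As an added example that is not part of Rogo, the following builds the same courseManagementRequest document with ElementTree, so that caller-supplied values such as the course name are escaped instead of being able to inject extra elements, and posts it with the access token as the query parameter over verified TLS. The server name and access token are placeholders; the schema location is the one from the page's example.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("xsi", XSI)
# Schema location as given in the page's example; adjust for your server.
SCHEMA = "https://localhost/api/schema/coursemanagement/managementrequest.xsd"

# Hypothetical values; substitute your own.
ROGO_SERVER = "rogo.example.org"
ACCESS_TOKEN = "f35371fc284defeaf3f1d273f73e992a8ce74fc4"


def build_course_request(course_id, name, description, school, faculty) -> bytes:
    """Build <courseManagementRequest> with a single <create>.

    Values go in as element text, so '<', '>' and '&' are escaped by the
    serialiser; a hostile name cannot close the element and add another <create>.
    """
    root = ET.Element("courseManagementRequest")
    root.set(f"{{{XSI}}}noNamespaceSchemaLocation", SCHEMA)
    create = ET.SubElement(root, "create", id=course_id)
    for tag, value in (("name", name), ("description", description),
                       ("school", school), ("faculty", faculty)):
        ET.SubElement(create, tag).text = value
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_course_request(body: bytes) -> dict:
    """Read back the fields of a request built above (used to check escaping)."""
    root = ET.fromstring(body)
    create = root.find("create")
    out = {"id": create.get("id")}
    for child in create:
        out[child.tag] = child.text
    return out


def course_management_url(server: str, access_token: str) -> str:
    """URL for the call, with the token as the access_token query parameter."""
    return f"https://{server}/api/coursemanagement?" + urlencode({"access_token": access_token})


def post_course_request(server: str, access_token: str, body: bytes) -> bytes:
    """POST the XML with Content-Type text/xml over verified TLS (needs network).

    There is deliberately no equivalent of `curl -k`: the request carries a
    bearer token, so the server certificate must be checked.
    """
    req = urllib.request.Request(course_management_url(server, access_token),
                                 data=body, headers={"Content-Type": "text/xml"},
                                 method="POST")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    body = build_course_request("str1234", "rogotest", "rogo test", "test", "test")
    print(body.decode())
    # A name that would have broken out of the hand-quoted curl version:
    hostile = build_course_request("x", 'a<b&c</name><create id="z"/>', "d", "s", "f")
    print(hostile.decode())
    print(parse_course_request(hostile)["name"])   # comes back as plain text, one <create>
```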


...