Authentication for Sandbox APIs

This guide explains how to obtain JSON Web Tokens (JWTs) from our IdentityServer using either the Client Credentials flow or the Authorization Code flow.

 

Client Credentials Flow

The Client Credentials flow is a server-to-server flow typically used by backend applications where no user is directly involved. It is suitable when an application needs to access its own resources or services under its own identity rather than on behalf of a user.

 

Key Characteristics

Participants: This flow involves two parties - the client application and the authorization server.

Usage: Ideal for accessing a service's API to utilize its own resources.

Authentication: The client authenticates with the authorization server using its own credentials, like a client ID and client secret.

Token: Upon successful authentication, the authorization server issues an access token.

Security: Since no user is involved, this flow is not susceptible to attacks that exploit user interaction, such as phishing. Its security instead rests entirely on keeping the client secret confidential.

 

Process

  1. The client sends a request to the authorization server with its credentials.

  2. The server validates these credentials.

  3. If valid, the server issues an access token.

  4. The client uses this token to access the protected resources.

     

Authorization Code Flow

Authorization Code Flow is designed for applications that are capable of securely storing secrets and are typically used in scenarios involving end-users. This is one of the most common and secure methods to enable applications to access an API on behalf of a user.

Key Characteristics

Participants: Involves three parties - the client application, the end-user, and the authorization server.

Usage: Suited for applications needing to perform actions on behalf of a user.

Redirection: Users are redirected to an authorization server for login and consent.

Tokens: Involves two credentials - a short-lived, one-time authorization code and an access token.

Security: Offers enhanced security through the separation of roles, and because the user enters their credentials only at the authorization server, the application never sees them.

 

Process

  1. The user initiates the flow by requesting access to a resource.

  2. The application redirects the user to the authorization server.

  3. The user logs in and consents to the application's access request.

  4. The server issues an authorization code to the application.

  5. The application then exchanges this code with the server for an access token.

  6. Finally, the application uses the access token to access the user's resources.
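The following is a minimal client for both processes above, written as an added example in Python; it is not the sandbox's own SDK. The host name is a placeholder, while the /connect/authorize and /connect/token paths are IdentityServer's default endpoints.

```python
import json
import secrets
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder host (assumption); /connect/authorize and /connect/token are the
# IdentityServer default endpoint paths.
AUTHORIZE_URL = "https://identity.sandbox.example/connect/authorize"
TOKEN_URL = "https://identity.sandbox.example/connect/token"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

def client_credentials_request(client_id, client_secret, scope):
    """Steps 1-3 of the Client Credentials flow: one POST carrying the client's
    own credentials. No user is involved, so protecting the secret is the
    whole security story; only ever send it over TLS."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope}).encode()
    return Request(TOKEN_URL, data=body, headers=FORM, method="POST")

def authorize_redirect(client_id, redirect_uri, scope):
    """Step 2 of the Authorization Code flow: the URL the user's browser is sent
    to. The random state is kept in the user's session and checked on return."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def state_matches(returned_state, expected_state):
    """Constant-time comparison; a mismatch means the code did not come from the
    redirect this session started, so it must not be exchanged."""
    return secrets.compare_digest(returned_state, expected_state)

def code_exchange_request(client_id, client_secret, code, redirect_uri,
                          returned_state, expected_state):
    """Step 5: exchange the one-time code for an access token. The redirect_uri
    must equal the one used in the redirect or the server rejects the request."""
    if not state_matches(returned_state, expected_state):
        raise ValueError("state mismatch: authorization code discarded")
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret}).encode()
    return Request(TOKEN_URL, data=body, headers=FORM, method="POST")

def fetch_token(request):
    """Send either request; the JSON response carries the access_token JWT,
    its token_type and expires_in (network call, not exercised offline)."""
    with urlopen(request) as resp:
        return json.load(resp)
```

The access token returned by fetch_token is a JWT that the sandbox API validates on every call; the client only needs to present it as a bearer token and request a new one when expires_in runs out.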

 

In Summary

The Client Credentials flow is streamlined for server-to-server interactions without user involvement, focusing on service-to-service authorization.

In contrast, the Authorization Code flow is structured for applications requiring user involvement, where the application acts on behalf of the user; it offers a higher level of security because the application never handles the user's credentials directly.

Authentication: Client Credentials