REST API Using OAuth for Authentication

Learn about the FlowWright REST API using OAuth for authentication

Last published at: July 30th, 2024

The FlowWright REST API was traditionally secured using basic authentication with a username and password. FlowWright now also supports OAuth-based authentication. OAuth is secure and popular with web application developers, and many applications (such as Facebook, LinkedIn, Twitter, HubSpot, SugarCRM, and SalesForce) support OAuth authentication.

What is OAuth?

OAuth is an open standard for access delegation. It is commonly used by Internet users to grant websites or applications access to their information without giving out passwords.

How does FlowWright OAuth work?

The diagram below shows the initial token request using the FlowWright REST APIs.


An HTTP POST request is sent to the following URL:

http://localhost:8080/api/token

With the POST request, the following fields and values are sent through the form body:

  • username – FlowWright username
  • password – FlowWright user password

The FlowWright REST API authenticates the user against FlowWright security. If authentication succeeds, a response is sent back in JSON format and looks as follows:

FlowWright OAuth token request


The JSON response contains the following information:

  • access_token – a token for making REST API calls
  • token_type – bearer type token
  • expires_in – expiration in seconds
  • refresh_token – refresh token for requesting tokens in the future
  • refreshTokenExpire – expiration date/time of refresh token in UTC
  • .issued – issued date/time of token in UTC
  • .expires – expiration date/time of token in UTC

Using the “access token” from the above response, calls to the REST API can be made. Call the REST API just as before, but instead of passing the user name and password for authentication, pass the token as a “Bearer” token. Below is a graphic that illustrates the request using the POSTMAN tool:

FlowWright OAuth uses an access token to make REST API calls


Once the request is sent, FlowWright validates the token and, if validation succeeds, invokes the intended REST API method and returns its result in JSON format. In the above case, we called the “getUsers” REST API method, and the following JSON response is returned.

JSON response from REST API call


By default, the “access token” expires after 10 minutes; if it is used after expiry, the REST API returns the result “token expired”. To avoid this, use the “refresh token” to request a new access token. Below is the process:

FlowWright REST API OAuth refresh token request


To request a new token, an HTTP POST request is sent to the same token URL:

http://localhost/cDevWorkflowRESTAPI/api/token

The following information is sent within the request body:

  • grant_type – set the grant type to “refresh_token”
  • refresh_token – pass the refresh token received from the first token call

The FlowWright REST API validates the refresh token and, if it is valid, returns a JSON response similar to the one before:


The new “access token” can now be used to make REST API calls to FlowWright. By default, the refresh token is valid for 30 days. All dates/times used for tokens are in UTC format. The default expiration values for an access token and refresh token can be changed within the “Web.config” file of the FlowWright REST API.
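The full exchange described above, as an added example that is not FlowWright's code: a constructed, in-memory stand-in for the token endpoint and the “getUsers” call, plus a client that presents the bearer token and falls back to the refresh grant when it receives “token expired”. The token values, the server's response shape and the error strings other than “token expired” are assumptions; the 10-minute and 30-day defaults and the field names follow the text.

```python
# Added, constructed example (not FlowWright's): FakeTokenServer stands in for /api/token and getUsers.
import secrets
from datetime import datetime, timedelta, timezone

ACCESS_TTL, REFRESH_TTL = timedelta(minutes=10), timedelta(days=30)   # page defaults
NOW = datetime(2024, 7, 30, 12, 0, tzinfo=timezone.utc)             # constructed clock


class FakeTokenServer:
    def __init__(self, users, now=NOW):
        self.users, self.now = users, now           # clock is injectable to exercise expiry
        self.access, self.refresh = {}, {}          # token -> expiry (UTC), as the page states

    def _issue(self):
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at], self.refresh[rt] = self.now + ACCESS_TTL, self.now + REFRESH_TTL
        return {"access_token": at, "token_type": "bearer",
                "expires_in": int(ACCESS_TTL.total_seconds()), "refresh_token": rt,
                ".issued": self.now.isoformat(), ".expires": self.access[at].isoformat(),
                "refreshTokenExpire": self.refresh[rt].isoformat()}

    def token(self, form):                          # POST /api/token with a form body
        if form.get("grant_type") == "refresh_token":
            exp = self.refresh.pop(form.get("refresh_token"), None)   # single use
            if exp is None or exp <= self.now:
                return 400, {"error": "invalid_grant"}
            return 200, self._issue()
        if self.users.get(form.get("username")) != form.get("password"):
            return 401, {"error": "invalid_grant"}
        return 200, self._issue()

    def get_users(self, headers):                   # protected call, expects Bearer auth
        scheme, _, tok = headers.get("Authorization", "").partition(" ")
        exp = self.access.get(tok) if scheme == "Bearer" else None
        if exp is None:
            return 401, {"error": "invalid_token"}
        if exp <= self.now:
            return 401, {"error": "token expired"}
        return 200, {"users": sorted(self.users)}


def fetch_users(server, tokens):
    # Client side: on "token expired", redeem the refresh token once and retry.
    code, body = server.get_users({"Authorization": "Bearer " + tokens["access_token"]})
    if code == 401 and body.get("error") == "token expired":
        code, fresh = server.token({"grant_type": "refresh_token",
                                    "refresh_token": tokens["refresh_token"]})
        if code != 200:
            raise PermissionError("refresh token rejected; log in again")
        tokens.update(fresh)                        # caller keeps the new token pair
        code, body = server.get_users({"Authorization": "Bearer " + fresh["access_token"]})
    return code, body
```

Because the access token is the credential for every later call, a deployment should serve the token endpoint and the API over HTTPS rather than the plain http:// URLs shown above; the offline model makes no transport assumptions.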

Because most REST APIs are stateless, each call must perform authentication and validation. We have enhanced the REST API to be "stateful" to maintain user sessions. With these enhancements to the REST API, we can achieve higher throughput and performance, shorter execution times, and more efficient development.

These generated OAuth tokens can also be used for authentication in other parts of the FlowWright application, especially in the Microservices and Configuration Manager user interfaces.