# Overview

The OAuth 2.0 protocol provides a secure, open, and simple standard for authorizing access to user resources. Unlike earlier authorization methods, OAuth 2.0 does not expose the user's account credentials (such as username and password) to the third party: a third-party application can request authorization for the user's resources without ever handling the user's username and password.

BambooCloud IDaaS Identity Cloud Platform supports the internationally standardized OAuth 2.0 protocol. Third-party application systems can quickly integrate with the Identity Cloud Platform by following the OAuth protocol, keeping the entire user login and authentication process secure.

# Interface Specification

Third-party applications accessing BambooCloud IDaaS via OAuth and calling APIs must adhere to the following rules:

| Rule Item | Description |
| --- | --- |
| Transmission Protocol | To ensure communication security, HTTPS with a one-way (server-authenticated) TLS handshake is used. |
| Data Format | The data returned by BambooCloud IDaaS to third-party applications is in JSON format. |
| Certificate Requirement | Because the HTTPS handshake is one-way, third-party applications only need to trust the BambooCloud IDaaS server certificate; no client certificate is required. |

# Support for Multiple Grant Types

BambooCloud IDaaS supports the various grant types defined in the OAuth 2.0 protocol specification. Developers of third-party application systems can choose the grant type that fits their system.

| Grant Type | Usage Scenario Description |
| --- | --- |
| Standard Authorization Code Grant | The most secure and most commonly used mode for web application integration. After the user authorizes, the application receives an authorization code and exchanges the code for a token. |
| PKCE Grant | For desktop software, mobile apps and other public clients that cannot securely store a client secret and therefore cannot use the standard authorization code grant. Where no secret can be used, the PKCE grant reduces the risk of authorization code interception attacks against public clients. |
| Implicit Grant | Compared with the standard authorization code grant, this mode omits the step of obtaining a code. It is suitable for browser-based applications. |
| Resource Owner Password Credentials Grant | Not recommended, because the client may store the user's password. Used only for highly trusted applications. |
| Client Credentials Grant | The Machine-to-Machine (M2M) mode of the OAuth protocol, used for authentication and authorization between machines. In M2M mode, one machine authenticates to and is authorized by another without requiring direct user involvement. |
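As an added illustration of how the PKCE grant protects a public client (example code written for this page, not BambooCloud IDaaS code), the following Python shows the client-side verifier and challenge generation per RFC 7636 and the check the authorization server performs at the token endpoint; the endpoint URL and client id are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder endpoint and client id (assumed, not values from the IDaaS documentation).
AUTHORIZE_ENDPOINT = "https://idaas.example.com/oauth2/authorize"
CLIENT_ID = "example-public-client"

def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved chars; 32 random bytes give 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")

def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(verifier: str, redirect_uri: str, state: str, scope: str = "openid") -> str:
    """Client side: only the challenge travels in the front-channel authorization request."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF protection for the redirect back to the client
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization-server side check at the token endpoint.

    The challenge was stored alongside the issued code; the verifier arrives with
    the code in the back-channel token request. Someone who only intercepted the
    code cannot produce a verifier that matches the stored challenge.
    """
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":  # permitted by RFC 7636 but gives no interception protection
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)
```

The verifier never appears in the browser redirect, so a code captured there is useless without it.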

# Terminology

  • Resource Owner: The owner of the resources, simply put, the user who owns the data.
  • Client: The third-party application, the target application system the user needs to log into.
  • Authorization Server: The server responsible for issuing access tokens to third-party applications.
  • Resource Server: The server hosting the protected resources.
  • Authorization Code: The code returned to the client after the user authorizes; the client exchanges it for an access token.
  • Access Token: The token issued by the Authorization Server that the client presents to the Resource Server to access the user's protected resources.
  • ClientId: The unique identifier for the application, an ID uniformly issued by the IDaaS platform.
  • ClientSecret: The secret key corresponding to the ClientId, used to verify the legitimacy of the application when accessing user resources.
  • BambooCloud IDaaS Unified Authentication Center: The Authorization Server, referred to as BambooCloud IDaaS in the following text.
  • User Portal: The portal system provided by BambooCloud IDaaS for enterprise users to centrally access third-party applications.