Security

Cloud4all/GPII offers secure access to user preferences provided by the Cloud-Based Flow Manager (FM) by implementing the OAuth 2.0 Authorization Framework.

OAuth 2.0 Flow

The OAuth 2.0 specification defines several grant types for different usage scenarios; for Cloud4all, we follow the web application flow covered by the “Authorization Code” grant type.

Accessing a user’s preferences using OAuth 2.0 follows these steps:

  1. Redirect the user to request preferences access.
  2. Cloud4all/GPII redirects back to your site.
  3. Exchange the authorization code for an access token.
  4. Use the access token to access the user’s preferences.

Step 1: Redirect the user to request preferences access

The first step is to redirect the user’s browser to Cloud4all/GPII servers to ask the user for authorization.

GET <authorization-server>/authorize

Name           Description
response_type  The value must be set to “code”.
client_id      The solution id.
redirect_uri   The URL on your site where users will be sent after authorization.
state          An unguessable random string. It is used to protect against cross-site request forgery attacks.

Step 2: Cloud4all/GPII redirects back to your site

If the user authorizes the request for access to their preferences, Cloud4all/GPII will redirect the user’s browser back to the provided redirect_uri, passing the following parameters:

Name   Description
code   The authorization code.
state  The value of the state parameter specified in Step 1 above.

The client should check the value of the state parameter against the one that it provided. If the states do not match, the process should be aborted.

Step 3: Exchange the authorization code for an access token

Once the client has the authorization code, it can make a direct call (not using browser redirects) to the Cloud4all/GPII server to exchange the authorization code for an access token.

POST <authorization-server>/access_token

Name           Description
grant_type     The value must be set to “authorization_code”.
code           The authorization code.
redirect_uri   Must match the redirect_uri specified in Step 1.
client_id      The solution id.
client_secret  The solution's client_secret: a confidential shared secret used to verify the identity of the solution.

Response:

The /access_token endpoint will respond with a JSON document of this form:

{
  "access_token": "<access_token>",
  "token_type": "Bearer"
}


For example:

{
  "access_token": "8ea3457bf283db5d34ea5a4079fa36b2",
  "token_type": "Bearer"
}

Step 4: Use the access token to retrieve the user’s preferences

With the access token, we can now retrieve the user’s preferences.

GET <Cloud-Based Flow Manager>/settings

Provide the access token using an “Authorization” header:

Authorization: Bearer <access_token>

For example:

Authorization: Bearer 8ea3457bf283db5d34ea5a4079fa36b2
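The four steps above as one client-side walkthrough, written here as an added example (not Cloud4all/GPII code): it builds the Step 1 redirect, rejects a callback whose state does not match, exchanges the code for a token over a direct POST, and prepares the Bearer request for /settings. The server hosts are placeholders, and the `send` hook on the token exchange is a hypothetical injection point so the flow can be exercised without a live server.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

# Hosts are placeholders: the page names the endpoints, not the actual servers.
AUTH_SERVER = "https://<authorization-server>"
FLOW_MANAGER = "https://<Cloud-Based Flow Manager>"

def new_state():
    """Unguessable per-request value; keep it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)

def authorize_url(client_id, redirect_uri, state, auth_server=AUTH_SERVER):
    """Step 1: the URL the user's browser is redirected to."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{auth_server}/authorize?{query}"

def code_from_callback(callback_url, expected_state):
    """Step 2: pull the code out of the redirect, aborting on a state mismatch."""
    params = parse_qs(urlsplit(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch, aborting the authorization")
    return params["code"][0]

def exchange_code(code, client_id, client_secret, redirect_uri,
                  auth_server=AUTH_SERVER, send=None):
    """Step 3: direct POST to /access_token. `send(url, form) -> body` is a
    hypothetical hook so the exchange can run without a live server."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "client_secret": client_secret}
    if send is None:  # default transport: a real HTTP POST
        def send(url, data):
            req = Request(url, data=urlencode(data).encode(), method="POST")
            with urlopen(req) as resp:
                return resp.read().decode()
    doc = json.loads(send(f"{auth_server}/access_token", form))
    if doc.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: " + str(doc.get("token_type")))
    return doc["access_token"]

def settings_request(access_token, flow_manager=FLOW_MANAGER):
    """Step 4: GET /settings carrying the token in the Authorization header."""
    return Request(f"{flow_manager}/settings",
                   headers={"Authorization": f"Bearer {access_token}"})
```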