This is the sixth post in our topical series on Authentication and Authorization for OCLC web services. In our previous posts, we discussed Access Tokens and the purpose they serve in OCLC’s web service infrastructure. We enumerated several flows which can be used to obtain an Access Token, and posted most recently on the Explicit Authorization Code flow. This post will focus specifically on another of those flows: the User Agent or Mobile flow.
Our implementation treats them as a single flow. But the distinguishing feature is that the client application that needs to get data from OCLC’s web services cannot keep the WSKey’s secret secure. This can happen because all communication happens in a client like a web browser or on an end user’s mobile device. And in either case, you as the developer of the application cannot control the environment in which the API key is operating.
Note: This diagram simplifies the interaction to the client application perspective and removes the details of what happens at the OCLC Authorization Server. More on our "Cooperative Authorization server" in a future post.
Unlike the Explicit Authorization Code Flow, getting an Access Token using the User Agent or Mobile Flow is a single step process. The client must request an AccessToken by building a url to the Authorization Server’s authorization code endpoint that contains the following information:
Then client must redirect the user’s web browser to this URL.
https://authn.sd00.worldcat.org/oauth2/authorizeCode? client_id=jdfRzYZbLc8HZXFByyyLGrUqTOOmkJOAPi4tAN0E7xI3hgE2xDgwJ7YPtkwM6W3ol5yz0d0JHgE1G2Wa &authenticatingInstitutionId=128807&contextInstitutionId=128807 &redirect_uri=http%3A%2F%2Flibrary.worldshare.edu%2Ftest.html&response_type=token&scope=platformConfig
Once the user is redirected they are presented with a login screen in which they must give a valid username and password combination. If the user successfully logs in then the OCLC Authorization Server will redirect the user’s web browser back to the specified redirect URL and pass the information about the Access Token to the client via a URL hash.
http://library.worldshare.edu/test.html#access_token= tk_Kebz4BpEp9dAsghA7KpWx6dYD1OZKWBlHjqP&token_type=bearer &expires_in=1199&expires_at=2013-08-23 18:45:29Z&principalID=cpe4c7f6-f5a4-41fa-35c9-9d59443f544p &principalIDNS=urn:oclc:platform:128807&contextInstitutionId=128807
The second scenario is if you were building a native mobile application that allowed a user to view their checked out items, place holds or renew materials. Like the book request application, this app needs to log a user in to your application. To do this the app needs to open a web browser and redirect the user to the appropriate login page. Once the user is logged in then the app will retrieve the user’s account information and display it.
For more information, please take a look at our updated Authentication and Authorization documentation.
The OCLC Developer Network supports the use of OCLC Web Services—a set of tools and APIs that expose data and services for WorldCat and our member libraries and partner institutions or companies. learn more »
© 2010 OCLC Domestic and international trademarks and/or service marks of OCLC Online Computer Library Center, Inc. and its affiliates