Difference between revisions of "Identity Service"

From LFS Manual
Line 15: Line 15:
 
After Application registration you will receive a Client ID and a Client Secret that you must write down, in order to perform Identity Authentications later on.
 
After Application registration you will receive a Client ID and a Client Secret that you must write down, in order to perform Identity Authentications later on.
  
== Authentication Flows ==
+
== Authentication Grant Types ==
There are 2 flows that can be used, depending on your usage:
+
There are 2 authorization grant types that can be used, depending on your usage:
  
* '''Authorization Code Flow with Proof Key for Code Exchange (PKCE)''', often used with Single Page Applications
+
* '''Authorization Code Grant with Proof Key for Code Exchange (PKCE)''', often used with Single Page Applications
* '''Authorization Code Flow''', used with back end scripts
+
* '''Client Credentials Grant''', used with back end scripts
  
 
=== Single Page Applications ===
 
=== Single Page Applications ===
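Review bot: The new heading "== Authentication Grant Types ==" disagrees with the sentence directly under it, which says "authorization grant types"; OAuth2 names these authorization grants, so the heading should read "== Authorization Grant Types ==". The rename is also incomplete elsewhere on the page: the Application section still says "one for each flow you will be using", which should follow the new "grant type" wording.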

Revision as of 14:59, 22 February 2022

Introduction

The LFS Identity Service, based on OAuth2, allows you to integrate LFS user authentication into your own website. Identity tokens are also required for using the LFS API. The two purposes are often combined: your website can authenticate an LFS user visiting it, in order to perform actions on your website on behalf of that user. These actions are performed using the LFS API. You can also use the LFS API alone via (back end) scripts, to fetch and/or update information related to your own LFS account.

The Application

In order to use the LFS Identity Service, you must always register a so-called Application. An Application is a record of your website that will perform LFS user authentications. Registration of an Application is also required if you only want to use the LFS API in your (back end) scripts.

You must have at least one Application, but it is possible to register multiple Applications used for different purposes.

You can register your Applications at https://www.lfs.net/account/api

An Application is always required for OAuth2 authentications, one for each flow you will be using.

An Application must have a name and one redirect URI pointing to a callback endpoint on your website, to which users return after authentication. A redirect URI is required even if you only use the LFS API for your own (back end) purposes. In that case you can enter a fictional redirect URI.

After Application registration you will receive a Client ID and a Client Secret that you must write down, in order to perform Identity Authentications later on.

Authentication Grant Types

There are 2 authorization grant types that can be used, depending on your usage:

  • Authorization Code Grant with Proof Key for Code Exchange (PKCE), often used with Single Page Applications
  • Client Credentials Grant, used with back end scripts

Single Page Applications

explanation here

Back End Scripting

explanation here

Usage

examples

Single Page Applications

example here

Back End Scripting

example here