Every API request must be authenticated, and every API request must be made over HTTPS. Requests made over plain HTTP will fail.
OAuth2 is required to authenticate.
After registering an application, the app will authenticate to obtain an access token for a given user.
Currently only a single type of user is envisaged.
Details are yet to be worked out; the flow will be something like the following.
- The client initiates the flow via the user agent and redirects the user to the authorization server (Auth0). Auth0 exposes an authorization endpoint for this purpose; see the Auth0 documentation for details on redirecting a user to it.
- Auth0 redirects the user to a login screen, where the user authenticates with an identity provider (for example, using Amazon or Google credentials).
- The authorization server redirects the user back to the client's registered redirect URI with the access_token in the URL hash fragment.
- The client extracts the access token from the hash fragment and checks that the returned state matches the one it sent.
- The client uses the access token to call the resource server on behalf of the user, sending it in the Authorization header as a bearer token.

Note that returning the token in the hash fragment is the OAuth 2.0 implicit grant (response_type=token). It exposes the access token in the URL, and the OAuth 2.0 Security Best Current Practice recommends the authorization code grant with PKCE instead, which Auth0 also supports for browser-based clients; that should be weighed before the details are finalised.