Skip to content

Overview

OAuth 2.0 provides a secure, open, and simple standard for authorizing user resources. Unlike previous authorization methods, OAuth 2.0 authorization does not allow third parties to access the user's account information (such as username and password); that is, third parties can request authorization for the user's resources without using the user's username and password.

BambooCloud IDaaS identity cloud platform supports the international standard OAuth 2.0 protocol. Third-party application systems can quickly integrate with the identity cloud platform according to the OAuth protocol, ensuring the security of the user's login and authentication process.

API Specifications

When third-party applications access BambooCloud IDaaS through OAuth and call APIs, the following rules must be observed:

ParameterDescription
TransmissionTo ensure communication security, HTTPS one-way handshake is used.
Data formatData returned by BambooCloud IDaaS to third-party applications is in JSON format.
Certificate requirementsHTTPS one-way handshake is used; third-party applications only need to trust BambooCloud IDaaS.

Supported Authorization Grants

BambooCloud IDaaS supports multiple authorization grants defined in the OAuth 2.0 protocol. Developers of third-party application systems can choose flexibly according to their actual situation.

Grant TypeDescription
Authorization CodeThis is the most secure and most commonly used mode for Web application integration. After user authorization, the application obtains a code and exchanges it for a token.
PKCEFor desktop software and mobile apps that cannot keep secrets, the standard authorization code mode cannot be used.
The PKCE mode reduces the risk of authorization code interception attacks for public clients.
ImplicitThis mode skips the code retrieval step of the standard authorization code mode and is suitable for browser-based applications.
PasswordThis mode is not recommended because the client may store the user's password. It is suitable for highly trusted applications.
M2MThe M2M (Machine-to-Machine) mode in the OAuth protocol is used for authentication and authorization between machines. In M2M mode, one machine authenticates and authorizes on behalf of another machine without direct user participation.

Terminology

  • Resource Owner: the owner of the resources.
  • Client: the third-party application, i.e., the target application system the user needs to log in to.
  • Authorization Server: the server that issues access tokens to third-party applications.
  • Resource Server: the server that stores protected resources.
  • Authorization Code: authorization code.
  • Access Token: authorization token.
  • ClientId: the unique identifier of the application, the ID issued by the IDaaS platform.
  • ClientSecret: the secret corresponding to the ClientId, used to verify the legitimacy of the application when accessing user resources.
  • BambooCloud IDaaS unified authentication center: i.e., the authorization server, hereinafter referred to as BambooCloud IDaaS.
  • User center: the portal system provided by BambooCloud IDaaS for enterprise users to centrally access third-party applications.

BambooCloud IDaaS Open Platform