Choose an OAuth2 method

OAuth 2.0 is a protocol that allows external applications to request access to private data in a user’s ARTIK Cloud Account without getting their passwords.

To learn about the details of the various authorization flows, see Authentication. This article suggests best practices for choosing an OAuth2 method to obtain a user token or an application token in four scenarios.

See the companion article on choosing the three types of access tokens.

Scenarios

For each scenario, before starting an OAuth2 flow, the application must enable the corresponding authentication method in the "App Info" section of the Developer Dashboard.

In the first three scenarios, the app requires a user to login and then obtains a user token. In the last scenario, the app obtains an application token without involving a user.

Web server applications

A web server application should use the Authorization Code method. This method requires a client secret, which the backend servers of the web app can keep secure.

During the authentication flow, a user is prompted to log in and grant the app access to his/her data on ARTIK cloud services. At the end of the flow, the app receives an access token (user token) and a refresh token.

Once the access token expires, the application refreshes the token to get a new one without requiring the user's interaction.

Refer to Your first Web app for an implementation example.

Installed applications

An application that is installed on devices such as computers, mobile devices, and tablets does not work with backend servers. It is therefore less secure and cannot protect the client secret. In this case, the app should use Authorization Code with PKCE (Proof Key for Code Exchange), which does not require storing a secret. At the end of the flow, the app receives an access token (user token) and a refresh token.

Once the access token expires, the application uses the refresh token to obtain a new one. For token refreshing, the application does not require interaction from the user.

Refer to Your first Android app for specific examples of using the Authorization Code with PKCE.
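The following is an added example (not code from the ARTIK Cloud documentation or SDKs) showing the PKCE pieces an installed app handles: generating the code_verifier, deriving the S256 code_challenge sent in the authorization request, and the check the authorization server performs at the token endpoint. The authorize endpoint, client ID and redirect URI are placeholders, not ARTIK-specific values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url_no_pad(raw: bytes) -> str:
    """base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy code_verifier (43..128 unreserved chars); 32 random bytes -> 43 chars."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, verifier: str, state: str) -> str:
    """Authorization request: only the challenge leaves the device; the verifier stays local."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # CSRF protection; checked when the redirect comes back
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)


def server_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge from the presented verifier and compare.
    Because the verifier never travelled with the authorization code, an intercepted code
    alone cannot be redeemed, which is why no client secret is needed."""
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


if __name__ == "__main__":
    # Placeholder endpoint and identifiers (assumed, not ARTIK values).
    verifier = make_code_verifier()
    url = build_authorization_url("https://auth.example.invalid/authorize",
                                  "PLACEHOLDER_CLIENT_ID", "myapp://callback",
                                  verifier, secrets.token_urlsafe(16))
    print(url)
    print(server_accepts_verifier(make_code_challenge(verifier), verifier))
```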

Applications on limited-input devices

Applications running on a platform with no or limited input, such as a TV or watch, can use the Limited Input method. The platform needs only to be connected and able to display a message to the user. This method requires user interaction and does not require a client secret. At the end of the flow, the app receives an access token (user token) and a refresh token.

Once the access token expires, the application uses the refresh token to obtain a new one. For token refreshing, the application does not require interaction from the user.

Backend server applications

A backend server app uses the Client Credentials method to get an access token (application token) without prompting users. Prompting a user to log in is also not feasible for a backend server. The server app must have a companion user app, where the user can log in. The user app and server app have the same application ID on ARTIK cloud services. Before the server app can access a user's data with an application token, the user must have granted the app permissions on his/her data using the corresponding user application.

Note that the backend server could be part of a web server application.

The token obtained using the Client Credentials method can access data of all users that have granted permissions to the application.

Refresh a token

The app can obtain a new access token by exchanging the refresh_token previously issued during the flow that obtained a user token (i.e. the first three scenarios above). Refreshing tokens does not require user involvement. Please see Refresh a token for more details.