OAuth 2.0 Authentication

      For purposes of client authentication, the DataX Real-Time API relies on an implementation of OAuth 2.0. The API uses OAuth 2.0 authentication and bearer tokens for flexibility.

      The authentication process is illustrated in the following diagram:

      [Diagram: OAuth 2.0 Authentication Workflow]

      Follow these steps:

      Step 1: The external provider calls the ID B2B server to get the access_token, which is valid for 10 minutes.

      Step 2: The provider calls the POST /identity/oauth2/access_token endpoint of ID B2B with a JWT created from the provided client_id and the client credential, passed as the client_assertion.

      Sample Request

      curl -X POST  'https://id.b2b.yahooinc.com/identity/oauth2/access_token' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'grant_type=client_credentials' \
      --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
      --data-urlencode 'client_assertion=<jwt_token>' \
      --data-urlencode 'scope=audience' \
      --data-urlencode 'realm=dataxonline'
      

      Sample Response

      {
            "access_token": "wcf1011c-70fe-4740-b8a1-781d2b4dd3q3",
            "scope": "audience",
            "token_type": "Bearer",
            "expires_in": 599
      }

      Step 3: The client extracts the access_token from the response and makes calls to the DataX Real-Time API /online/audience endpoint with the access_token in the Authorization header.

      Sample Request

      curl -X POST \
        https://dataxonline.yahoo.com/online/audience/ \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer dcf1011c-70fe-4740-b8a1-781d2b4dd3q2' \
        -H 'Content-Type: application/json' \
        -d '{
          "schema": [
            "DXID",
            "IXID",
            "IDFA",
            "SEGMENTS"
          ],
          "data": [
            [
              "DXID1",
              "IXID1",
              "IDFA1",
              "exp=1376244671&seg_id=123456&ts=1376244670;seg3;seg4"
            ],
            [
              "",
              "",
              "IDFA2",
              "seg3;seg5;seg6;seg7"
            ]
          ]
        }'

      Sample Response

      {
        "totalRows": 2,
        "processedRows": 2,
        "invalidRows": 0,
        "exampleInvalidRows": []
      }

      Step 4: The API verifies the client access_token. It first checks whether the client's access_token from the Authorization header of the request is present in the ClientAccessToken cache. If it is found in the cache, we do not call the ID B2B server for access_token verification; the cached value tells us whether the token is valid or invalid.

      However, if the client access_token is not found in the cache, we call the ID B2B server's identity/oauth2/introspect endpoint.

      • admin_access_token is the access token of the DataX online API itself; it is sent as a Bearer token in the Authorization header.

      • client_access_token is the access_token of the client or the external provider, which has to be verified or introspected with the ID B2B server.

      Sample Request

      curl -X POST \
        https://<DATAX_ONLINE_HOST>/identity/oauth2/introspect \
        -H 'Authorization: Bearer <admin_access_token>' \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -d 'token=<client_access_token>&realm=dataxonline'

      Sample Response

      {
       "active": false
      }

      Step 5: The result of the client access_token introspection with ID B2B is saved in the ClientAccessToken cache, keyed by the client access_token, with the response from the ID B2B server as the cache value. The cache expiration is 7 minutes.
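      As an added illustration of steps 4 and 5 (example code, not DataX or ID B2B code): the verification path with the ClientAccessToken cache, where the call to /identity/oauth2/introspect is injected as a function so the example runs offline and both positive and negative introspection results are cached for the 7-minute TTL. The `exp` check is an assumption based on the optional `exp` field RFC 7662 allows in an introspection response; the page's sample response does not show it, but without it a cached "active": true entry can outlive a 10-minute token by up to 7 minutes.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

CACHE_TTL_SECONDS = 7 * 60  # page: ClientAccessToken cache entries expire after 7 minutes


@dataclass
class ClientAccessTokenCache:
    """Caches ID B2B introspection results keyed by the client access_token."""
    introspect: Callable[[str], dict]          # injected: POST /identity/oauth2/introspect
    ttl: int = CACHE_TTL_SECONDS
    clock: Callable[[], float] = time.time     # injectable for testing
    _entries: Dict[str, Tuple[float, dict]] = field(default_factory=dict)
    introspect_calls: int = 0                  # how often ID B2B was actually contacted

    def lookup(self, token: str) -> dict:
        now = self.clock()
        hit = self._entries.get(token)
        if hit is not None and hit[0] > now:
            return hit[1]                      # cache hit: no call to ID B2B
        result = self.introspect(token)        # miss or expired entry: introspect
        self.introspect_calls += 1
        self._entries[token] = (now + self.ttl, result)   # cache valid and invalid alike
        return result

    def is_valid(self, token: str) -> bool:
        result = self.lookup(token)
        if not result.get("active", False):
            return False
        # Assumption: honour RFC 7662's optional "exp" so a cached "active" entry
        # cannot vouch for a token that has already expired.
        exp = result.get("exp")
        return exp is None or exp > self.clock()


def bearer_token_from_header(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; None if absent or malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token or " " in token:
        return None
    return token
```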

