Oauth 2.0 Authentication

For purposes of client authentication, the DataX Real-Time API relies on an implementation of Oauth 2.0. The API uses Oauth 2.0 authentication and barrier tokens for flexibility.

The authentication process is illustrated in the following diagram:

Oauth 2.0 Authentication Workflow

Follow these steps:

Step 1: The external provider calls the ID B2B server to get the access_token, which is valid for 10 minutes.

Step 2: Provider calls the POST /identity/oauth2/access_token endpoint of ID B2B with the JWT token created out of the provided client_id and the client credential.

Sample Request

curl -X POST  'https://id.b2b.yahooinc.com/identity/oauth2/access_token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=<jwt_token>' \
--data-urlencode 'scope=audience' \
--data-urlencode 'realm=dataxonline'

Sample Response

{
      "access_token": "wcf1011c-70fe-4740-b8a1-781d2b4dd3q3",
      "scope": "audience",
      "token_type": "Bearer",
      "expires_in": 599
}

Step 3: The client extracts the access_token from the response and makes calls to the DataX Real-Time API /online/audience endpoint with the access_token in the Authorization header.

Sample Request

 curl -X POST \
         https://dataxonline.yahoo.com/online/audience/
     -H 'Accept: application/json' \
         -H 'Authorization: Bearer dcf1011c-70fe-4740-b8a1-781d2b4dd3q2' \
         -H 'Content-Type: application/json' \
         -d '{
         "schema": [
           "DXID",
           "IXID",
           "IDFA",
           "SEGMENTS"
         ],
        "data": [
          [
           "DXID1",
       "IXID1",
       "IDFA1",
       "exp=1376244671&seg_id=123456&ts=1376244670;seg3;seg4"
         ],
          [
           "",
          "",
          "IDFA2",
          "seg3;seg5;seg6;seg7"
         ]
         ]
}'

Sample Response

{
  "totalRows": 2,
  "processedRows": 2,
  "invalidRows": 0,
  "exampleInvalidRows": []
}

Step 4: The API will verify the client access_token. It first checks if the client’s acces_token in the header of the request is present in the ClientAccessToken cache. If found in the cache, we do not call the IDB2B server for access_token verification. We check the value in the cache to find out if it is valid or invalid.

However, if the client access_token is not found in the cache, we will call the ID B2B server endpoint identity/oauth2/introspect.

• admin_access_token is the access token for DataX online API, which will be sent in the Bearer Authorization header.

• client_access_token is the access_token of the client or the external provider, which has to be verified or introspected with the ID B2B server.

Sample Request

curl -X POST \
 https://<DATAX_ONLINE_HOST>/identity/oauth2/introspect \
 -H 'Authorization: Bearer <admin_access_token> \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 -d 'token=<client_access_token>&realm=dataxonline'

Sample Response

{
 "active": false
}

Step 5: The result of the client access_token introspection with ID B2B will be saved in the ClientAccessToken cache with the key as client access_token and the response from Id B2B server as the cache value. The cache expiration is 7 minutes.