OAuth 2.0 Authentication
For client authentication, the DataX Real-Time API relies on an implementation of OAuth 2.0: clients authenticate with OAuth 2.0 and present bearer tokens, which keeps the scheme flexible.
The authentication process is illustrated in the following diagram:
[Diagram: OAuth 2.0 Authentication Workflow]
Follow these steps:
Step 1: The external provider calls the ID B2B server to get the access_token, which is valid for 10 minutes.
Step 2: The provider calls the POST /identity/oauth2/access_token endpoint of ID B2B with a JWT (the client assertion) created from the provided client_id and the client credential.
Sample Request
curl -X POST 'https://id.b2b.yahooinc.com/identity/oauth2/access_token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=<jwt_token>' \
--data-urlencode 'scope=audience' \
--data-urlencode 'realm=dataxonline'
Sample Response
{
  "access_token": "wcf1011c-70fe-4740-b8a1-781d2b4dd3q3",
  "scope": "audience",
  "token_type": "Bearer",
  "expires_in": 599
}
Step 3: The client extracts the access_token from the response and calls the DataX Real-Time API /online/audience endpoint with the access_token sent as a Bearer token in the Authorization header.
Sample Request
curl -X POST \
https://dataxonline.yahoo.com/online/audience/ \
-H 'Accept: application/json' \
-H 'Authorization: Bearer dcf1011c-70fe-4740-b8a1-781d2b4dd3q2' \
-H 'Content-Type: application/json' \
-d '{
  "schema": [
    "DXID",
    "IXID",
    "IDFA",
    "SEGMENTS"
  ],
  "data": [
    [
      "DXID1",
      "IXID1",
      "IDFA1",
      "exp=1376244671&seg_id=123456&ts=1376244670;seg3;seg4"
    ],
    [
      "",
      "",
      "IDFA2",
      "seg3;seg5;seg6;seg7"
    ]
  ]
}'
Sample Response
{
  "totalRows": 2,
  "processedRows": 2,
  "invalidRows": 0,
  "exampleInvalidRows": []
}
Step 4: The API verifies the client access_token. It first checks whether the client's access_token from the Authorization header of the request is present in the ClientAccessToken cache. If it is found in the cache, we do not call the ID B2B server for access_token verification; we check the cached value to find out whether the token is valid or invalid. If the client access_token is not found in the cache, we call the ID B2B server endpoint identity/oauth2/introspect.
In the introspection request, admin_access_token is the access token for the DataX online API, sent as a Bearer token in the Authorization header. client_access_token is the access_token of the client (the external provider), which has to be verified (introspected) with the ID B2B server.
Sample Request
curl -X POST \
https://<DATAX_ONLINE_HOST>/identity/oauth2/introspect \
-H 'Authorization: Bearer <admin_access_token>' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'token=<client_access_token>&realm=dataxonline'
Sample Response
{
  "active": false
}
Step 5: The result of the client access_token introspection with ID B2B is saved in the ClientAccessToken cache, with the client access_token as the key and the response from the ID B2B server as the value. The cache expiration is 7 minutes.
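As an added illustration of the Step 4 and Step 5 flow (example code, not DataX's own implementation): the class below keeps a ClientAccessToken cache keyed by the client access_token, stores the ID B2B introspection response (valid or invalid) for the documented 7 minutes, and only calls introspection on a cache miss. The injectable introspect function, the injectable clock, and the optional use of an RFC 7662 "exp" claim to cap how long an "active" verdict stays cached are assumptions, not from this page.

```python
import time
from typing import Callable, Dict, Optional, Tuple

CACHE_TTL_SECONDS = 7 * 60  # ClientAccessToken cache expiration stated in the doc (7 minutes)

# Introspection call: takes the client access_token and returns the ID B2B
# introspection response as a dict, e.g. {"active": False}.
Introspect = Callable[[str], dict]

class ClientAccessTokenCache:
    """Step 4/5 verification: cache keyed by client access_token, valued by the introspection response."""

    def __init__(self, introspect: Introspect, clock: Callable[[], float] = time.time):
        self._introspect = introspect
        self._clock = clock
        self._entries: Dict[str, Tuple[float, dict]] = {}  # token -> (entry_expires_at, response)

    def verify(self, authorization_header: Optional[str]) -> Tuple[bool, str]:
        """Return (is_active, source) where source is 'cache', 'introspected' or 'missing_bearer'."""
        # The client token must arrive as a Bearer token in the Authorization header.
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return False, "missing_bearer"
        token = authorization_header[len("Bearer "):].strip()
        if not token:
            return False, "missing_bearer"
        now = self._clock()
        cached = self._entries.get(token)
        if cached is not None and cached[0] > now:
            # Cache hit: reuse the stored verdict (valid or invalid) without calling ID B2B.
            return bool(cached[1].get("active")), "cache"
        # Cache miss or expired entry: introspect with ID B2B and store the verdict.
        response = self._introspect(token)
        ttl = CACHE_TTL_SECONDS
        # Assumption (not in the doc): if the introspection response carries an RFC 7662
        # "exp" claim, do not keep an "active" verdict cached past the token's own expiry.
        exp = response.get("exp")
        if response.get("active") and isinstance(exp, (int, float)):
            ttl = min(ttl, max(0.0, exp - now))
        self._entries[token] = (now + ttl, response)
        return bool(response.get("active")), "introspected"

if __name__ == "__main__":
    # Constructed stand-in for the ID B2B introspect endpoint; no network is used.
    def fake_introspect(token: str) -> dict:
        return {"active": token == "dcf1011c-70fe-4740-b8a1-781d2b4dd3q2"}
    cache = ClientAccessTokenCache(fake_introspect)
    print(cache.verify("Bearer dcf1011c-70fe-4740-b8a1-781d2b4dd3q2"))  # (True, 'introspected')
    print(cache.verify("Bearer dcf1011c-70fe-4740-b8a1-781d2b4dd3q2"))  # (True, 'cache')
```

Because a negative verdict is also cached, a token that becomes valid is only seen after the entry expires, and a revoked token keeps being accepted for up to the cache lifetime.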