OAuth 2.0 Authentication
OAuth 2.0 is an industry-standard protocol for authentication and authorization. The framework enables a host of third-party client applications to gain secure and delegated access to protected resources in Zoho through APIs.
Some common characteristics of OAuth 2.0 are:
- Clients are not required to support password authentication or store user credentials. API calls can be made to access resources without having to provide user credentials for each call.
- Clients only have access to the resources the user has authorized them to use.
- Users can revoke the client's delegated access at any time.
- OAuth 2.0 access tokens expire after a set time, which limits the window in which a leaked token can be misused.
Before you learn about the steps involved in implementing OAuth 2.0, you must understand the following terms related to OAuth 2.0 in the Catalyst context:
| Term | Description |
| --- | --- |
| Protected Resource | A Catalyst resource such as Cache, Cron, Table, or Folder |
| Resource Server | The Catalyst server that hosts the Catalyst protected resources |
| Client | An application that sends requests to the resource server to access the protected resources on behalf of the end-user |
| client_id | The unique key generated for a registered client |
| client_secret | The secret value generated for a specific registered client's client_id. When you register your Catalyst application in the Zoho API Console, a client_id and client_secret are generated for it. |
| Authentication Server | The Catalyst authorization server that provides the necessary credentials to a client, such as the access_token or refresh_token |
| Grant Token or code | A temporary token that the Catalyst authorization server generates and sends to the client via the browser. The client sends this code back to the authorization server to obtain the access and refresh tokens. |
| access_token | A temporary token that is sent to the resource server to access the protected resources of the user. Clients use the access_token to make requests to the associated application using the APIs. Each access_token is valid for a set time period and can only be used to perform the operations described in its scope. |
| refresh_token | A token that can be used to obtain new access tokens. This token has an unlimited lifetime until it is revoked by the end-user. |
| Scopes | Scopes control the type of resources that the client application can access. Each token is usually created with selected scopes for better security. For example, you can generate an access_token with a scope that only reads the data in the Data Store or File Store. The standard format to define a scope is scope=service_name.scope_name.operation_type. The next section lists the scopes available in Catalyst. |
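The flow the terms above describe, as an added, self-contained example that is not Zoho's or Catalyst's own code. It models the three parties in memory (an authorization server, a resource server and a registered client) so that the properties listed earlier can be checked offline: the grant code is consumed on first use, the access_token expires and is bound to its scope, the refresh_token keeps working until the user revokes it, and revocation also kills the access tokens minted from it. The class and function names, the in-memory token stores, the fake clock and the scope string `catalystdemo.tables.READ` (built in the `service_name.scope_name.operation_type` format from the text) are all constructed for illustration; the real flow runs over HTTPS endpoints that this page does not list.

```python
import secrets
import time

def parse_scope(scope: str) -> tuple[str, str, str]:
    """Split a service_name.scope_name.operation_type string into its three parts."""
    parts = scope.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed scope: {scope!r}")
    return parts[0], parts[1], parts[2]

class AuthorizationServer:
    """Toy authorization server issuing grant codes, access tokens and refresh tokens (constructed)."""

    def __init__(self, access_ttl: float = 3600.0, clock=time.time):
        self.clock, self.access_ttl = clock, access_ttl   # clock is injectable for offline tests
        self.clients = {}         # client_id -> client_secret
        self.codes = {}           # one-time grant code -> (client_id, scopes)
        self.refresh_tokens = {}  # refresh_token -> (client_id, scopes)
        self.access_tokens = {}   # access_token -> (client_id, scopes, expiry, parent refresh_token)

    def register_client(self) -> tuple[str, str]:
        client_id, client_secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[client_id] = client_secret
        return client_id, client_secret

    def authorize(self, client_id: str, scopes: list[str]) -> str:
        """The user consents in the browser; the server hands the client a temporary grant code."""
        for scope in scopes:
            parse_scope(scope)    # reject malformed scope strings before issuing anything
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, tuple(scopes))
        return code

    def _issue_access(self, client_id: str, scopes: tuple, refresh: str) -> dict:
        token = secrets.token_urlsafe(24)
        self.access_tokens[token] = (client_id, scopes, self.clock() + self.access_ttl, refresh)
        return {"access_token": token, "expires_in": int(self.access_ttl)}

    def token_from_code(self, client_id: str, client_secret: str, code: str) -> dict:
        """Exchange the grant code for tokens; the code is consumed on first use."""
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant")
        refresh = secrets.token_urlsafe(24)
        self.refresh_tokens[refresh] = entry
        return {**self._issue_access(client_id, entry[1], refresh), "refresh_token": refresh}

    def token_from_refresh(self, client_id: str, client_secret: str, refresh: str) -> dict:
        """Mint a new access token; the refresh token itself lives until revoked."""
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("invalid_client")
        entry = self.refresh_tokens.get(refresh)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant")
        return self._issue_access(client_id, entry[1], refresh)

    def revoke(self, refresh: str) -> None:
        self.refresh_tokens.pop(refresh, None)   # user withdraws delegated access ...
        self.access_tokens = {t: v for t, v in self.access_tokens.items() if v[3] != refresh}  # ... and its access tokens

def access_resource(auth: AuthorizationServer, token: str, service: str, resource: str, operation: str) -> bool:
    """Toy resource server check: token must be live and carry a scope covering the operation."""
    entry = auth.access_tokens.get(token)
    if entry is None or auth.clock() > entry[2]:
        raise PermissionError("invalid_token")       # unknown, revoked or expired
    for scope in entry[1]:
        svc, res, op = parse_scope(scope)
        if (svc, res) == (service, resource) and op in (operation, "ALL"):
            return True
    raise PermissionError("insufficient_scope")      # valid token, wrong scope

def _denied(action) -> bool:
    try:
        action()
        return False
    except PermissionError:
        return True

def run_flow(access_ttl: float = 3600.0) -> dict:
    """Walk the full flow against a fake clock; scope 'catalystdemo.tables.READ' is a constructed placeholder."""
    now = [1_700_000_000.0]                              # constructed start time
    auth = AuthorizationServer(access_ttl, clock=lambda: now[0])
    client_id, client_secret = auth.register_client()
    code = auth.authorize(client_id, ["catalystdemo.tables.READ"])
    tokens = auth.token_from_code(client_id, client_secret, code)
    at, rt = tokens["access_token"], tokens["refresh_token"]
    out = {"read_ok": access_resource(auth, at, "catalystdemo", "tables", "READ"),
           "write_denied": _denied(lambda: access_resource(auth, at, "catalystdemo", "tables", "WRITE")),
           "code_reuse_denied": _denied(lambda: auth.token_from_code(client_id, client_secret, code)),
           "bad_secret_denied": _denied(lambda: auth.token_from_refresh(client_id, "wrong", rt))}
    now[0] += access_ttl + 1                             # let the access token expire
    out["expired_denied"] = _denied(lambda: access_resource(auth, at, "catalystdemo", "tables", "READ"))
    fresh = auth.token_from_refresh(client_id, client_secret, rt)["access_token"]
    out["refreshed_ok"] = access_resource(auth, fresh, "catalystdemo", "tables", "READ")
    auth.revoke(rt)                                      # user revokes the client's delegated access
    out["revoked_denied"] = _denied(lambda: access_resource(auth, fresh, "catalystdemo", "tables", "READ"))
    return out
```

Calling `run_flow()` returns a dictionary in which every check is `True`. The two details worth carrying into a real client are visible here: the client_secret is compared with `secrets.compare_digest` rather than `==`, and the resource server rejects a token on expiry or revocation before it ever looks at the scope, so a leaked access_token is useful only inside its TTL and only for the operations its scope names.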