Notion salesforce integration
8/23/2023

“This API also uses OAuth 2.0, and we already did that a few weeks ago. I should be done by tomorrow.” – Famous last words from the intern

There are client libraries for OAuth 2.0 available in basically every programming language you can imagine. You might conclude that, armed with a client library, you would be able to implement OAuth for any API in about 10 minutes. Right? If you manage, please email us - we’d like to treat you to a delicious dinner and hear how you did it.

We implemented OAuth for the 50 most popular APIs, such as Google (Gmail, Calendar, Sheets etc.), HubSpot, Shopify, Salesforce, Stripe, Jira, Slack, Microsoft (Azure, Outlook, OneDrive), LinkedIn, Facebook and other OAuth APIs. Our conclusion: the real-world OAuth experience is comparable to JavaScript browser APIs in 2008. There is a general consensus on how things should be done, but in reality every API has its own interpretation of the standard, implementation quirks, and nonstandard behaviors and extensions. The result: footguns behind every corner. If it weren’t so annoying, it would be quite funny.

Let’s dive in!

Problem 1: The OAuth standard is just too big and complex

The official OAuth 2.0 site currently lists 17 different RFCs (documents defining a standard) that together define how OAuth 2 works. They cover everything from the OAuth framework and Bearer tokens to threat models and private key JWTs.

“But,” I hear you say, “surely not all of these RFCs are relevant for a simple third-party-access token authorization with an API?” You’re right. Let’s focus only on the things that are likely to be relevant for the typical API third-party-access use case:

OAuth standard: OAuth 2.0 is the default now, but OAuth 1.0a is still used by some (and 2.1 is around the corner). Once you know which one your API uses, move on to:

Grant type: Do you need `authorization_code`, `client_credentials`, or `device_code`? What do they do, and when should you use each of them? When in doubt, try `authorization_code`. Side note: refresh tokens are also a grant type, but kind of a special one.

Now that you’re ready for your requests, let’s look at the many (72, to be precise) official OAuth parameters with a defined meaning and behavior. How they work is standardized, but how you ask for them in the first place is not. Common examples are `prompt`, `scope`, `audience`, `resource`, `assertion`, and `login_hint`.

If you think this still feels too complicated and like a lot to learn, we tend to agree with you. However, in our experience, most API providers seem to be as oblivious to this list as you probably were until now, so don’t worry too much about it.

Most teams building public APIs seem to agree as well. Instead of implementing the full OAuth 2.0 standard, they just implement the parts of OAuth they think they need for their API’s use case. This leads to pretty long pages in docs outlining how OAuth works for this particular API. But we have a hard time blaming them; they have only the best intentions in mind for their DX (developer experience).
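To make the grant-type and parameter discussion concrete, here is an added example (not code from the original post or from any provider) that builds an `authorization_code` authorization request with PKCE and a CSRF `state` check, keeps a provider's nonstandard extras such as `prompt` and `audience` in a per-provider profile, and contrasts the token-endpoint body of `authorization_code` with `client_credentials`. The `PROVIDER` profile, its endpoints and the `extra_params` values are constructed assumptions.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed provider profile with hypothetical endpoints (not a real API). Its "extra_params"
# holds a provider's nonstandard parameters (prompt, audience, resource, ...), keeping the flow below generic.
PROVIDER = {
    "authorize_url": "https://auth.example.com/oauth/authorize",
    "grant_type": "authorization_code",
    "extra_params": {"prompt": "consent", "audience": "api://example"},
}

def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 PKCE: code_challenge = BASE64URL(SHA256(code_verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(provider, client_id, redirect_uri, scopes, state, code_verifier):
    """Authorization request for the authorization_code grant (RFC 6749 4.1.1 + PKCE)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # random, stored server-side; checked again in parse_callback
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    params.update(provider.get("extra_params", {}))  # provider quirks layered on top
    return f"{provider['authorize_url']}?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the code only if state matches what we issued (the CSRF check)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]

def token_request_body(provider, client_id, client_secret, redirect_uri=None, code=None, code_verifier=None):
    """Token endpoint form body for the two grant types contrasted in the post."""
    grant = provider["grant_type"]
    if grant == "authorization_code":  # user-delegated: exchange code + PKCE verifier
        return {"grant_type": grant, "code": code, "redirect_uri": redirect_uri,
                "client_id": client_id, "client_secret": client_secret,
                "code_verifier": code_verifier}
    if grant == "client_credentials":  # app-to-app: no user, no redirect
        return {"grant_type": grant, "client_id": client_id, "client_secret": client_secret}
    raise NotImplementedError(f"grant type not handled here: {grant}")
```

The PKCE verifier and `state` must be generated from a CSPRNG (for example `secrets.token_urlsafe`) and stored server-side per login attempt; the profile approach means only `extra_params` changes from provider to provider.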