Online Record Keeper/ORK3 Developer Documentation/API Authorization

From AmtWiki
Revision as of 14:15, 25 May 2014 by Zellfaze (talk | contribs) (Created page based off docs at https://docs.google.com/document/d/1lGl0bUsUopLMEBfQvjMeSG0h7PK872chMnHOkQpS2J0/edit?pli=1#)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

This document describes the application authorization process.

Steps for Accessing the ORK 3

  1. Call RegisterApplication() with your AppSecret in order to generate an AppId. You must store the AppId for your application instance.
  2. Call RequestAuthorization() with your AppSecret and AppId for a specific system user. This returns an ApplicationAuthorizationKey for that specific user, which you must store.
  3. Login via Authorize() using your AppId, AppSecret, and some user’s ApplicationAuthorizationKey.
  4. Perform work as that user.

Creating an Application in the ORK 3

An application must be able to consume at least the Authorization service of the ORK 3. To register an application with the ORK 3, a one-time call is made to RegisterApplication(). This call includes the Name, Description, a website Url, and an AppSecret (generated by you).

The AppSecret is the application equivalent of a password, and should be re-generated for each instance of the application. Because behavior is tracked on a per-application-basis, if you share your AppSecret and AppId, you run the risk of losing access privileges for other instances behaviors.

The call RegisterApplication() will return an AppId, which is a system-generated identification string for authorization.

Requesting Authentication Privileges

New applications have no access privileges in the system. All access to the ORK 3 system is via user masquerade. As such, your application must be granted privileges by specific users of the system. Your application will then have the same authorization permissions as that particular user. Promotions or demotions of permissions for that user will result in greater or lesser system access for your application.

To request masquerade permissions, make calls to RequestAuthorization() for a specific user. That user will then have to grant you permissions for system access. RequestAuthorization() returns an ApplicationAuthorizationKey at the time of the original call. This key can not be re-generated or re-sent. You must store this key for your application instance within your own key store.

Accessing the System

When making privileged calls into the system, you will have to provide an Application Token as returned by an initial call to Authorize(). Calls to Authorize() for an application require the use of the non-local calling parameters:

  • AppId: String, Optional [Required if no Token is given]
  • AppSecret: String, Optional [Required if no Token is given]
  • ApplicationAuthorizationKey: String, Optional [Required if no Token is given]

Where AppId is the system-generated Application Key for your application instance, AppSecret is your authentication string, and ApplicationAuthorizationKey is the Application Authorization Key granted to you by a specific system user.