Principles: Authentication
Endpoint | Verb | Paging | Description |
---|---|---|---|
https://identity.fastway.org/connect/token | POST | | returns bearer token |
To obtain a token you need three values: a client_id, a secret and a scope.
- client_id: obtained from the myfastway website under Admin | API
- secret: obtained from the myfastway website under Admin | API. Treat it as a password: keep it out of source control and out of anything shipped to end users.
- scope: determined by the country you are shipping from:
country | scope |
---|---|
Australia | fw-fl2-api-au |
New Zealand | fw-fl2-api-nz |
The API is secured using the OAuth2 client credentials flow. After authenticating against the /connect/token endpoint of the Security Token Server, a bearer token with a default lifetime of 60 minutes is returned. The client credentials flow does not issue refresh tokens, so an expired token is replaced by simply requesting a new one.
The recommended practice for authentication is to:
- Make a call to the API
- Check the response status code (401 indicates a missing or expired token)
- If a 401 response is returned:
  - obtain a new token via the /connect/token endpoint
  - retry the initial call
  - if the retry also fails, treat it as a more serious error (for example a wrong client_id, secret or scope) and exit the retry loop rather than repeatedly hitting /connect/token
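The practice above as a worked C# wrapper. This is an added example, not code from the Fastway documentation: AuthenticatedApiClient and its members are names chosen here, and acquireToken stands for whatever function obtains a token from /connect/token (either token snippet on this page will do).

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Added example (not from the Fastway docs): applies the
// "call, check for 401, fetch a new token, retry once, then give up" practice.
public sealed class AuthenticatedApiClient
{
    private readonly HttpClient _http;
    private readonly Func<Task<string>> _acquireToken;   // e.g. a call to /connect/token
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private string _token;                               // cached bearer token

    public AuthenticatedApiClient(HttpClient http, Func<Task<string>> acquireToken)
    {
        _http = http;
        _acquireToken = acquireToken;
    }

    // buildRequest must construct a NEW HttpRequestMessage on every call:
    // HttpClient refuses to send the same HttpRequestMessage instance twice,
    // so the retry cannot reuse the first request object.
    public async Task<HttpResponseMessage> SendAsync(Func<HttpRequestMessage> buildRequest,
                                                     CancellationToken ct = default)
    {
        // 1. Make the call with the cached token (fetching one on first use).
        var token = await GetTokenAsync(staleToken: null, ct);
        var response = await SendWithTokenAsync(buildRequest(), token, ct);
        if (response.StatusCode != HttpStatusCode.Unauthorized)
            return response;

        // 2. 401: the token is missing or expired. Obtain a fresh one and retry exactly once.
        response.Dispose();
        token = await GetTokenAsync(staleToken: token, ct);
        response = await SendWithTokenAsync(buildRequest(), token, ct);

        // 3. A 401 with a token we just obtained is not an expiry problem (wrong client_id,
        //    secret or scope, or a disabled client). Stop retrying and surface it.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            response.Dispose();
            throw new HttpRequestException(
                "Request rejected with 401 even after obtaining a new token; check client_id, secret and scope.");
        }
        return response;
    }

    private async Task<string> GetTokenAsync(string staleToken, CancellationToken ct)
    {
        await _gate.WaitAsync(ct);   // serialise refreshes across concurrent callers
        try
        {
            // Only call /connect/token if nobody has already replaced the token that failed.
            if (_token == null || _token == staleToken)
                _token = await _acquireToken();
            return _token;
        }
        finally
        {
            _gate.Release();
        }
    }

    private Task<HttpResponseMessage> SendWithTokenAsync(HttpRequestMessage request, string token,
                                                         CancellationToken ct)
    {
        // Every API request carries the token in the Authorization header, Bearer scheme.
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return _http.SendAsync(request, ct);
    }
}

// Usage (apiBaseUrl and the endpoint path are placeholders, shown only for the call shape):
//   var api = new AuthenticatedApiClient(new HttpClient(), () => GetTokenAsync(authority, clientId, secret, scope));
//   var response = await api.SendAsync(() => new HttpRequestMessage(HttpMethod.Get, apiBaseUrl + "/some/endpoint"));
```

The staleToken check matters under load: if ten concurrent requests all fail with the same expired token, only the first one that reaches the gate calls /connect/token; the other nine find a different token already cached and reuse it. If you also parse expires_in from the token response you can refresh shortly before the 60-minute lifetime ends and avoid the 401 round trip altogether.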
The easiest way to wire up authentication is to use the IdentityModel client helper library published by the IdentityServer team (the DiscoveryClient and TokenClient classes below are its 3.x API; IdentityModel 4 and later expose the same two steps as HttpClient extension methods). A token can be retrieved in a few lines of code:

```csharp
using IdentityModel.Client;   // NuGet package: IdentityModel (3.x API shown)

// Discover the token endpoint from the authority, refusing a plain-HTTP discovery document
// so an attacker on the path cannot redirect the credentials to another token endpoint.
var discoveryClient = new DiscoveryClient(authority) {
    Policy = new DiscoveryPolicy { RequireHttps = true }
};
var disco = await discoveryClient.GetAsync();
if (disco.IsError) throw new Exception(disco.Error);
// Client credentials grant: client_id + secret + scope in exchange for a bearer token.
var tokenClient = new TokenClient(disco.TokenEndpoint, clientId, secret);
var tokenResponse = await tokenClient.RequestClientCredentialsAsync(scope);
if (tokenResponse.IsError) throw new Exception(tokenResponse.Error);
return tokenResponse.AccessToken;
```
The raw HttpClient method requires more setup, the key points being:
- Sending the parameters as a form body with content type application/x-www-form-urlencoded (FormUrlEncodedContent does this and also percent-encodes each value, which matters when the secret contains reserved characters)
- Parsing the JSON result to return the access_token

```csharp
using System.Collections.Generic;
using System.Net.Http;
using Newtonsoft.Json.Linq;

// Form body for the client_credentials grant; Content-Type is set to application/x-www-form-urlencoded.
var content = new FormUrlEncodedContent(new Dictionary<string, string> {
    ["grant_type"] = "client_credentials",
    ["client_id"] = clientId,
    ["client_secret"] = secret,
    ["scope"] = scope
});
var response = await httpClient.PostAsync($"{authority}/connect/token", content);
if (response.IsSuccessStatusCode) {
    var result = await response.Content.ReadAsStringAsync();   // JSON: access_token, expires_in, token_type
    return JObject.Parse(result)["access_token"].ToString();
}
return null;   // caller treats null as "authentication failed"
```
Screenshot: selecting OAuth2 from the authorization type drop-down allows you to provide a token URL, client_id and secret; selecting Request Token, then Use Token, embeds a bearer Authorization header into your request.
Once a token is returned it must be added to the headers of every request. The debugging tools below offer several ways to do this, but ultimately each request issued to the API must carry an Authorization header using the Bearer scheme:
Authorization: Bearer [your token]
- Within Authorization, select 'OAuth2' and click 'Get New Access Token'; you will be prompted with a 'Get New Token' dialog (see above). Upon retrieving a token, it will automatically be set in the header.
- Within Authorization, select 'Bearer' and populate the bearer dialog with your token; it will automatically be set in the header.
- Add a line to the headers with Authorization: Bearer [your token]