
Principles: Authentication

mindfulsoftware edited this page Feb 20, 2020 · 2 revisions

Endpoint

Endpoint                                    Verb   Paging   Description
https://identity.fastway.org/connect/token  POST            Returns a bearer token

To obtain a token you need three values to authenticate with: a client_id, a secret and a scope.

client_id: obtained from myfastway website under Admin | API

secret: obtained from myfastway website under Admin | API

scope: determined by the country you are calling the API for

Country        Scope
Australia      fw-fl2-api-au
New Zealand    fw-fl2-api-nz

Recommended practice for authentication

The API is secured using the OAuth2 Client Credentials flow. A token with a default lifetime of 60 minutes is returned after authenticating against the /connect/token endpoint of the Security Token Server.

The recommended practice for authentication is to:

  1. Make a call to the API
  2. Check the response status code (401 indicates a missing or expired token)
  3. If a 401 response is returned:
    1. obtain a new token via the /connect/token endpoint
    2. retry the initial call
    3. further errors indicate a more serious problem; the retry loop should exit at this point
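The retry procedure above, written out as a small wrapper around HttpClient. This is an added example and not code from the Fastway wiki; the FastwayApiClient class, its token-provider delegate and the request URL in the usage comment are assumptions, and the getToken delegate stands in for whichever of the token helpers on this page you use.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

// Hypothetical wrapper (not part of the Fastway API): caches a bearer token,
// attaches it to every request and refreshes it exactly once on a 401.
public sealed class FastwayApiClient
{
    private readonly HttpClient _http;
    private readonly Func<Task<string>> _getToken; // e.g. one of the token helpers on this page
    private string _token;

    public FastwayApiClient(HttpClient http, Func<Task<string>> getToken)
    {
        _http = http;
        _getToken = getToken;
    }

    // buildRequest is a factory because an HttpRequestMessage cannot be sent twice,
    // and the retry path needs a fresh copy of the same request.
    public async Task<HttpResponseMessage> SendAsync(Func<HttpRequestMessage> buildRequest)
    {
        // Step 1: make the call with the token we currently hold (fetched lazily on first use;
        // the cached token is reused for its 60 minute lifetime instead of authenticating per call).
        if (_token == null)
            _token = await _getToken();

        var response = await SendWithTokenAsync(buildRequest());

        // Step 2: a 401 means the token is missing or expired.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            // Step 3.1 / 3.2: obtain a new token and retry the original call once.
            response.Dispose();
            _token = await _getToken();
            response = await SendWithTokenAsync(buildRequest());

            // Step 3.3: a second 401 is not a token-expiry problem (wrong client_id, secret
            // or scope, revoked client, ...), so stop retrying and surface it to the caller.
            if (response.StatusCode == HttpStatusCode.Unauthorized)
                throw new InvalidOperationException(
                    "Still unauthorized after refreshing the token; check client_id, secret and scope.");
        }

        return response;
    }

    private Task<HttpResponseMessage> SendWithTokenAsync(HttpRequestMessage request)
    {
        // Every request to the API carries "Authorization: Bearer <token>".
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _token);
        return _http.SendAsync(request);
    }
}

// Usage (assumed; the API base address is not given on this page):
// var client = new FastwayApiClient(new HttpClient(),
//     () => GetTokenAsync(authority, clientId, secret, scope));
// var response = await client.SendAsync(
//     () => new HttpRequestMessage(HttpMethod.Get, "https://api.example.invalid/placeholder"));
```

Keeping the refresh to a single attempt is the point of step 3.3: a client that loops on 401 forever hides a misconfigured secret or scope and hammers the token endpoint, so the second failure is raised instead of retried.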

Using Discovery

The easiest way to wire up authentication is to use the IdentityServer token validation helper library (the IdentityModel client classes used below). A token can be retrieved in a few lines of code:

using System;
using System.Threading.Tasks;
using IdentityModel.Client;

// Discover the token endpoint from the authority (requiring HTTPS), then request a
// token with the client-credentials flow. Uses the IdentityModel 2.x DiscoveryClient/TokenClient API.
async Task<string> GetTokenAsync(string authority, string clientId, string secret, string scope)
{
    var discoveryClient = new DiscoveryClient(authority) {
        Policy = new DiscoveryPolicy { RequireHttps = true }
    };

    var disco = await discoveryClient.GetAsync();
    if (disco.IsError) throw new Exception(disco.Error); // discovery document could not be fetched or failed policy

    var tokenClient = new TokenClient(disco.TokenEndpoint, clientId, secret);
    return (await tokenClient.RequestClientCredentialsAsync(scope)).AccessToken;
}

Using HttpClient

The HttpClient method requires more setup, the key points being:

  1. Setting the content type to application/x-www-form-urlencoded
  2. Parsing the result to return the access_token

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

async Task<string> GetTokenAsync(HttpClient httpClient, string authority, string clientId, string secret, string scope)
{
    // Form values must be URL-encoded: a secret containing '&', '+' or '%' would otherwise corrupt the body.
    var body = $"grant_type=client_credentials&client_id={Uri.EscapeDataString(clientId)}&scope={Uri.EscapeDataString(scope)}&client_secret={Uri.EscapeDataString(secret)}";
    var content = new StringContent(body);
    content.Headers.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded");

    var response = await httpClient.PostAsync($"{authority}/connect/token", content);

    if (response.IsSuccessStatusCode) {
        // The token endpoint returns JSON; the bearer token is the access_token property.
        var result = await response.Content.ReadAsStringAsync();
        return JObject.Parse(result)["access_token"].ToString();
    }

    return null; // e.g. 400 invalid_client: caller should not retry with the same credentials
}

Using Postman

Selecting OAuth2 from the authorization type drop down

[image: postman oauth2]

allows you to provide a token URL, client_id and secret.

[image: postman oauth2]

Selecting Request Token, then Use Token, will embed a bearer Authorization header into your request.

Using Postman (form encoded)

[image: postman oauth2]

Once a token is returned it needs to be added to the header of each request. This can be done in a number of ways using the debugging tools below, but ultimately every request issued to the API must carry an Authorization header:

Authorization: bearer [your token]

Using OAuth2 in postman

Within Authorization, select 'OAuth2' and click 'Get New Access Token'; you will be prompted with a 'Get New Token' dialog (see above). Upon retrieving a token, it will automatically be set in the header.

[image: postman bearer token]

Setting bearer token in postman

Within Authorization, select 'Bearer' and populate the bearer dialog with your token; it will automatically be set in the header.

[image: postman oauth2 token]

Manually setting the header in Fiddler

Add a line to the request headers with Authorization: bearer [your token]

[image: fiddler-token]
