OAuth 2.0
Open Authorization (OAuth) is the industry standard for token-based authorization on the internet. MinistryPlatform supports several OAuth 2.0 workflows and also serves as a Security Token Service (STS) provider. MinistryPlatform is also a client and can support other token providers like Facebook and Google.
Discovery
The discovery URL is found by adding an OAuth subfolder to the MinistryPlatform URL. The format should look similar to this:
https://example.ministryplatform.com/ministryplatformapi/oauth/.well-known/openid-configuration
The discovery URL displays various end-points, scopes, and response types supported by MinistryPlatform's OAuth implementation.
General Use
- User chooses to log in using STS provider.
- User is redirected to provider's login page.
- STS provider authenticates user.
- User is redirected back to original application along with an Access Token.
- Access Token is passed in Authorization Header of each subsequent request to gain access to Resources.
OAuth & MinistryPlatform
- MinistryPlatform acts as an STS provider:
- Log in to MinistryPlatform.
- Get an Access Token using the Platform.
- Use OAuth workflows in MinistryPlatform.
- Authorization uses existing security roles to determine access.
- MinistryPlatform acts as an STS consumer:
- Configure MinistryPlatform to log in using Facebook, Google, or other OAuth providers.
- Theoretically, log in to Facebook using the Platform.
- Batch Manager Tool and other Tools:
- Use Client Credentials workflow.
- Authorization uses existing security roles.
Workflows
Client Credentials
- Allows client applications to have access without storing a username or password.
- Can provide data to an end-user whether they are logged in or out.
- Best choice for 99% of your application development.
- Client-specific user assignment.
See API & Identity Pages and Giving Developers Access.
- Allows applications to be developed entirely in client-side of JavaScript.
- Assumes end-user has significant rights within MinistryPlatform.
- Access Token belongs to the end-user.
- Similar in end-user experience to Implicit Grant.
- Redirects user to the authorization server.
- Assumes your client application has (or can collect) the end user's credentials.
- Could be used like Client Credentials if you have a safe place for your application to store the username and password (not recommended).
See Users and Third-Party Developers.
Additional Documentation
- Official OAuth 2.0 documentation - https://oauth.net/2/
- Oracle's documentation including workflow diagrams - docs.oracle.com
- ITNext OAuth 2.0 for beginners - https://itnext.io/