Understanding the OAuth 2.0 API

The complete technical documentation for the Mashery OAuth 2.0 API is available online at http://support.mashery.com/docs/read/mashery_api/20/OAuth_Supporting_Methods. To see this documentation, request access by contacting your client services contact.

The following table describes the API at a high level, listing each API method and its purpose:

fetchApplication

Used during the Authorization step, when the service provider’s authorization server presents the resource owner with information about the client requesting access to the resource owner’s data. This API call verifies that the client is valid and fetches the client application data (name, attributes, redirection URL) that is used to present that information to the end user.

createAuthorizationCode (Authz Code grant type only)

After the resource owner has successfully authenticated against the service provider’s authorization server and authorized the client, the authz server makes this API call to TIBCO Mashery to generate the authz code, which can subsequently be exchanged for an access token. As part of this API call, the service provider also supplies the user-context (userid) of the authenticated user. The service provider returns the authz code to the client using the redirection URL.

createAccessToken

API call used to generate the access token.
  • For the authz code grant type, a valid authz code must be presented.
  • For implicit and resource owner grant types, this occurs after the resource owner has been authenticated (user-context should be supplied). Service provider initiates the API call.
  • For Client Credentials flow, only the client credentials are verified.
  • When exchanging a refresh token, a valid refresh token must be presented.
Note: Both client id and secret must be presented when requesting an access token except in the case of Implicit grant type.

fetchAccessToken

May be used by the service provider to validate access tokens, either as an additional layer of security or when certain API calls are sent directly to the provider instead of through TIBCO Mashery.
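The sequence described under fetchApplication, createAuthorizationCode, createAccessToken and fetchAccessToken for the authz code grant, as an added illustration that is not TIBCO Mashery's own SDK or API: `MasheryStub` is a local in-memory stand-in whose method names follow this page but whose signatures, storage and the exact-match redirection-URL check are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class MasheryStub:
    """Local stand-in for the Mashery-side calls; signatures are assumptions."""
    # Constructed client registration: name, redirection URL and secret.
    apps: dict = field(default_factory=lambda: {"client-123": {
        "name": "Demo App", "redirect_uri": "https://app.example/cb",
        "secret": "s3cret"}})
    codes: dict = field(default_factory=dict)   # authz code -> (client, user)
    tokens: dict = field(default_factory=dict)  # access token -> (client, user)

    def fetchApplication(self, client_id):
        return self.apps.get(client_id)         # None: client is not valid

    def createAuthorizationCode(self, client_id, user_id):
        code = secrets.token_urlsafe(24)        # bound to client and user-context
        self.codes[code] = (client_id, user_id)
        return code

    def createAccessToken(self, client_id, client_secret, code):
        app = self.apps.get(client_id)
        if app is None or app["secret"] != client_secret:
            return None                         # client id AND secret are required
        owner = self.codes.pop(code, None)      # the code is consumed: single use
        if owner is None or owner[0] != client_id:
            return None                         # unknown, replayed, or another client's
        token = secrets.token_urlsafe(32)
        self.tokens[token] = owner
        return token

    def fetchAccessToken(self, token):
        return self.tokens.get(token)           # None: token is not valid


def authorize(m, client_id, redirect_uri, user_id):
    """Authorization step: verify the client, then (resource owner already
    authenticated and consenting, assumed here) build the redirection."""
    app = m.fetchApplication(client_id)
    if app is None or app["redirect_uri"] != redirect_uri:
        return None                             # exact-match check is an added safeguard
    code = m.createAuthorizationCode(client_id, user_id)
    return app["redirect_uri"] + "?" + urlencode({"code": code})


def exchange(m, client_id, client_secret, redirect_url):
    """The client presents the code from the redirection for an access token."""
    code = parse_qs(urlparse(redirect_url).query)["code"][0]
    return m.createAccessToken(client_id, client_secret, code)
```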

fetchUserApplications

Used by the service provider to present the resource owner with the client applications that have been authorized by that resource owner. This is typically used in the Account section of the service provider’s site, where the resource owner can view the list.

revokeAccessToken

Used by the service provider to allow the resource owner to revoke access for specific client applications that have been authorized by that resource owner. This is typically used in the “Account” section of the service provider’s site, where the resource owner can view the list of authorized applications and select which application should no longer be allowed access.

revokeUserApplication

Revokes all tokens for an application for the specified user.