iLert Documentation
WebsiteAPI ReferenceLoginFree Trial
Search…
Getting Started
Core concepts
On-call schedules
iLert domains, ips, emails & phone numbers
FAQ
Incident comms
Getting started
Services
Incidents
Status pages
User Administration
User roles and permissions
Team-based organisation
Single sign on
🔐
Two-factor authentication / MFA
Call Routing
Getting started with call routing
Routing calls based on support hours
Voicemail only mode
Managing call routing alerts
Adding webhooks and outbound chat messages
Uploading custom audio responses
Uptime & Heartbeat Monitors
Uptime Monitoring
Heartbeat Monitoring
REST API
iLert REST API
API Version History
Rate Limiting
Client Libraries
Terraform
API Samples
🔥
Developing iLert Apps
Get started with iLert Apps
Understanding OAuth2
Developing a Backend App with OAuth2
Developing a web or native App with OAuth2 and PKCE
Token lifetimes, error codes, app verification, etc.
🪝
Application Hooks
Integrations
Amazon CloudWatch Integration
Amazon EventBridge Integration
Amazon SNS Integration
Azure Alerts Integration
API Fortress Integration
AppDynamics Integration
AppSignal Integration
AWS Budget Integration
AWS GuardDuty Integration
AWS Lambda Integration
AWS Personal Health Dashboard Integration
Autotask Integration
Auvik Integration
Azure Function Integration
Checkmk Integration
Cisco Webex
Cloudflare Integration
Connectwise Manage Integration
Cortex XSOAR (formerly Demisto) Integration
CrowdStrike Integration
Datadog Integration
Discord Integration
DingTalk Integration
Dynatrace Integration
Email Integration
Email Outbound Integration
FreshService Integration
GitHub Integration
GitLab Integration
Google Cloud Function Integration
Google Cloud Monitoring (formerly Stackdriver) Integration
Grafana Integration
HashiCorp Consul
Humio Integration
IBM Cloud Functions Integration
Icinga Integration
Instana Integration
IXON Cloud Integration
Jira Integration
JumpCloud Integration
Kapacitor Integration
Kentix AlarmManager
Kubernetes Integration
Lightstep Integration
Mattermost Integration
Microsoft Teams Integration
MongoDB Atlas Integration
MXToolBox Integration
N-central Integration
Nagios Integration
New Relic Integration
Oh Dear Integration
Pingdom Integration
Prometheus Integration
PRTG Network Monitor Integration
Push Notifications
Raygun Integration
Salesforce Integration
Search Guard Integration
Sematext Integration
Sensu Integration
Sentry Integration
Server Density
Samsara Integration
ServiceNow Integration
SignalFx Integration
Single Sign-On Setup
Slack Integration
SMS Integration
SolarWinds Integration
Splunk Integration
StatusCake Integration
StatusHub Integration
StatusPage Integration
Sumologic Integration
Sysdig Integration
TOPdesk Integration
Terraform Cloud / Terraform Enterprise
UptimeRobot Integration
Webhook Integration
Hyperping Integration
Prisma Cloud Integration
X-Pack Alerting (Elasticsearch Watcher) Integration
Zabbix Integration
Zammad Integration
Zapier Integration
Zendesk Integration
Zoom Integration
Contact us
iLert Release Notes
iLert Mobile Release Notes
Android Push Notification Configuration
Powered By GitBook
Understanding OAuth2
OAuth 2.0 has become the de facto industry standard when it comes to offering authorization service. It is the successor to OAuth 1.0 since 2012.
OAuth2 or OAuth 2.0 stands for Open Authorization. It is a standard that allows a webservice to access resources (user data) owned by other webservices on behalf of a user.
The standard provides consented access and restricts actions to resource operations on behalf of the user that has granted the access. It works without sharing the actual user's credentials between the webservices.
It works for websites, as well as native applications on mobiles devices or desktops.
OAuth2 is an authorization protocol and as such designed to take care of granting access to resources, it does not handle authentication.

Access tokens (JWT)

A successful OAuth2 flow will leave the challanging webservice with an access token, which represents the authorization to access the user's resources. Most of the time the JWT (JSON Web Token) format is used for access and or refresh tokens. iLert uses JWT tokens.

Auth2 Roles

  • Client (the client is the party that requires access to the resources)
  • Authorization Server (this system handles the requests of the client to issue an access token)
  • Resource Server (the system that handles the user's resources and that may be queried using the access tokens issued by the Authorization server)
  • User (also called Resource owner, the actual user that the client asks to grant resources access)

OAuth2 Scopes

To describe desired resources that the client requires access to, the protocol offers scopes. Scopes are defined by the authorization server and are presented to the user during authorization. e.g. source:w defines an iLert scope that grants read and write permission to the alert sources of the given user.

OAuth2 grant flows

The protocol offers differnt kind of authorization flows. With a few being already deprecated because of their potential security risk such as the Implicit grant.
iLert's authorization server supports the Authorization Code grant as well as the optional Authorization Code with PKCE grant (which will be described below). The Refresh Token grant is also supported to refresh issued access tokens.
As the Authorization Code with PKCE grant is the suggested standard way of implementing OAuth2, the following guide will focus on this grant type. PKCE stands for Proof Key for Code Exchange and describes the addition of a code challenge that helps to ensure that the origin of the token request is actually the same as the origin of the authorization request. It is essentially helpful in implementing secure flows for native or single page applications, that cannot keep the client secret private.

How does OAuth2 work?

Authorization request

To begin with, the client redirects the user to the authorization server asking for permissions to the users resources. In case the user is not logged in, the authorization server will ask the user to login and afterwards to accept the access requested by the client. The client identifies itself by providing his client_id. It describes its desired resources using scope and transfers a code_challenge that helps validate the origin of the request later in step 2. When the login is successfull and the user has accepted to grant the requested permissions, the user is redirect back using the provided redirect_uri parameter.

Token request

In the sescond step, as the user is redirected back to the client after successfull authorization, the authorization server will have appended a code parameter to the redirect url. The client will now use this code in when requesting an access_token (and/or refresh_token) from the authorization server. It will also provide the plain text version of the code_challenge (which was the hashed representation) of the verifier (a random string generated before step 1) when making this request.
If possible (for private clients, ones that can keep secrets private e.g. backend based applications) the client will also provide his client_secret on this request.
If the authorization server successfully validates the code, secret and verifier it will return an access_token (and potentially refresh_token) in its response.

Resource request

Finally as the client has received an access_token in step 2, the client will be able to make calls to the resource server on behalf of the user by providing the access_token.

Refreshing access_token

Access tokens have a limited lifetime, they will expire after 1 hour (may be subject to change, see token response for exact lifetime). If either the client secret was provided during the token request or the offline access scope was requested, the authorization server will also issue a refresh token with a lifetime of 1 year (may be subject to change, see token response for exact lifetime).
  1. 1.
    when making requests with the access token in case of an invalid or expired token
  2. 2.
    the resource server will respond with HTTP status 401
  3. 3.
    the client should then send another token request with the grant_type refresh_token as well as the refresh token
  4. 4.
    if the refresh token is not exired the authorization server will respond with a fresh access token
  5. 5.
    the client may now continue using the new access token (where he stopped in step 2)
  6. 6.
    the resource server will respond with the requested data to the new and unexpired access token

Deep dive

Enough theoretics, let's dive right into native or backend app development for OAuth2.
Previous
Get started with iLert Apps
Next
Developing a Backend App with OAuth2
Last modified 4mo ago
Copy link
Edit on GitHub
Contents
Access tokens (JWT)
Auth2 Roles
OAuth2 Scopes
OAuth2 grant flows
How does OAuth2 work?
Authorization request
Token request
Resource request
Refreshing access_token
Deep dive