OAuth 2.0 Authorization

OpenAir supports OAuth 2.0, a robust authorization framework. This authorization framework enables client applications to use a token to access OpenAir through the XML API, SOAP API, or REST API. The application accesses the protected resources on behalf of a user who gave an explicit permission for the access. This method eliminates the need for API integrations to store user credentials.

This feature is available if API Access is enabled for your account. It includes the following elements:

• Administrators can register up to 20 integration applications with OpenAir and enable or disable these applications in the Administration module. For more information, see Managing API Integration Applications (Help topic under Administrator Guide).

• Administrators can use web services reports to audit and revoke authorizations granted by OpenAir users to integration applications. For more information, see Auditing and Managing OAuth 2.0 Authorizations (Help topic under Security).

  can use web services reports to audit and revoke authorizations granted by OpenAir users to integration applications. For more information, see Auditing and Managing OAuth 2.0 Authorizations.

• Application Developers can use the OAuth 2.0 authorization code flow to get an access token then use the access token to access your OpenAir data using the XML API or SOAP API. For more information, see OAuth 2.0 for Integration Applications Developers.

  Note:

  OpenAir only supports the OAuth 2.0 authorization code grant type.

• End-users can give applications explicit permission to access OpenAir on their behalf and they can revoke this permission at any time. For more information, see Authorizing Applications to Access OpenAir on Your Behalf (Help topic under Security).

  Note:

  The first time a registered application attempts to access OpenAir on their behalf, users must sign in using the same trusted sign-in page they normally use to sign in to OpenAir then give the application explicit permission. The OAuth 2.0 feature supports the following user authentication mechanisms:

  • Password authentication by OpenAir — Users enter their Company ID, User ID and Password on the OpenAir sign-in page.

  • SAML authentication:

    • Service Provider initiated Single Sign-on — Users enter their sign-in details on your company Single Sign-on form.

    • Identity Provider initiated Single Sign-on — Users must sign in using their Identity Provider Single Sign-on form before the application attempts to access OpenAir on their behalf. When the application attempts to access OpenAir, the authorization page appears automatically. Users do not need to enter their sign-in details again if the Single Sign-on session has not expired.