Real-Time Personalization (+RTP) API Guide

OAuth2 Guide

This OAuth2 Guide provides information about Sequencing.com's OAuth2 system. Our simple yet secure OAuth2 system is used to authenticate apps with our API.

Sequencing.com uses the industry-standard OAuth2 protocol (the authorization code grant) for authentication. If you are interested in the details, please refer to the explanation on our GitHub page.

Sequencing.com provides libraries, code snippets / sample code and plugins for implementing authentication and all components of the +RTP API.

Authentication flow

Sequencing.com uses the standard OAuth approach, which lets a third-party application obtain limited access to a user's account on an HTTP service without ever seeing the user's password. OAuth acts as an intermediary on behalf of the end user: after the user approves the request, the service hands the application an access token that authorizes only the specific account information the user agreed to share.

OAuth activity (flow diagram)

Steps

Step 1: Authorization Code Link

First, the user is given an authorization link that looks like the following:

https://sequencing.com/oauth2/authorize?redirect_uri=REDIRECT_URL&response_type=code&state=STATE&client_id=CLIENT_ID&scope=SCOPES

Here is an explanation of the link components:

  • https://sequencing.com/oauth2/authorize: the API authorization endpoint
  • client_id=CLIENT_ID: the application's client ID (how the API identifies the application)
  • redirect_uri=REDIRECT_URL: where the service redirects the user-agent after an authorization code is granted; it must match the redirect URI registered for the application
  • response_type=code: specifies that your application is requesting an authorization code grant
  • state=STATE: an opaque, unguessable value generated by your application for this login attempt; the service returns it unchanged with the code, and your application must check that it matches before using the code (this is the standard OAuth2 protection against cross-site request forgery on the callback)
  • scope=SCOPES: specifies the level of access that the application is requesting

The screenshot below shows the authorization dialog displayed when the user follows the link above.

OAuth authorization dialog (screenshot)

Step 2: User Authorizes Application

When the user clicks the link, they must first log in to the service to authenticate their identity (unless they are already logged in). Then the service prompts them to authorize or deny the application access to their account. Here is an example "authorize application" prompt:

OAuth grant prompt (screenshot)

Step 3: Application Receives Authorization Code

If the user clicks "Authorize Application", the service redirects the user-agent to the application's redirect URI, which was specified during client registration, along with an authorization code. The redirect would look something like this (assuming the application is "php-oauth-demo.sequencing.com"):

https://php-oauth-demo.sequencing.com/index.php?code=AUTHORIZATION_CODE

Per the OAuth2 specification (RFC 6749), the redirect also carries the state value sent in Step 1; the application must verify that it equals the value it generated before exchanging the code. The authorization code is short-lived and single-use, so exchange it promptly in Step 4.

Step 4: Application Requests Access Token

The application requests an access token from the API by sending the authorization code, together with its own credentials (the client ID and client secret), to the token endpoint. Here is an example POST request to the Sequencing.com token endpoint:

https://sequencing.com/oauth2/token

The following POST parameters must be sent:

  • grant_type=authorization_code
  • code=AUTHORIZATION_CODE (where AUTHORIZATION_CODE is the value of the "code" parameter received in the redirect from Sequencing.com in Step 3)
  • redirect_uri=REDIRECT_URL (where REDIRECT_URL is the same URL used in Step 1)

Include the following in the request header (HTTP Basic client authentication, i.e. the client ID and client secret joined by a colon and base64-encoded):

Authorization: Basic base64_encode([your-client-id] . ':' . [your-client-secret])

Note: if you experience any issues with Step 4, first make sure that you have added the "Authorization" header to the request. This request is made server-to-server from your application; the client secret must never be placed in the authorization link, in the redirect URI, or in client-side code.

 

Step 5: Application Receives Access Token

If the authorization is valid, the API sends a JSON response containing the access token to the application. The response also carries the refresh token used in Step 6. Store both server-side; the access token is the credential your application presents on subsequent +RTP API calls.

Step 6: Token expires and needs to be refreshed

Access tokens are short-lived. When one has expired, the application obtains a new one by sending a refresh request to the OAuth server, passing the refresh token it received in Step 5 (not the expired access token) with grant_type=refresh_token:

https://sequencing.com/oauth2/authorize?grant_type=refresh_token&refresh_token=your-refresh-token

Include the following in the request header, exactly as in Step 4:

Authorization: Basic base64_encode([your-client-id] . ':' . [your-client-secret])

Note that in RFC 6749 the refresh grant is a POST to the token endpoint with the parameters in the form body; the libraries and sample code referenced at the top of this guide show the exact request used for Sequencing.com. A refresh token is a long-lived credential and must be protected like the client secret.
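The complete flow from Step 1 to Step 6, as an added example written for this guide (not code from Sequencing.com's own libraries or sample code). Nothing is sent over the network: each function builds the exact HTTP request a step calls for, or parses the response a step returns, so the pieces can be checked offline and then sent with any HTTP client. The client ID, client secret, redirect URL, scope, code and token values are placeholders, the callback URL and token JSON fed to the demo are constructed inputs, and the refresh request follows the RFC 6749 form (a POST to the token endpoint) rather than the authorize-endpoint query string shown above, which is an assumption to verify against the official samples.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://sequencing.com/oauth2/authorize"
TOKEN_URL = "https://sequencing.com/oauth2/token"


def build_authorization_url(client_id, redirect_uri, scope, state=None):
    """Step 1: build the link the user follows.
    state is a random per-login value; keep a copy in the user's server-side
    session so it can be compared in Step 3."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
        "client_id": client_id,
        "scope": scope,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 3: pull the authorization code out of the redirect.
    The callback is rejected unless the echoed state equals the stored one,
    so a code planted by an attacker cannot be bound to the victim's session."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorization denied: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    return qs["code"][0]


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _token_post(form, client_id, client_secret, url=TOKEN_URL):
    """Shape every token-endpoint call the same way: credentials in the
    Authorization header, grant parameters in the form body, never in the URL."""
    return {
        "method": "POST",
        "url": url,
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Step 4: exchange the code; redirect_uri must equal the Step 1 value."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    return _token_post(form, client_id, client_secret)


def parse_token_response(body_text):
    """Step 5: read the JSON token response; an access_token is required."""
    data = json.loads(body_text)
    if "access_token" not in data:
        raise RuntimeError(f"token error: {data.get('error', 'unknown')}")
    return data


def build_refresh_request(refresh_token, client_id, client_secret):
    """Step 6: send the refresh token, not the expired access token.
    Assumption: RFC 6749 refresh grant, POSTed to the token endpoint."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return _token_post(form, client_id, client_secret)


def demo():
    """Walk the whole flow with constructed inputs (placeholder credentials,
    a constructed callback URL and a constructed token JSON) and return the
    artefacts of each step for inspection."""
    cid, secret, cb = "CLIENT_ID", "CLIENT_SECRET", "https://app.example/cb"
    link, state = build_authorization_url(cid, cb, "SCOPES")
    code = parse_callback(f"{cb}?code=AUTHORIZATION_CODE&state={state}", state)
    token_req = build_token_request(code, cb, cid, secret)
    tokens = parse_token_response(  # constructed response, not from the API
        '{"access_token": "AT", "refresh_token": "RT", "expires_in": 3600}')
    refresh_req = build_refresh_request(tokens["refresh_token"], cid, secret)
    return {"link": link, "code": code, "token_request": token_req,
            "tokens": tokens, "refresh_request": refresh_req}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The state check in parse_callback is the one piece of this flow that is easy to omit and costly to get wrong: without it, an attacker can complete Step 2 with their own account, capture the redirect, and get a victim to load it, binding the attacker's Sequencing.com data to the victim's session in your application.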