

App Authentication Example

All Apps must authenticate through the App Store OAuth2 Authorization Server.

Below is a simple example illustrating the [[https://tools.ietf.org/html/rfc6749#section-4.1|Authorization Code Grant Flow]] recommended for Web-Server Apps. Note that the process is different for Excel, browser-based and other types of App.

1. Registering your Web App

1.1 Redirect URIs

When registering your App, you will be asked to provide one or more valid Redirect URIs. The Authorization Server will only respond to HTTP requests from registered URIs. This helps prevent [[https://en.wikipedia.org/wiki/Man-in-the-middle_attack|man-in-the-middle attacks]].

Since the HTTP request carries sensitive information, we also stipulate that all requests come from secure HTTPS sources.

1.2 Application Id and Secret Key

Upon App registration, you are assigned an Application Id and Secret Key. The Application Id is considered public information. It forms part of the URL request to the App Store Authorization Server and can easily be seen by the user.

The Secret Key, however, must remain confidential. It should only be used server-side (i.e. not in the web-browsing client). If a deployed App cannot keep the secret confidential, then an alternative grant flow must be considered.

1.3 Application Status

Your registered App is given a status. Be sure this is not set to active until you are satisfied the App is fully tested. Once an App is “Active”, debit requests are treated as genuine and transactions are processed.

2. Authorization

There are a number of OAuth2 helper libraries available (depending on your development platform), however the example below considers a basic manual approach.

In your App, create a “Log In” link sending the user to:

https://appstore.intelligentplant.com/AuthorizationServer/OAuth/Authorize?response_type=code&
  client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=SCOPES
  

Parameters

  • response_type: The authorization process. In this case, “code” indicates we're authenticating via an “Authorization Code Grant Flow”.
  • client_id: The Application Id assigned to you.
  • redirect_uri: Where the Authorization Server should return to. If left blank, it will return to the URI of the request. Remember, the Redirect URI must be an HTTPS address registered with the App Store.
  • scope: The scopes can be specified on the request, or during App registration. Refer to the App Store API and determine which scopes your application requires to function.

The link resolves to a log-in prompt, asking the user to log in via LinkedIn and then authorize the App's scope request.

If the user clicks “Allow,” App Store redirects the user back to your site with an authentication code.

https://www.YourApp.com/cb?code=AUTH_CODE_HERE

The Authentication Code should not be returned to the app user. In the “Authorization Code Grant Flow”, it is the responsibility of your server-side code to then request the Authentication Code be exchanged for an access token. Note this request contains the Secret Key parameter.

POST https://appstore.intelligentplant.com/AuthorizationServer/OAuth/Token
    grant_type=authorization_code&
    code=AUTH_CODE_HERE&
    redirect_uri=REDIRECT_URI&
    client_id=CLIENT_ID&
    client_secret=CLIENT_SECRET

The server replies with an access token:

    "access_token":"RsT5OjbzRn430zqMLgV3Ia"

3. Authenticated Requests

Now that you have an access token, you can make requests to the App Store API. You can make an API request using cURL as follows:

curl -H "Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia" \
https://appstore.intelligentplant.com/api/Resource/GetUserInfo
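The three steps above (the “Log In” link, the server-side code-for-token exchange, and the bearer request) carried through in Python, as an added example that is not the App Store's own client code. It uses the endpoint URLs shown on this page; CLIENT_ID, CLIENT_SECRET and the Redirect URI are placeholders, and the HTTPS check on the Redirect URI mirrors the registration rule in section 1.1.

```python
"""Manual Authorization Code Grant flow against the App Store Authorization
Server (added example; CLIENT_ID / CLIENT_SECRET / redirect URI are placeholders)."""
import json
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://appstore.intelligentplant.com/AuthorizationServer/OAuth/Authorize"
TOKEN_URL = "https://appstore.intelligentplant.com/AuthorizationServer/OAuth/Token"
API_URL = "https://appstore.intelligentplant.com/api/Resource/GetUserInfo"


def build_authorize_url(client_id, redirect_uri, scopes):
    """Step 2: the 'Log In' link. The Redirect URI must be one of the HTTPS
    URIs registered with the App Store, so refuse anything else up front."""
    if urllib.parse.urlsplit(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must be an HTTPS address registered with the App Store")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def code_from_callback(callback_url):
    """Pull the code out of the callback, e.g. https://www.YourApp.com/cb?code=..."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    codes = query.get("code")
    if not codes or len(codes) != 1:
        raise ValueError("callback did not carry exactly one code parameter")
    return codes[0]


def token_request(code, client_id, client_secret, redirect_uri):
    """Build the server-side POST that trades the code for an access token.
    This is the only place the Secret Key appears; it never reaches the browser."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "client_secret": client_secret}
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST")


def access_token_from_response(body):
    """Parse the token reply; the page shows {"access_token":"..."}."""
    token = json.loads(body).get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("token response did not contain an access_token")
    return token


def api_request(access_token, url=API_URL):
    """Step 3: an authenticated request, equivalent to the curl call above."""
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
```

Send the requests with urllib.request.urlopen(...) from your server-side code; the functions here only build and parse them so the flow can be checked without network access.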
dev/app_authentication_example.1460994840.txt.gz · Last modified: 2016/04/18 15:54 by su