Security

Last updated: May 17th, 2021

Authorisation and Authentication

The Data Services API utilises OAuth 2.0 authorisation with OpenID Connect to provide an identity layer for authentication and Single Sign-On (SSO) capability to IPAF application users through their IPAFID. Because credentials are held by a separate identity server, users can carry them to every Client App that has been granted the relevant permissions. The Data Services API uses the PKCE (Proof Key for Code Exchange) flow for additional security in protecting user identity.

OAuth 2.0

A brief guide to the OAuth authorisation flow:

  1. The user, in the external app or service, uses a feature that requires data from the Data Services API.
  2. The external service seeks authorisation to access the API, within the specified scopes, on behalf of the user.
  3. The user is directed to the IPAFID account login screen, if they are not already logged in, and prompted to log in.
  4. The user is directed to the authorisation URL of the authorisation server. This displays a screen that prompts the user to grant the app access to their data.
  5. If the user grants access, the user is redirected to the app's callback URL with an authorisation code.
  6. The app makes a POST to the token URL of the authorisation server, exchanging the authorisation code for an access token and a refresh token.
  7. The access token can now be used to call the Data Services APIs for the authorised app/service site on behalf of the user. It remains usable until it expires (after which a new one can be obtained with the refresh token) or is revoked.

PKCE Flow

Here is a visual representation of how the Data Services API handles auth requests using the Proof Key for Code Exchange protocol.
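As an added example (not code from the IPAF Data Services API or from the original page), the Python below walks through steps 4 to 6 of the flow above with PKCE applied, plus the check the authorisation server performs when the code is exchanged. The endpoint URLs, client id and redirect URI are placeholders I have assumed; the code_challenge transform is the S256 method from RFC 7636. Nothing is sent over the network: the functions build the authorisation URL and the token-request body so the pieces can be inspected.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoints and client registration: the page does not give the real
# IPAFID URLs or client ids, so these are placeholders.
AUTHORIZE_URL = "https://id.example.invalid/connect/authorize"
TOKEN_URL = "https://id.example.invalid/connect/token"
CLIENT_ID = "example-client-app"
REDIRECT_URI = "https://app.example.invalid/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Fresh high-entropy code_verifier: 64 random bytes -> 86 unreserved
    characters (RFC 7636 allows 43 to 128)."""
    return b64url(secrets.token_bytes(64))


def make_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(verifier: str, state: str, nonce: str,
                            scope: str = "openid profile") -> str:
    """Step 4: the URL the user is sent to. Only the challenge leaves the app;
    the verifier stays in the app's session until step 6."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                     # ties the callback to this session
        "nonce": nonce,                     # echoed back inside the OIDC id_token
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step 5: pull the authorisation code out of the redirect, refusing any
    callback whose state does not match the one stored for this session."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorisation refused: {query['error'][0]}")
    received_state = query.get("state", [""])[0]
    if not hmac.compare_digest(received_state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    return query["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Step 6: form body the app POSTs to TOKEN_URL. Presenting the verifier
    (not the challenge) proves this is the client that started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """The authorisation server's side of step 6: recompute the challenge from
    the presented verifier and compare it with the one stored with the code."""
    return hmac.compare_digest(make_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(verifier, state, nonce))
    # Constructed callback standing in for the redirect from the authorisation server.
    code = handle_callback(f"{REDIRECT_URI}?code=constructed-code&state={state}", state)
    print(build_token_request(code, verifier))
```

The value of PKCE is visible in server_verifies_pkce: an authorisation code intercepted on its way to the callback is useless without the verifier, which never appeared in the browser redirect. The state check in handle_callback is the separate protection against a callback being injected into a session that did not start the flow.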

OpenID Connect

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients (apps accessing the DS API) to verify the identity of the End-User based on the authentication performed by an Authorisation Server (IPAFID SSO), and to obtain basic profile information about the End-User in an interoperable, REST-like manner. For more details visit the OpenID Connect site.
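The identity verification described above rests on the Client validating the id_token it receives at step 6 before trusting the End-User identity inside it. As an added example (not the page's or IPAFID's code), the Python below shows those checks: a pinned signing algorithm, the signature, and the iss, aud, exp and nonce claims. The issuer and client id are assumed placeholders, and mint_id_token is a constructed stand-in for the authorisation server that signs with a shared HMAC key so the example runs offline; a real provider signs with an asymmetric key published through its JWKS, and the signature step would verify against that instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values: the page does not give the real IPAFID issuer or client id.
ISSUER = "https://id.example.invalid"
CLIENT_ID = "example-client-app"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the authorisation server: an HS256-signed JWT.
    Used here only so the validator has something to check offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def validate_id_token(token: str, key: bytes, expected_nonce: str,
                      issuer: str = ISSUER, client_id: str = CLIENT_ID,
                      now=None) -> dict:
    """Checks a Client makes before trusting the End-User identity in an id_token:
    allow-listed alg, signature, then iss, aud (and azp), exp and nonce."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: the token's own header must never decide how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token not intended for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud lists several")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    nonce = str(claims.get("nonce", ""))
    if not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch: token not tied to this login attempt")
    return claims


if __name__ == "__main__":
    demo_key = b"constructed-shared-secret"        # constructed, demo only
    issued_at = int(time.time())
    token = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
                           "iat": issued_at, "exp": issued_at + 300, "nonce": "n1"},
                          demo_key)
    print(validate_id_token(token, demo_key, "n1")["sub"])
```

The nonce is the value the app placed in the authorisation request; comparing it here is what ties the id_token to the login attempt this session actually started, which is the same role state plays for the authorisation code.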