StatPro Revolution Web API


Authorization using OAuth2


Introduction

The StatPro Revolution Web API uses the OAuth 2.0 Authorization Framework for user authentication and authorization.

OAuth 2.0 significantly improves upon older authentication methods such as HTTP Basic Authentication and HTTP Digest Authentication in that:-

  1. a user isn't required to submit his/her credentials to client applications;
  2. users are in control of their authorizations, and can revoke access by an application at any time;
  3. target Resource Servers (such as the Revolution Web API) don't have to validate user credentials and check user permissions on each and every request, significantly improving their speed of operation.

OAuth 2.0 improves upon OAuth 1.0 in that the use of Bearer Access Tokens, together with the mandated use of HTTPS endpoints, removes the complexity of the cryptographic request signatures that OAuth 1.0 required. OAuth 2.0 is rapidly becoming the de facto way of providing authentication and authorization for secure Web APIs.

There can be no doubt that the use of OAuth2 adds significant conceptual overhead compared with (say) HTTP Basic Authentication, where all an app needed to supply was the following request header on every call:-

Authorization: Basic base64(username:password)

The good news is that:-

  • once learned for one API, OAuth2 knowledge can be applied to all compliant APIs;
  • StatPro's implementation of OAuth2 is based on the final OAuth2 specifications (as opposed to drafts);
  • StatPro's implementation is based on a clearly-defined subset of the OAuth 2.0 Framework specification.

The Topics pages listed below should be read in the order given, to gain a full understanding of OAuth 2.0 authorization for the Revolution Web API.


Authorization topics

Overview

Registering a client application

Server-Side Web applications

Native applications

Batch applications

Tenancy selection and tenancy information

Using Data Feed User accounts for batch access


Last updated: January 2017
