StatPro Revolution Web API
Authorization using OAuth2
The StatPro Revolution Web API uses the OAuth 2.0 Authorization Framework for user authentication and authorization.
OAuth 2.0 significantly improves upon older authentication methods such as HTTP Basic Authentication and HTTP Digest Authentication in that:-
- a user isn't required to submit his/her credentials to client applications;
- users are in control of their authorizations, and can revoke access by an application at any time;
- target Resource Servers (such as the Revolution Web API) don't have to validate user credentials and check user permissions on each and every request, significantly improving their speed of operation.
OAuth 2.0 improves upon OAuth 1.0 in that the use of Bearer Access Tokens and the mandated use of HTTPS endpoints means that the complexities of cryptographic signatures (required by OAuth 1.0) are removed. OAuth 2.0 is rapidly becoming the de facto way of providing authentication and authorization for secure Web APIs.
There can be no doubt that the use of OAuth2 adds significant conceptual overhead over and above (say) HTTP Basic Authentication, where all an app needed to specify was the following request header:-
Authorization: Basic base64(username:password)
The good news is that:-
- once learned for one API, OAuth2 knowledge can be applied to all compliant APIs;
- StatPro's implementation of OAuth2 is based on the final OAuth2 specifications (as opposed to drafts);
- StatPro's implementation is based on a clearly-defined subset of the OAuth 2.0 Framework specification.
The Topics pages listed below should be read in the order given, to gain a full understanding of OAuth 2.0 authorization for the Revolution Web API.
Last updated: January 2017