In my application I have many company accounts. I'm using django-oauth-toolkit and I am going to add access to my API on request from a specific company.
I have a few endpoints like:

- `GET /api/users/` - returns all company users
- `GET /api/documents/` - returns all documents owned by users from the given company
I wonder which authorization grant type I should use:
Client type: Confidential
Authorization grant type options:
Can anyone tell me which type is the best in my case and why?
You should use the resource owner password-based grant:

> The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application.

Flow:

The client will ask the user for their authorization credentials (usually a username and password).
The client then sends a POST request with the following body parameters to the authorization server:
- `grant_type` with the value `password`
- `client_id` with the client's ID
- `client_secret` with the client's secret
- `scope` with a space-delimited list of requested scope permissions
- `username` with the user's username
- `password` with the user's password

The authorization server will respond with a JSON object containing the following properties:
- `token_type` with the value `Bearer`
- `expires_in` with an integer representing the TTL of the access token
- `access_token` a JWT signed with the authorization server's private key
- `refresh_token` an encrypted payload that can be used to refresh the access token when it expires.
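The exchange described in the answer, as an added example that is not code from the question, the answer, or django-oauth-toolkit. It stands in for both ends of the password grant: `build_token_request` is the client side, `token_endpoint` is a minimal authorization server that checks the confidential client's secret and the user's password before issuing tokens, and `introspect` is what a resource server such as `/api/users/` would do with the bearer token. The client id, secret, user, and the opaque random tokens (instead of the JWT the answer mentions) are assumptions made for the example; the server stores only token hashes and compares secrets in constant time.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed registry: one confidential client (the company's server-side app)
# and one user. These values are assumptions for the example, not from the question.
CLIENT_ID = "acme-company-client"
CLIENT_SECRET = "example-client-secret"
USERS = {"alice@acme.example": "correct horse battery staple"}  # a real server stores password hashes
TOKEN_TTL = 3600  # seconds; reported as expires_in

# Server-side stores keyed by SHA-256 of the token, so a leaked store yields no usable tokens.
_ACCESS = {}
_REFRESH = {}


def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()


def _eq(a, b):
    # Constant-time comparison of two secrets.
    return hmac.compare_digest(a.encode(), b.encode())


def build_token_request(client_id, client_secret, username, password, scope):
    """Client side: the form-encoded POST body sent to the token endpoint."""
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": " ".join(scope),
    })


def token_endpoint(body, now=None):
    """Server side: validate client and resource-owner credentials, then issue tokens.
    Returns (http_status, json_dict) in the shape the answer describes."""
    now = time.time() if now is None else now
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    # Confidential client: the secret is mandatory and checked before anything else.
    if not (_eq(params.get("client_id", ""), CLIENT_ID)
            and _eq(params.get("client_secret", ""), CLIENT_SECRET)):
        return 401, {"error": "invalid_client"}
    username = params.get("username", "")
    expected = USERS.get(username)
    if expected is None or not _eq(params.get("password", ""), expected):
        return 400, {"error": "invalid_grant"}
    scopes = params.get("scope", "").split()
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    _ACCESS[_digest(access)] = {"user": username, "scope": scopes, "exp": now + TOKEN_TTL}
    _REFRESH[_digest(refresh)] = {"user": username, "scope": scopes}
    return 200, {
        "token_type": "Bearer",
        "expires_in": TOKEN_TTL,
        "access_token": access,
        "refresh_token": refresh,
        "scope": " ".join(scopes),
    }


def introspect(access_token, now=None):
    """Resource server: resolve a bearer token to its user and scopes; None if unknown or expired."""
    now = time.time() if now is None else now
    rec = _ACCESS.get(_digest(access_token))
    if rec is None or rec["exp"] <= now:
        return None
    return {"user": rec["user"], "scope": rec["scope"]}


if __name__ == "__main__":
    body = build_token_request(CLIENT_ID, CLIENT_SECRET, "alice@acme.example",
                               "correct horse battery staple", ["read"])
    status, resp = token_endpoint(body)
    print(status, resp["token_type"], resp["expires_in"])
    print(introspect(resp["access_token"]))
```

Because the user's password travels in the request body, this grant only makes sense when the client is the company's own trusted application and the token endpoint is reached over TLS; the resource server never sees the password, only the bearer token it resolves through `introspect`.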