What is OAuth 2.0?
OAuth 2.0 is a special type of connection that is ubiquitous in integration development. OAuth 2.0 allows your customers to authorize your integration to perform certain functions on their behalf, without needing to give you their username or password. For example, customers can authorize your integration to fetch their Salesforce leads, create Slack channels, or generate Quickbooks invoices for them.
You've probably come across OAuth 2.0 at some point - any time you click "Log in with my Google Account" or "Connect my Dropbox" on a website, that website leverages OAuth 2.0 to fetch information (your email address, files, etc) on your behalf. You don't enter your Google or Dropbox credentials into the website. Instead, you enter your credentials on a Google, Dropbox, etc. page and the OAuth provider generates a unique code that grants the website a set of your permissions.
With Prismatic, you can offer your customers a single "Connect to Acme" button in your integrations' config wizards, and your customers can seamlessly grant you permission to their accounts in other platforms. Prismatic's OAuth 2.0 service takes care of generating authentication URLs, handling token exchange and token refresh, and ensuring that up-to-date keys are available to your instances when they run.
Why use OAuth 2.0?
OAuth 2.0 has some advantages over other authentication mechanisms (like basic auth):
- OAuth 2.0 provides your users with a seamless authentication experience. They just need to click a "connect" button and then select "I approve" on a permissions consent screen, and the OAuth service takes care of the rest.
- Permissions are granular. Your customers can grant you permission to do specific tasks in their account, like "read Salesforce leads" or "write Slack messages". This gives customers peace of mind.
- Customers don't need to hand you their credentials. They don't enter a username and password for a third-party in your app. Instead, they authenticate with the third-party app, and your app is handed an access token with granular permission to do specific tasks. It's fine if they change their third-party password; they don't need to log in to your app and change their integration configuration, too.
- Tokens can generally be revoked at any time. Most apps have a screen that displays what apps have access to their account, where they can see things like Acme has read access to your Dropbox files. Those screens generally have a "revoke access" button
OAuth 2.0 grant types
The OAuth 2.0 framework supports several grant types, three of which are common for B2B integrations:
- Most common is the Authorization Code grant type. When one of your customers configures an integration, they click a "Connect to Dropbox" or "Connect my Salesforce" button. After logging in to the external app and consenting to give you permissions to their account, the user returns to a Prismatic callback URL, where the auth code they brought back is exchanged for an access token that you can use to access their data.
- The Client Credentials grant type is also common in integrations. Sometimes called the machine to machine (M2M) grant type, this process is a little more involved for your customer. They log in to their third-party app, generate a Client ID / Client Secret key pair, and enter their key into your integration's config wizard. That key pair is exchanged for an access token for the third-party app.
- While officially deprecated, the Password grant type prompts a user for their username and password for a third-party app. That username and password are exchanged for an access token.