All resource API queries, be it to the Storefront API or Admin API, require a valid access token. The role of the OAuth API is to retrieve tokens that will provide access to the protected resources.
The Authorization Framework
Appibase uses the OAuth 2.0 Authorization Framework (OAuth 2.0), an open specification, to authorize access to protected resources.
Consistent with the Framework, the following roles are defined:
- Authorization Server: the server issuing Access Tokens to the Client application after successfully authenticating the Resource Owner and obtaining authorization. This is the OAuth API.
- Resource Server: the server hosting the protected resources, accepting and responding to protected resource requests using Access Tokens. This would be the API you want to access, namely the Storefront API or Admin API.
- Resource Owner: the entity granting access to a protected resource. This can be an End-User or a Client application.
- End-User: when the Resource Owner is a person, it is referred to as an end-user. This would be represented by Appibase’s user i.e. the User model, or the Storefront’s user i.e. the Customer model.
- Client: the application making protected resource requests on behalf of an End-User or on its own behalf.
- User-Agent: the agent used by the End-User to interact with the Client e.g. a browser or a native application.