What's OAuth2?
OAuth 2 is the industry-standard protocol for authorization. OAuth defines four roles:
Resource Owner: User
Client: Application
Resource Server: hived
Authorization Server: Hivesigner
The implicit grant flow works as follows: the user is asked to authorize the application, then the authorization server passes the access token directly back to the application. The implicit grant type is used for mobile apps and web applications where the confidentiality of the client secret cannot be guaranteed. This flow does not authenticate the identity of the application; it relies on the registered redirect URI to serve that purpose.
Step 1: Implicit authorization link
With the implicit grant type, the user is presented with an authorization link that requests a token from the API. This link looks like this:
Step 2: User authorizes application
When the user clicks the link, they must first log in to the service to authenticate their identity (unless they are already logged in). Then the service prompts them to authorize the application to post on their behalf.
Step 3: Application receives access token
If the user authorizes the application, the service redirects the user to the application's redirect URI, which was specified during client registration, along with an access token. The redirect would look something like this (assuming the application is "example.com"):
To get offline permission you need to use the authorization code flow and add the scope "offline" along with the other permissions you need. You would send your user to a page like this:
https://hivesigner.com/oauth2/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&scope=offline,comment,vote,comment_option,custom_json
You will then receive a code which can be used to get a refresh_token. The refresh token does not expire, and you can create an access_token at any time with it. With the code you will need to send a request to the Hivesigner API at
https://hivesigner.com/api/oauth2/token?code=THE_CODE_YOU_GOT&client_secret=YOUR_APP_SECRET
This request must be made from your server; don't make your app secret public. It is also recommended to send the code and secret inside the body of a POST request, instead of a GET request with URL parameters.
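The code flow just described, as an added example in Python (not Hivesigner's own SDK or documentation code): it builds the authorization link with the "offline" scope, checks the redirect back to the app, and prepares the token exchange so that the secret only ever leaves the server in a POST body. The `state` parameter and the form-encoded request body are assumptions, not taken from the page.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request, urlopen

AUTHORIZE_URL = "https://hivesigner.com/oauth2/authorize"  # from the page
TOKEN_URL = "https://hivesigner.com/api/oauth2/token"      # from the page


def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Step 1: the link the user is sent to. 'offline' must be among the scopes or no
    refresh_token is issued later. `state` is the standard OAuth 2 anti-CSRF value,
    stored in the user's session before the redirect (Hivesigner support assumed)."""
    if "offline" not in scopes:
        raise ValueError("add the 'offline' scope to obtain a refresh_token")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": ",".join(scopes),  # Hivesigner takes a comma-separated scope list
    }
    if state is not None:
        params["state"] = state
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the code out of the redirect back to the app, refusing a missing
    or mismatched state (a login result this app never initiated)."""
    qs = parse_qs(urlparse(callback_url).query)
    if expected_state is not None and qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: refusing the callback")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]


def build_token_request(code, client_secret):
    """Step 3, server side only: this carries the app secret, so it never runs in the
    browser or mobile app. Code and secret travel in a POST body, not the query string,
    so they stay out of URL logs (form encoding of the body is an assumption)."""
    body = urlencode({"code": code, "client_secret": client_secret}).encode()
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def exchange_code(code, client_secret):
    """Send the token request; the JSON response carries the refresh_token."""
    with urlopen(build_token_request(code, client_secret), timeout=10) as resp:
        return json.loads(resp.read().decode())
```

Only `exchange_code` touches the network; the other three functions can be unit-tested offline, which is how a server-side handler should be checked before it ever holds a real secret.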
Scopes provide access to certain operations. The application should only request the scopes it requires.
Once the application has an access token, it may use the token to access the user's account or broadcast posting operations via the API, limited to the granted scope, until the token expires or is revoked.
Here is an example of an API request using curl. Note that it includes the access token:
curl -H "Authorization: ACCESS_TOKEN" https://hivesigner.com/api/me
Broadcast a transaction
Here is an example POST request, using the access token to broadcast a vote for the user: