User Login

If your app is single-user, you don’t need to use OAuth 2.0 to get Access Tokens and identify users, because you already received a valid Access Token during the App Registration process. However, you still need to read about Security and Privacy considerations.

If your app is multi-user, you will need to use OAuth 2.0 to get Access Tokens and identify users. Let’s go!

topoos provides two different OAuth 2.0 flows for user access and identification:

  • server-side (also known as the code flow in the protocol specification)
  • client-side (also known as the implicit flow).

The server-side flow is used when you need to perform operations on the topoos API from a secured web server.

The client-side flow is used when you need to make calls to the API from a client such as a native mobile application or a desktop application, where security is weaker.

Whichever flow you choose, the topoos OAuth 2.0 protocol implementation requires three distinct steps:

  1.  User Authentication
  2.  Approval of the application
  3.  Application Authentication

User authentication ensures that the user is who they claim to be. Application authorization ensures that the user knows exactly what data and capabilities are being granted to your application. Finally, application authentication ensures that the user is giving their information to your application and to no one else.

When these steps are completed, the application receives an access_token (also called an OAuth token) that allows it to access user information and take actions on the user's behalf.

In topoos, the OAuth 2.0 protocol implementation requires that tokens expire often. Because of this, the server-side flow provides a Refresh Token along with the Access Token. You can use this Refresh Token to get another valid Access Token when the expiration time is reached.
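As an added example (not topoos code), this is how a server-side client can cache the Access Token and fall back to the Refresh Token when the expiration time is reached. The token endpoint request is not described on this page, so it is abstracted behind an injected refresh_fn, and the sample token responses are constructed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class ReauthorizationRequired(Exception):
    """No usable Access Token can be obtained without sending the user through the flow again."""


@dataclass
class TokenManager:
    """Caches an Access Token and renews it with the Refresh Token shortly before it expires.

    refresh_fn is an assumed hook: it sends the Refresh Token to the token endpoint and
    returns the parsed token response. now_fn is injectable so the logic can be tested offline.
    """
    refresh_fn: Callable[[str], Dict]
    now_fn: Callable[[], float] = time.time
    margin: float = 30.0                    # renew this many seconds before expiry
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None     # stays None in the client-side (implicit) flow
    expires_at: float = 0.0

    def store(self, token_response: Dict) -> None:
        """Record a token response of the form {access_token, expires_in[, refresh_token]}."""
        self.access_token = token_response["access_token"]
        self.expires_at = self.now_fn() + float(token_response["expires_in"])
        # The server may rotate the Refresh Token; keep the current one if it does not.
        self.refresh_token = token_response.get("refresh_token", self.refresh_token)

    def is_expired(self) -> bool:
        return self.access_token is None or self.now_fn() >= self.expires_at - self.margin

    def get_access_token(self) -> str:
        if not self.is_expired():
            return self.access_token
        if self.refresh_token is None:
            # The implicit flow issues no Refresh Token, so only the user can obtain a new token.
            raise ReauthorizationRequired("no Refresh Token; rerun the authorization flow")
        try:
            self.store(self.refresh_fn(self.refresh_token))
        except Exception as exc:
            # A rejected refresh (revoked or expired Refresh Token) also needs the user again.
            self.access_token = None
            raise ReauthorizationRequired(f"refresh rejected: {exc}") from exc
        return self.access_token


if __name__ == "__main__":
    # Constructed responses standing in for the token endpoint.
    tm = TokenManager(refresh_fn=lambda rt: {"access_token": "AT2", "expires_in": 3600})
    tm.store({"access_token": "AT1", "expires_in": 20, "refresh_token": "RT1"})
    print(tm.get_access_token())            # inside the 30 s margin, so AT2 after a refresh
```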

Select the appropriate flow for your app and continue reading about it:

  • Read about Server-Flow (recommended if you have a web-server).
  • Read about Client-Flow (recommended for use on non-secure devices).

If you need a special scope, such as requesting the user's email, offline access or user profile data, we recommend reading this guide: Requesting special scope