Authentication and Authorisation

The Saasu API supports 2 forms of authentication, namely authentication keys and OAuth 2. Authentication keys are what were used in older versions of Saasu API are are still supported but will eventually be phased out in favour of OAuth 2.

Authentication keys (wsAccessKey and FileId)

This method of authentication has been in use in the Saasu API since its inception and requires the specification of the following query parameters:

  • wsAccessKey This is an access key generated by the Saasu application and can be retrieved by going to the 'Settings - Web Services' option in the Saasu web application.
  • FileId This is the Id of your file you are trying to access via the API can be retrieved by going to the 'Settings - Web Services' option in the Saasu web application.

For example, http://api.saasu.com/contacts?wsAccessKey=34A88520A8244D2FA1DBFECC34677E3B&FileId=12345

Please note:This authentication mechanism will be phased out sometime in the future, however more information on this can be found here around its use with the older API.

OAuth 2 Authentication flow

OAuth 2 basic authentication flow requires that you first obtain an access token and a refresh token. Once these are obtained you then only need to use the dynamically generated access token to access the API. Periodically, this access token will expire and you will use the refresh token to obtain a new access token, and continue using the API.

Grant types, access tokens and refresh tokens

The OAuth 2 specification (full specification here) lists various grant types that can be used to obtain an access token. Currently the Saasu API only supports the password credential grant (Details here)

Password credential grant flow

If using the Saasu supplied .Net client, this flow is taken care of for you, however other clients will need to implement this flow to be able to use OAuth 2.

  1. The client must first issue a HTTP POST to https://api.saasu.com/authorisation/token which contains the following content in the body: "grant_type": "password", "username":"johndoe", "password":"ABC123", "scope":"full" so that the entire post looks something like
                             POST /token HTTP/1.1
                             Host: api.saasu.com
                             Content-Type: application/json
    
                            {  
                              "grant_type":"password",
                              "username":"username@test.com",
                              "password":"password",
                              "scope":"full"
                            }
                        
  2. Assuming the client is authenticated correctly with the username and password, then the server responds with a the data corresponding to an access_token, refresh_token, and expires_in values similar to what is shown below
                             HTTP/1.1 200 OK
                             Content-Type: application/json;charset=UTF-8
                             Cache-Control: no-store
                             Pragma: no-cache
                             {
                               "access_token":"2YotnFZFEjr1zCsicMWpAA",
                               "token_type":"example",
                               "expires_in":3600,
                               "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
                               "scope","FileId:12345 FileId:65432 FileId:98765"
                             }
                        
  3. The client can then use the access_token in subsequent requests to the API by embedding the access token into each HTTP request using the Authentication header and the Bearer identifier to signnify a token type as shown in the example below.
                             GET /contacts HTTP/1.1
                            Host: api.saasu.com
                            Authorization: Bearer yourAccessTokenGoesHere
                        
  4. The access token will typically expire in a short time as indicated by the expires_in parameter in the initial grant request. This parameter is an indicator in seconds, of when the access token will expire. The client can either wait for the token to expire, or pre-emptively request the access token be refreshed by issuing a HTTP POST request to authorisation/refresh endpoint and specifying a grant_type of refresh_token and a parameter of refresh_token with the actual refresh token originally issued. This is shown in the example below:
                             POST authorisation/refresh HTTP/1.1
                             Host: api.saasu.com
                             Content-Type: application/json
                             {  
                              "grant_type":"refresh_token",
                              "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
    }                        }
                        
    This will return the same response as the initial access token request.

Scope

OAuth 2 also supports the notion of a scope parameter when making the initial grant request. Currently Saasu API does not support any incoming scope parameters but may do so in the future.

Saasu does return the list of file id's that the user has access to via the scope when returning the response to the intial grant request. The file id's will be space separated as part of the scope value as shown in the following example:

                    HTTP/1.1 200 OK
                    Content-Type: application/json;charset=UTF-8
                    Cache-Control: no-store
                    Pragma: no-cache
                    {
                    "access_token":"2YotnFZFEjr1zCsicMWpAA",
                    "token_type":"example",
                    "expires_in":3600,
                    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
                    "scope","FileId:12345 FileId:65432 FileId:98765"
                    }
            

Authentication flow