Principles: Authentication - Fastway-Couriers-South-Africa/myFastway.ApiClient GitHub Wiki
Endpoint
Country | Endpoint | Verb | Paging | Description |
---|---|---|---|---|
ZA | https://identity.myfastway.co.za/connect/token | POST | n/a | returns bearer token |
To obtain a token, you will require a client_id, secret and scope to authenticate:
- client_id: obtained from the myfastway website under Admin | API
- secret: obtained from the myfastway website under Admin | API (treat it as a password: keep it out of source control and logs)
- scope: determined by country
country | scope |
---|---|
South Africa | ac-api-za |
Recommended practice for authentication
The API is secured using the OAuth2 Client Credentials flow. A token with a default lifetime of 60 minutes is returned after authenticating against the /connect/token endpoint of the Security Token Service (STS); the token response also carries the actual lifetime in seconds in its expires_in field.
The recommended practice for authentication is to:
- Make a call to the API with the current token attached (see "Using the (bearer) token" below)
- Check the response status code (401 indicates a missing, expired or otherwise rejected token)
- If a 401 response is returned:
  - obtain a new token via the /connect/token endpoint
  - retry the initial call once
  - a second 401, or any further error, indicates a more serious problem (for example a wrong client_id, secret or scope); at this point the retry loop should exit rather than keep requesting tokens
Cache the token and reuse it across calls until it expires; do not request a new token for every API call.
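The procedure above as an added example; this is not code from this wiki or from myFastway.ApiClient. It is a DelegatingHandler for .NET's HttpClient that fetches the client-credentials token from the documented endpoint, caches it until shortly before expires_in runs out, attaches it to every outgoing request, and on a 401 refreshes the token and retries exactly once. The class name, the 30 second expiry skew and the handling of concurrent refreshes are this example's own choices; the token endpoint, scope value and form fields are the ones this page documents.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler (added example, not part of myFastway.ApiClient). Targets .NET Core 3.0+ / .NET 5+.
public sealed class ClientCredentialsHandler : DelegatingHandler
{
    private static readonly TimeSpan Skew = TimeSpan.FromSeconds(30);   // refresh slightly before expiry
    private readonly HttpClient _tokenClient = new HttpClient();         // plain client: must not route through this handler
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);      // one token refresh at a time
    private readonly Uri _tokenEndpoint;
    private readonly string _clientId, _secret, _scope;
    private string _accessToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public ClientCredentialsHandler(Uri tokenEndpoint, string clientId, string secret, string scope)
        : base(new HttpClientHandler())
    {
        // The secret travels in the POST body, so refuse a plaintext token endpoint.
        if (tokenEndpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("token endpoint must use https", nameof(tokenEndpoint));
        _tokenEndpoint = tokenEndpoint;
        _clientId = clientId; _secret = secret; _scope = scope;
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // A sent HttpRequestMessage cannot be sent again, so buffer a copy before the first attempt.
        var retry = await CloneAsync(request);
        var token = await GetTokenAsync(null, ct);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        var response = await base.SendAsync(request, ct);
        if (response.StatusCode != HttpStatusCode.Unauthorized)
        {
            retry.Dispose();
            return response;
        }
        // 401: get a fresh token (unless another caller already replaced it) and retry exactly once.
        // A second 401 is handed back unchanged: it means wrong client_id/secret/scope, not an expired
        // token, and looping on it would only hammer the token endpoint.
        response.Dispose();
        retry.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetTokenAsync(token, ct));
        return await base.SendAsync(retry, ct);
    }

    private async Task<string> GetTokenAsync(string staleToken, CancellationToken ct)
    {
        await _gate.WaitAsync(ct);
        try
        {
            bool cachedIsUsable = _accessToken != null && _accessToken != staleToken
                                  && DateTimeOffset.UtcNow < _expiresAt - Skew;
            if (cachedIsUsable) return _accessToken;

            // FormUrlEncodedContent sets application/x-www-form-urlencoded and percent-encodes every value.
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "client_credentials",
                ["client_id"] = _clientId,
                ["client_secret"] = _secret,
                ["scope"] = _scope,
            });
            using var resp = await _tokenClient.PostAsync(_tokenEndpoint, form, ct);
            var body = await resp.Content.ReadAsStringAsync();
            if (!resp.IsSuccessStatusCode)
                throw new HttpRequestException($"token request failed: {(int)resp.StatusCode} {body}");
            using var doc = JsonDocument.Parse(body);
            _accessToken = doc.RootElement.GetProperty("access_token").GetString();
            // expires_in is in seconds; fall back to the 60 min default stated on this page if it is absent.
            int lifetime = doc.RootElement.TryGetProperty("expires_in", out var e) ? e.GetInt32() : 3600;
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(lifetime);
            return _accessToken;
        }
        finally { _gate.Release(); }
    }

    private static async Task<HttpRequestMessage> CloneAsync(HttpRequestMessage req)
    {
        var clone = new HttpRequestMessage(req.Method, req.RequestUri) { Version = req.Version };
        foreach (var h in req.Headers) clone.Headers.TryAddWithoutValidation(h.Key, h.Value);
        if (req.Content != null)
        {
            var bytes = await req.Content.ReadAsByteArrayAsync(); // buffers the body, so the original can still be sent
            clone.Content = new ByteArrayContent(bytes);
            foreach (var h in req.Content.Headers) clone.Content.Headers.TryAddWithoutValidation(h.Key, h.Value);
        }
        return clone;
    }
}
```

Wire it in with `new HttpClient(new ClientCredentialsHandler(new Uri("https://identity.myfastway.co.za/connect/token"), clientId, secret, "ac-api-za"))` and make every API call through that HttpClient; each request then carries the Authorization header described under "Using the (bearer) token" below, and the handler, not the calling code, deals with expiry and the single retry. The token HttpClient inside the handler is deliberately a separate instance: routing the token request through the handler itself would recurse.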
Using Discovery
The easiest way to wire up authentication is to use the IdentityModel client library (IdentityModel.Client), which understands the Security Token Service's discovery document. A token can be retrieved in a few lines of code:

```csharp
using IdentityModel.Client; // NuGet: IdentityModel (DiscoveryClient/TokenClient API)

// authority: the identity server base URL, e.g. https://identity.myfastway.co.za
var discoveryClient = new DiscoveryClient(authority) {
    Policy = new DiscoveryPolicy { RequireHttps = true } // refuse a plaintext token endpoint
};
var disco = await discoveryClient.GetAsync();
if (disco.IsError) throw new Exception(disco.Error);
var tokenClient = new TokenClient(disco.TokenEndpoint, clientId, secret);
var tokenResponse = await tokenClient.RequestClientCredentialsAsync(scope);
if (tokenResponse.IsError) throw new Exception(tokenResponse.Error);
return tokenResponse.AccessToken;
```

Check IsError on both the discovery and token responses rather than using the result blindly: a failed token request otherwise yields a null AccessToken and a misleading 401 later. Keep RequireHttps = true; it is the only thing stopping the secret from being posted to a plaintext endpoint if discovery is ever tampered with. DiscoveryClient and TokenClient come from the older IdentityModel releases; newer versions expose the same flow as extension methods on HttpClient.
Using HttpClient
The HttpClient method requires more setup, the key points being:
- Sending the four form fields (grant_type=client_credentials, client_id, client_secret and scope) as application/x-www-form-urlencoded. FormUrlEncodedContent sets that content type and percent-encodes each value; building the body string by hand breaks as soon as the secret contains a reserved character such as & or +.
- Parsing the JSON result to return the access_token

```csharp
using Newtonsoft.Json.Linq;
using System.Collections.Generic;
using System.Net.Http;
// FormUrlEncodedContent sets application/x-www-form-urlencoded and percent-encodes every value
var content = new FormUrlEncodedContent(new Dictionary<string, string> {
    ["grant_type"] = "client_credentials",
    ["client_id"] = clientId,
    ["client_secret"] = secret,
    ["scope"] = scope
});
var response = await httpClient.PostAsync($"{authority}/connect/token", content);
if (response.IsSuccessStatusCode) {
    var result = await response.Content.ReadAsStringAsync();
    return JObject.Parse(result)["access_token"].ToString();
}
return null; // token request rejected (wrong client_id, secret or scope); caller must not retry in a loop
```
Using Postman
Selecting OAuth 2.0 from the Authorization type drop-down lets you provide the token URL (https://identity.myfastway.co.za/connect/token), client_id, secret and scope, with the grant type set to Client Credentials.
Selecting Request Token, then Use Token, embeds a bearer Authorization header into your request.
Using Postman (form encoded)
Alternatively, send the token request yourself: POST to the token URL with a body of type x-www-form-urlencoded containing grant_type=client_credentials, client_id, client_secret and scope. The JSON response contains the access_token, which you then set as a Bearer token as described below.
Using the (bearer) token
Once a token is returned, it needs to be added to the header of each request. This can be done a number of ways using the debugging tools below, but ultimately each request issued to the API must carry an Authorization header using the Bearer scheme (the scheme name is case-insensitive):
Authorization: Bearer [your token]
Using OAuth2 in postman
Within Authorization, select 'OAuth 2.0' and click 'Get New Access Token'; you will be prompted with the 'Get New Token' dialog described above. Upon retrieving a token, it is automatically set in the header.
Setting bearer token in postman
Within Authorization, select 'Bearer Token' and paste your token into the Token field; it is automatically set in the header.
Manually setting the header in fiddler
Add a line to the request headers: Authorization: Bearer [your token]