Jess McKenzie

Reputation: 8385

OAuth without user interaction

I am in the process of linking another API with our Cloudbeds API. I am a bit lost with the OAuth for this API, as my goal is to somehow interact with Cloudbeds without human interaction, since I would run the script via cron.

Is it possible, and if so how, to have OAuth with userless interaction?

Upvotes: 2

Views: 2197

Answers (1)

João Angelo

Reputation: 57658

There's one OAuth 2.0 flow that does not require any kind of human intervention: the client credentials grant. As illustrated in the image, there is no separate resource owner involved in the flow, because the client application acts on its own behalf.

Client Credentials Grant (source: API Auth: Client Credentials Grant)

The most common scenario for this is when the client application wants to only access resources under its control, although the specification also mentions that it could in theory be requesting access to resources under the control of another resource owner; a real user.

The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).

(emphasis is mine, source: section 4.4 of OAuth2 RFC)

Another possibility is to require a one-time interaction with the user and then use refresh tokens to be able to continue to perform requests on behalf of the user without further interactions, either forever or until the user revokes that access. The authorization code grant with a client application that can use refresh tokens would be suitable for this.

Upvotes: 2
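
Added example, not part of the answer above and not Cloudbeds code: a cron-style Python client that builds the token request for both options the answer names, the client credentials grant (RFC 6749 section 4.4) and the refresh token grant (section 6), and tracks token expiry. The token URL and the environment variable names are placeholders; which grants a given API accepts depends on that provider.

```python
import base64, json, os, time
import urllib.parse, urllib.request

TOKEN_URL = "https://auth.example.com/oauth/token"  # placeholder endpoint (assumption)

def build_token_request(token_url, client_id, client_secret, refresh_token=None, scope=None):
    """Build (without sending) a client_credentials or refresh_token request."""
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must use TLS; credentials travel in this request")
    if refresh_token:
        form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    else:
        form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    # Client authentication via HTTP Basic (RFC 6749 section 2.3.1): form-encode, then Base64.
    enc = urllib.parse.quote_plus
    basic = base64.b64encode(f"{enc(client_id)}:{enc(client_secret)}".encode()).decode()
    return urllib.request.Request(
        token_url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(body, now=None, skew=60):
    """Parse the JSON token response; raise on an error response."""
    data = json.loads(body)
    if "error" in data or "access_token" not in data:
        raise RuntimeError(f"token request failed: {data.get('error', 'no access_token')}")
    now = time.time() if now is None else now
    # Treat the token as expired `skew` seconds early to absorb clock drift and latency.
    data["expires_at"] = now + int(data.get("expires_in", 0)) - skew
    return data

def needs_new_token(token, now=None):
    """True when there is no cached token or it has reached its expiry."""
    now = time.time() if now is None else now
    return token is None or now >= token["expires_at"]

if __name__ == "__main__":
    # Cron entry point: secrets come from the environment, never from the script or the URL.
    req = build_token_request(TOKEN_URL, os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"],
                              refresh_token=os.environ.get("REFRESH_TOKEN"))
    with urllib.request.urlopen(req, timeout=10) as resp:
        token = parse_token_response(resp.read())
    print("token valid until", time.ctime(token["expires_at"]))
```

If the server returns a new `refresh_token` in the response, store it in place of the old one, since some servers rotate refresh tokens on each use.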
