I am trying to call the Workday REST API in my .NET MVC application and am having trouble with the oAuth 2.0 aspect of it. Although in my case I am talking about Workday in particular, I think what I am not understanding can apply to any oAuth 2.0 enabled API. I am trying to use the Authorization Code Grant type.
My understanding of the flow for oAuth 2 is as follows:
1) I send a GET request to an authorize endpoint
2) The user has to log in using their credentials
3) At this point, a response is sent from the API with the Authorization Code Grant in the response
4) Now I can make a POST request to exchange the Authorization Code for an Access Token
5) A response is sent back with an Access Token
6) Now I can freely use that Access Token to make GET requests
Conceptually I understand this just fine, but technically, I am getting tripped up moving from step 1 to step 2:
I assume I make the GET request in step 1 from my server (since CORS policy won't allow it to come from my front-end). In that case, I have noticed that the response I get from the api is html with the login page on it. What is a typical process, then, for passing that html to the front-end, having the user login and then moving on to step 3.
Furthermore, there is a field called Redirect URL in the API client configuration, which I assume is where the API will send the response with the Authorization Code Grant, and I also assume should be an action on my controller, but how do I get and consume that response on my page?
I hope this all makes sense.
I can't seem to wrap my head around this.
Upvotes: 2
Views: 8551
The two authorization flows supported for the Workday REST API are:
and each authorization flow can use either type of access token:
You will use the authorization flow and the token type that you specified when you registered your client (using the Register API client task on WD).
During the initial authorization request, the current user will be presented with a login page for the tenant, if not already logged in, and will be presented with a consent page, asking to approve or deny access to Workday resources, if using the client for the first time. From that point onward, your API client will have access to Workday resources as the grant would be approved. You should not have to re-approve the grant.
Basically this would be a one-off exercise to create your authorisation flow, and from then on you can use your tokens in the headers of your requests.
Highly recommend that you read through the complete documentation on oAuth for WD Api here https://community.workday.com/rest/oauth
With regards to the redirection uri, you can read more here of what it is and why it is necessary https://www.rfc-editor.org/rfc/rfc6749#section-3.1
Upvotes: 2
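The flow described in the question and the answer above, as an added example that is not part of the original question, the answer, or Workday's own documentation. It is an ASP.NET MVC 5 controller that implements the Authorization Code Grant of RFC 6749: step 1 is a browser redirect rather than a server-side GET (so the login and consent HTML are rendered by the authorization server in the user's browser and never pass through your server), the registered Redirect URI is the `Callback` action, and the code is exchanged for tokens server to server. The endpoint URLs, client id, client secret, redirect URI, API path, the `oauth_state` session key and the `TokenResponse` field names are placeholders and assumptions; the real values come from the tenant's API client registration. The `state` parameter, checked with a constant-time comparison, is what ties the callback to the session that started the flow and blocks CSRF against the redirect endpoint (RFC 6749 section 10.12).

```csharp
// Added example, not code from the original page. Endpoints, ids and secrets
// below are placeholders; take the real ones from the API client registration.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Newtonsoft.Json;

public class OAuthController : Controller
{
    // Placeholders (assumed values); in a real app read them from configuration/secret store.
    private const string AuthorizeEndpoint = "https://example.com/oauth2/authorize";
    private const string TokenEndpoint     = "https://example.com/oauth2/token";
    private const string ClientId          = "YOUR_CLIENT_ID";
    private const string ClientSecret      = "YOUR_CLIENT_SECRET"; // stays server-side, never in the page
    // Must match the Redirect URI registered for the client byte-for-byte.
    private const string RedirectUri       = "https://myapp.example.com/OAuth/Callback";

    private static readonly HttpClient Http = new HttpClient();

    // Step 1: do not GET the authorize URL from the server. Redirect the user's
    // browser there; the authorization server renders login/consent itself (steps 2-3).
    public ActionResult Start()
    {
        string state = GenerateState();
        Session["oauth_state"] = state; // bound to this user's session, checked in Callback

        var query = HttpUtility.ParseQueryString(string.Empty); // URL-encodes on ToString()
        query["response_type"] = "code";
        query["client_id"]     = ClientId;
        query["redirect_uri"]  = RedirectUri;
        query["state"]         = state;
        return Redirect(AuthorizeEndpoint + "?" + query);
    }

    // Step 3: the authorization server redirects the browser to the registered
    // Redirect URI, i.e. this action. code/state (or error) arrive as query parameters.
    public async Task<ActionResult> Callback(string code, string state, string error)
    {
        string expected = Session["oauth_state"] as string;
        Session.Remove("oauth_state"); // single use
        if (expected == null || state == null || !FixedTimeEquals(expected, state))
            return new HttpStatusCodeResult(400, "state mismatch");
        if (!string.IsNullOrEmpty(error))
            return new HttpStatusCodeResult(400, "authorization denied: " + error);
        if (string.IsNullOrEmpty(code))
            return new HttpStatusCodeResult(400, "missing code");

        // Steps 4-5: exchange the one-time code for tokens, server to server.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type",    "authorization_code" },
            { "code",          code },
            { "redirect_uri",  RedirectUri }, // must equal the value sent in Start()
            { "client_id",     ClientId },
            { "client_secret", ClientSecret },
        });
        HttpResponseMessage resp = await Http.PostAsync(TokenEndpoint, form);
        string body = await resp.Content.ReadAsStringAsync();
        if (!resp.IsSuccessStatusCode)
            return new HttpStatusCodeResult(502, "token endpoint returned " + (int)resp.StatusCode);

        var token = JsonConvert.DeserializeObject<TokenResponse>(body);
        Session["access_token"]  = token.AccessToken;  // keep tokens server-side only
        Session["refresh_token"] = token.RefreshToken;
        return RedirectToAction("Index", "Home");
    }

    // Step 6: call the API with the access token as a Bearer credential.
    public async Task<ActionResult> Workers()
    {
        string accessToken = Session["access_token"] as string;
        if (accessToken == null) return RedirectToAction("Start");

        var req = new HttpRequestMessage(HttpMethod.Get, "https://example.com/api/v1/workers"); // assumed path
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        HttpResponseMessage resp = await Http.SendAsync(req);
        return Content(await resp.Content.ReadAsStringAsync(), "application/json");
    }

    // 256-bit random state, URL-safe base64 without padding.
    private static string GenerateState()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Constant-time string comparison so timing does not leak the expected state.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private class TokenResponse
    {
        [JsonProperty("access_token")]  public string AccessToken  { get; set; }
        [JsonProperty("refresh_token")] public string RefreshToken { get; set; }
        [JsonProperty("token_type")]    public string TokenType    { get; set; }
        [JsonProperty("expires_in")]    public int    ExpiresIn    { get; set; }
    }
}
```

To start the flow, point a link or button at `/OAuth/Start`; the user comes back to `/OAuth/Callback` with a code, and only then does your server talk to the token endpoint. Two checks worth keeping: the redirect URI in the token request must be identical to the one used in the authorization request (and to the registered one), and a callback whose `state` does not match the session's stored value must be rejected rather than processed.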