# Using OAuth
To enable OAuth on the LRS (it is off by default), set the OAUTH_ENABLED flag in settings to True. If you are not yet a registered user on the LRS, register first (/XAPI/register): only registered users can register a client. The following sections describe the OAuth1 and OAuth2 workflows in more detail.
## OAuth1
Once you are registered, create an OAuth1 client at the OAuth client registration page (/XAPI/regclient). You will be asked to supply a client name, a description and, if you are using the RSA signature workflow, that as well. Once your client has been registered, you will be assigned a Client Identifier and a Client Shared-Secret.
1. Request (GET) the temporary credentials from the Request Token endpoint (/XAPI/OAuth/initiate). Your Authorization header should contain at minimum the oauth_consumer_key (client identifier), oauth_signature_method, scope, oauth_callback and oauth_signature parameters. For the full set of required and optional parameters, see the OAuth 1.0a spec. Note that scope is not part of the OAuth1 spec; it is specific to the xAPI spec.
2. The LRS responds with the oauth_token, oauth_token_secret and oauth_callback_confirmed.
3. Your client should redirect you to the LRS authorization endpoint (/XAPI/OAuth/authorize) with the oauth_token. There you confirm the scope of the client and give it permission to act on your behalf.
4. The LRS then redirects you back to your client, via your oauth_callback, with the oauth_token and oauth_verifier. If you used 'oob' (out of band) as your oauth_callback, the LRS instead generates the oauth_verifier and asks you to enter it into your client.
5. Your client should then make a GET request to the LRS access token endpoint (/XAPI/OAuth/token) with at least the following header parameters: oauth_consumer_key, oauth_token, oauth_signature_method, oauth_verifier and oauth_signature.
6. The LRS validates the request and, if successful, returns the oauth_token and oauth_token_secret.
7. You are then free to make authorized requests by including at minimum the following header parameters: oauth_consumer_key, oauth_token, oauth_signature_method and oauth_signature.
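The signing that steps 1, 5 and 7 rely on is easiest to see in code. The following is an added example, not code from the ADL LRS or from its client examples: it builds the HMAC-SHA1 Authorization header for the temporary-credentials request (step 1), signing the xAPI scope parameter along with the standard ones, and then shows the checks a server performs before trusting such a header (timestamp window, nonce replay, client lookup, constant-time signature comparison). The client key and secret, the host lrs.example, the nonce and the 300-second skew window are constructed values for the demonstration, not LRS defaults.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters are left alone."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lower-cased, default ports dropped, query and fragment removed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def signature_base_string(method, url, params):
    """Method, base URI and normalized parameters joined by '&' (RFC 5849 section 3.4.1)."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in list(params.items()) + query
                   if k not in ("oauth_signature", "realm"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is client secret and token secret joined by '&'; the token secret is empty before step 2."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def build_initiate_header(consumer_key, consumer_secret, url, callback, scope, nonce=None, timestamp=None):
    """Authorization header for the temporary-credentials request (step 1 above)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_urlsafe(16),
        "oauth_callback": callback,
        "oauth_version": "1.0",
        "scope": scope,  # xAPI addition; it is signed like every other parameter
    }
    params["oauth_signature"] = hmac_sha1_signature(signature_base_string("GET", url, params), consumer_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


def parse_oauth_header(header):
    """Split 'OAuth k="v", k2="v2"' back into a dict, decoding the percent-encoded values."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth 1.0 Authorization header")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        params[unquote(key)] = unquote(value.strip('"'))
    return params


def verify_oauth1_request(method, url, header, lookup_secret, seen_nonces, now, max_skew=300):
    """Server-side check: fresh timestamp, unused nonce, known client, matching signature."""
    try:
        params = parse_oauth_header(header)
        timestamp = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False
    if params.get("oauth_signature_method") != "HMAC-SHA1" or abs(now - timestamp) > max_skew:
        return False
    nonce_key = (params.get("oauth_consumer_key"), str(timestamp), params.get("oauth_nonce"))
    if nonce_key in seen_nonces:
        return False  # replayed request: same client, timestamp and nonce seen before
    secret = lookup_secret(params.get("oauth_consumer_key"))
    if secret is None:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, params), secret)
    if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
        return False
    seen_nonces.add(nonce_key)
    return True


if __name__ == "__main__":
    # Constructed client credentials; a real LRS assigns these at /XAPI/regclient.
    url = "https://lrs.example/XAPI/OAuth/initiate"
    header = build_initiate_header("demo-key", "demo-secret", url, "oob", "statements/write")
    print(header)
    print(verify_oauth1_request("GET", url, header, {"demo-key": "demo-secret"}.get, set(), int(time.time())))
```

Steps 5 and 7 sign the same way, except that oauth_token (and oauth_verifier in step 5) joins the parameter set and the oauth_token_secret returned in step 2 or step 6 becomes the second half of the HMAC key. Because the method, the URL and every parameter are inside the base string, changing any of them (the scope, for instance) invalidates the signature, which is the property the verifier side depends on.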
## OAuth2 (Authorization Code Grant flow)
1. The client makes a GET request to the OAuth2 authorization endpoint (/XAPI/oauth2/authorize) with at least the following parameters: response_type, client_id and scope.
2. The LRS validates the request and confirms the scope. If the request is valid, the LRS redirects the user back to the client, via the redirect_uri, with at least the code value.
3. The client makes a POST to the access token endpoint (/XAPI/oauth2/access_token) with the following parameters: grant_type, code, redirect_uri and client_id.
4. The LRS responds with the access_token, token_type, expires_in and an optional refresh_token.
5. You are free to make authorized requests with the client on behalf of the user by sending "Bearer <access_token>" in the HTTP Authorization header.
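The exchange above, with both sides in one process, as an added example that is not the LRS's code: a toy authorization server stands in for the two LRS endpoints and a toy client drives the five steps, ending with a Bearer request against a protected resource. The checks the server applies (exact match of redirect_uri against the registered value, single-use and expiring codes, the code bound to the client_id and redirect_uri it was issued for, scope enforced on the resource) and the client's state parameter are drawn from the OAuth 2.0 standard, not from anything this page states about the LRS's implementation; the client_secret on the token request, the client id, secret, URIs, user name and lifetimes are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

CODE_TTL = 60       # constructed policy: seconds an authorization code stays valid
TOKEN_TTL = 3600    # constructed policy: seconds an access token stays valid


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    scope: str
    user: str
    expires_at: float
    used: bool = False


class ToyAuthorizationServer:
    """In-memory stand-in for the LRS side of the flow (not the real LRS code)."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> {"secret": str, "redirect_uris": set}
        self.codes = {}
        self.tokens = {}

    def authorize(self, params, user, now):
        # Steps 1 and 2: validate the authorization request and redirect back with a code.
        client = self.clients.get(params.get("client_id"))
        if client is None or params.get("response_type") != "code":
            raise ValueError("invalid_request")
        redirect_uri = params.get("redirect_uri")
        if redirect_uri not in client["redirect_uris"]:
            # Exact match against the registered URI; never redirect to an unregistered one.
            raise ValueError("invalid_redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(params["client_id"], redirect_uri,
                                    params.get("scope", ""), user, now + CODE_TTL)
        # The client's state value is echoed back unchanged so the client can check it.
        return redirect_uri + "?" + urlencode({"code": code, "state": params.get("state", "")})

    def access_token(self, form, now):
        # Steps 3 and 4: exchange the code for an access token.
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            raise ValueError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        ac = self.codes.get(form.get("code"))
        if ac is None or ac.used or now > ac.expires_at:
            raise ValueError("invalid_grant")          # unknown, replayed or expired code
        if ac.client_id != form["client_id"] or ac.redirect_uri != form.get("redirect_uri"):
            raise ValueError("invalid_grant")          # code was issued to another client or redirect
        ac.used = True                                 # codes are single use
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": ac.user, "scope": ac.scope, "expires_at": now + TOKEN_TTL}
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL,
                "refresh_token": secrets.token_urlsafe(32)}   # the refresh grant itself is not modelled

    def resource(self, headers, required_scope, now):
        # Step 5: a protected resource checks the Bearer token and its scope.
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        tok = self.tokens.get(token) if scheme == "Bearer" else None
        if tok is None or now > tok["expires_at"]:
            return 401
        return 200 if required_scope in tok["scope"].split() else 403


class ToyClient:
    def __init__(self, client_id, secret, redirect_uri):
        self.client_id, self.secret, self.redirect_uri, self.state = client_id, secret, redirect_uri, None

    def authorize_params(self, scope):
        self.state = secrets.token_urlsafe(16)       # per-request anti-CSRF value
        return {"response_type": "code", "client_id": self.client_id, "scope": scope,
                "redirect_uri": self.redirect_uri, "state": self.state}

    def code_from_redirect(self, url):
        q = parse_qs(urlsplit(url).query)
        if q.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch")       # response is not tied to a request this client made
        return q["code"][0]

    def token_form(self, code):
        return {"grant_type": "authorization_code", "code": code, "redirect_uri": self.redirect_uri,
                "client_id": self.client_id, "client_secret": self.secret}


def run_flow(now=1_700_000_000.0):
    """Walk the happy path once and return the pieces worth inspecting afterwards."""
    clients = {"demo-client": {"secret": "demo-secret", "redirect_uris": {"https://app.example/cb"}}}
    lrs = ToyAuthorizationServer(clients)
    app = ToyClient("demo-client", "demo-secret", "https://app.example/cb")
    redirect = lrs.authorize(app.authorize_params("statements/write statements/read"), "alice", now)
    code = app.code_from_redirect(redirect)
    token = lrs.access_token(app.token_form(code), now + 5)
    headers = {"Authorization": f"Bearer {token['access_token']}"}
    return {"lrs": lrs, "app": app, "code": code, "token": token, "headers": headers, "now": now}


if __name__ == "__main__":
    result = run_flow()
    print(result["token"]["token_type"],
          result["lrs"].resource(result["headers"], "statements/write", result["now"] + 10))
```

Running `run_flow()` yields a token whose Bearer header is accepted for the scope the user confirmed and rejected for any other; presenting the same code a second time, a redirect_uri the client never registered, or a redirect whose state does not match the request all fail before any token is issued.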
View our OAuth examples [here](https://github.com/adlnet/experienceapi_client_examples).