Hi, api wizards!
I've worked with OAuth2 to facilitate authentication with dozens of api's in PHP (ver 5.2 through 7.3), however, there seem to be some differences with how RingCentral uses OAuth and I'm struggling to get authentication to work.
- I can't seem to identify how to specify permissions. Normally they're expressly listed in the authorize call. Are they implied by the user credentials in this case or am I missing how to set that request?
- API docs give a longer than usual list of parameters as form data parameters but specify that the auth request is to be a GET action, no POST parameters allowed...so I'm confused by that.
- One of my attempts in Postman returned the message, "No redirect uri is registered for the client". Is there a place that the uri might be specified first (before the auth call, possibly in the app...sandbox in this case) and I'm missing it?
- Speaking of Postman, it would be much easier if someone had, or could share, the configuration in Postman for the auth leg. I'm sure the token request and refresh cycles won't be a problem from there...I just have to work out the auth leg and a Postman config would really simplify that...if so, THANK YOU!!!
Thanks in advance for all advice and/or help!
Thank you so much! This answers a lot and the thorough explanation is very helpful. One question about the 'password flow' then, because I think (it sounds like) I may have been getting docs mixed up between that and the three legged course.
For this integration anyway, it's for one specific app and only them, and it's only going to be for basic contact details to push into Infusionsoft (CRM/Marketing SaaS). So it sounds like I can just use that approach without any concern...or is there something I might be missing?
Thanks so much again, you're awesome!
Password flows are easy to implement. The application required user's credentials and the whole process can be done in single steps and very useful in private applications used with an organisation.
However for public application outside the organisation where there will be large number of users involved example web application or public webservice, Authorization flows are considered to be more secure as it will grant permission to user's account each time without exchanging user's credentials with 3rd party.
Which kind of Oauth grant type is suitable, you can check here: https://developers.ringcentral.com/guide/authentication
Let me try to provide you details by breaking it down.
For Authorization your application needs to define the authentication type.
For example, if your application supports Password flow type authentication, you can easily get the access token in a single oauth call.
url: https://platform.devtest.ringcentral.com/restapi/oauth/token (in case of dev) Method: POST Body: username=+<your phone number>&password=<your password>&extension=101&grant_type=password
In response you will get the access_token and can use that to call all RingCentral APIs
If your application supports Authorization code which is also referred to as a "3-legged authorization flow"
You have to get the access_token in 2-3 steps
url: https://platform.devtest.ringcentral.com/restapi/oauth/authorize?response_type=code&redirect_uri=<your callback url>&client_id=<your client id>&display=page&prompt=
Now if for example your callback or redirect uri is https://www.getpostman.com/oauth2/callback then
then your Authorization flow first step will be:
url: https://platform.devtest.ringcentral.com/restapi/oauth/authorize?response_type=code&redirect_uri=https://www.getpostman.com/oauth2/callback&client_id=<your client id>&display=page&prompt= Method: GET
Now this redirect uri should be also mentioned in your application in OAuth Redirect uri
Note: you can give any url you like, but it should be same here in the application config as well in Authorization flow url redirect_uri
"No redirect uri is registered for the client" can comes if the API dont find the same redirect uri in application defined.
Once you hit the Authorization flow url with GET method (in browser), the API will take you to the Authorization page view permission. You can see the permission which you mentioned in your question "I can't seem to identify how to specify permissions. "
You need to Authorize the application and browser is then redirected to the "Redirect URI" you’ve provided in the request. Some thing like this:
https://app.getpostman.com/oauth2/callback?code=<Your code>
Once you get this code in url, you can use this code to exchange access_token in next API call as below:
url: https://platform.devtest.ringcentral.com/restapi/oauth/token Method: POST Body: client_id=<your client id>&code=<the code you got in previous step in browser> &redirect_uri=https://www.getpostman.com/oauth2/callback&grant_type=authorization_code
And now you will get your access token
Your question on "API docs give a longer than usual list of parameters as form data parameters but specify that the auth request is to be a GET action, no POST parameters allowed. "
I have mentioned the steps, url and their method GET/POST. Hope you can now able to resolve any issue you are getting
A new Community is coming to RingCentral!
Posts are currently read-only as we transition into our new platform.We thank you for your patience
during this downtime.
Try Workflow Builder
Did you know you can easily automate tasks like responding to SMS, team messages, and more? Plus it's included with RingCentral Video and RingEX plans!Try RingCentral Workflow Builder
