question

John Borelli avatar image
John Borelli asked ·

Difference in oauth2 implementation for ring central

Hi, api wizards!

I've worked with OAuth2 to facilitate authentication with dozens of api's in PHP (ver 5.2 through 7.3), however, there seem to be some differences with how RingCentral uses OAuth and I'm struggling to get authentication to work.

  • I can't seem to identify how to specify permissions. Normally they're expressly listed in the authorize call. Are they implied by the user credentials in this case or am I missing how to set that request?
  • API docs give a longer than usual list of parameters as form data parameters but specify that the auth request is to be a GET action, no POST parameters allowed...so I'm confused by that.
  • One of my attempts in Postman returned the message, "No redirect uri is registered for the client". Is there a place that the uri might be specified first (before the auth call, possibly in the app...sandbox in this case) and I'm missing it?
  • Speaking of Postman, it would be much easier if someone had, or could share, the configuration in Postman for the auth leg. I'm sure the token request and refresh cycles won't be a problem from there...I just have to work out the auth leg and a Postman config would really simplify that...if so, THANK YOU!!!


Thanks in advance for all advice and/or help!



authenticationoauth2
1 |1500 characters needed characters left characters exceeded

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Anirban avatar image
Anirban answered ·

Let me try to provide you details by breaking it down.

For Authorization your application needs to define the authentication type.

For example, if your application supports Password flow type authentication, you can easily get the access token in a single oauth call.

url: https://platform.devtest.ringcentral.com/restapi/oauth/token  (in case of dev) 

Method: POST 

Body: username=+<your phone number>&password=<your password>&extension=101&grant_type=password

In response you will get the access_token and can use that to call all RingCentral APIs


If your application supports Authorization code which is also referred to as a "3-legged authorization flow"

You have to get the access_token in 2-3 steps

url: https://platform.devtest.ringcentral.com/restapi/oauth/authorize?response_type=code&redirect_uri=<your callback url>&client_id=<your client id>&display=page&prompt=

Now if for example your callback or redirect uri is https://www.getpostman.com/oauth2/callback then

then your Authorization flow first step will be:

url: https://platform.devtest.ringcentral.com/restapi/oauth/authorize?response_type=code&redirect_uri=https://www.getpostman.com/oauth2/callback&client_id=<your client id>&display=page&prompt= 

Method: GET

Now this redirect uri should be also mentioned in your application in OAuth Redirect uri

1607934397443.png

Note: you can give any url you like, but it should be same here in the application config as well in Authorization flow url redirect_uri


"No redirect uri is registered for the client" can comes if the API dont find the same redirect uri in application defined.

Once you hit the Authorization flow url with GET method (in browser), the API will take you to the Authorization page view permission. You can see the permission which you mentioned in your question "I can't seem to identify how to specify permissions. "

You need to Authorize the application and browser is then redirected to the "Redirect URI" you’ve provided in the request. Some thing like this:

https://app.getpostman.com/oauth2/callback?code=<Your code>


Once you get this code in url, you can use this code to exchange access_token in next API call as below:

url: https://platform.devtest.ringcentral.com/restapi/oauth/token  

Method: POST 

Body: client_id=<your client id>&code=<the code you got in previous step in browser> &redirect_uri=https://www.getpostman.com/oauth2/callback&grant_type=authorization_code


And now you will get your access token


Your question on "API docs give a longer than usual list of parameters as form data parameters but specify that the auth request is to be a GET action, no POST parameters allowed. "

I have mentioned the steps, url and their method GET/POST. Hope you can now able to resolve any issue you are getting


1607934397443.png (8.5 KiB)
1 |1500 characters needed characters left characters exceeded

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

John Borelli avatar image
John Borelli answered ·

@Anirban,

Thank you so much! This answers a lot and the thorough explanation is very helpful. One question about the 'password flow' then, because I think (it sounds like) I may have been getting docs mixed up between that and the three legged course.

For this integration anyway, it's for one specific app and only them, and it's only going to be for basic contact details to push into Infusionsoft (CRM/Marketing SaaS). So it sounds like I can just use that approach without any concern...or is there something I might be missing?


Thanks so much again, you're awesome!

1 comment
1 |1500 characters needed characters left characters exceeded

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Password flows are easy to implement. The application required user's credentials and the whole process can be done in single steps and very useful in private applications used with an organisation.

However for public application outside the organisation where there will be large number of users involved example web application or public webservice, Authorization flows are considered to be more secure as it will grant permission to user's account each time without exchanging user's credentials with 3rd party.

Which kind of Oauth grant type is suitable, you can check here: https://developers.ringcentral.com/guide/authentication

0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.