OAuth 2.0

OAuth 2.0 is available for API clients. OAuth is "an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications". Socialcast added this functionality to remove the need for third-party clients to store passwords. Instead, OAuth-enabled client applications use an access token to authenticate. This token can be used to perform a limited set of actions on your behalf, but doesn't permanently provide full access to your account. In the event that an authorized application is compromised, attackers can't access the user's plain text password, and the compromised tokens can be revoked at any time.

Client Registration

To register a custom app for your community, please refer to the documentation for the Community Apps Manager.

To register a global app that will be available in all communities, please contact support@socialcast.com with the following details:

Upon successful registration, you will receive the following information from Socialcast:

Determining Community Domain

By default, API clients should present the user with the centralized authorization endpoint at:


This enhanced authorization endpoint allows many users to log in to any of their Socialcast communities, provided these communities:

Upon successful authorization, Socialcast will append a "community_domain" argument to the OAuth 2 authorization response (see Authorization Code and Implicit grant types) containing the domain you can use to redeem an authorization token (see the Authorization Code grant type) and make other API requests (see Accessing Protected Resources).

Other Cases

Unfortunately, proper delegation to other identity providers and integration with private cloud or behind-the-firewall deployments require API clients to use the full community domain when accessing the OAuth 2.0 authorization endpoint. This is the same domain that would appear in a browser's URL bar after you have logged in to a community. To help verify that a particular domain is a valid community domain, OAuth 2.0 compatible versions of Socialcast provide a "check" method that does not require prior authorization at:


For example, the following request:

GET /oauth2/check HTTP/1.1
Host: demo.socialcast.local
Accept: */*

will return something similar to the following JSON:

{
  "tenant": "Foobar Inc",
  "service_type": "Socialcast",
  "protocol_type": "OAuth2"
}

Note: the value of "tenant" will be null if the server is OAuth2 compatible, but the domain provided does not correspond to a tenant.
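
A client can use the check method to validate a user-supplied community domain before sending the user to that domain's authorization endpoint. The following Python is an added example, not Socialcast's own code; it assumes the check is served over HTTPS, and the function names and sample bodies are constructed for illustration.

```python
import json
import re
import urllib.request

# Constructed sample bodies, modelled on the response shown above.
SAMPLE_OK = '{"tenant": "Foobar Inc", "service_type": "Socialcast", "protocol_type": "OAuth2"}'
SAMPLE_NO_TENANT = '{"tenant": null, "service_type": "Socialcast", "protocol_type": "OAuth2"}'

# Bare hostname only: no scheme, port, path, userinfo or whitespace.
_HOST = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


class InvalidCommunityDomain(ValueError):
    """The input is not a usable community domain."""


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # a redirect would be an answer from a different host


def normalize_domain(user_input):
    host = user_input.strip().lower()
    if not _HOST.fullmatch(host):
        raise InvalidCommunityDomain(f"not a bare hostname: {user_input!r}")
    return host


def tenant_from_check(body):
    """Return the tenant name from a /oauth2/check response body, or raise."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise InvalidCommunityDomain("check response is not JSON") from exc
    if not isinstance(data, dict) or data.get("protocol_type") != "OAuth2":
        raise InvalidCommunityDomain("server is not OAuth2 compatible")
    tenant = data.get("tenant")
    if not isinstance(tenant, str) or not tenant:
        # "tenant" is null when the server is compatible but the domain is not a tenant
        raise InvalidCommunityDomain("domain does not correspond to a tenant")
    return tenant


def check_community_domain(user_input, timeout=5.0):
    """Query the check method (HTTPS is an assumption) and return the tenant name."""
    host = normalize_domain(user_input)
    req = urllib.request.Request(f"https://{host}/oauth2/check", headers={"Accept": "*/*"})
    with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
        return tenant_from_check(resp.read(65536).decode("utf-8", "replace"))
```

Showing the returned tenant name to the user before starting authorization lets them confirm they are about to log in to the community they intended.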

Supported Flows

Authorization Code Grant - See Section 4.1 of Draft 16. This flow is suitable for applications which can make cross-domain HTTP requests, such as web, mobile, or desktop applications.

Implicit - See Section 4.2 of Draft 16. This flow is recommended for clients which cannot make cross-domain requests or keep secrets, such as in-browser JavaScript applications.

Summary of Authentication Phases

                                     Authorization Code   Implicit
Phase 0: Obtain Authorization Code   Yes                  No
Phase 1: Obtain Access Token         Yes                  Yes
Phase 2: Access Protected Resources  Yes                  Yes
Phase 3: Refresh Access Token        Yes                  No