Use the Access | OAuth Applications screen to manage the access of mobile, web, and server applications to the Marigold Loyalty Cloud Platform. OAuth is a protocol that lets external apps (the *Client Applications*) request authorization to the Marigold Loyalty Cloud Platform. You can also use OAuth to monitor, manage, throttle, and revoke application access.
Each OAuth Application has the following attributes:
Client ID. Enter a publicly exposed string to identify the client application.
Client Secret. Enter a string used to authenticate the identity of the client application when it authenticates with the Marigold Loyalty Cloud Platform. The client application must keep the Client Secret private between itself and the Marigold Loyalty Cloud Platform. To enhance security, the OAuth Applications screen hides the Client Secret value by default. Click the ‘Show Secret’ button to view the current value of the Client Secret. Click the ‘Regenerate Secret’ button if you need to create a new value for the Client Secret (e.g. when your Client Secret has been compromised).
Redirect URI. Specify the address where the Marigold Loyalty Cloud Platform redirects the client application after a successful authorization.
Scope. Specify ‘Member’ (for Member API scope) or ‘Program’ (for Program API scope).
Client Platform. Specify the client platform types, such as ‘ios’, ‘android’, or ‘javascript’.
Previously, Marigold Loyalty supported a password grant approach in which a 'Client ID' and a 'Client Secret' are passed to authenticate a user and retrieve an access token for subsequent requests to the Member API. This approach could be exploited if the mobile app or website exposed the API credentials.
The platform now supports more secure client application integrations with Loyalty by enabling the OAuth 2.0 Authorization Code Flow with Proof Key for Code Exchange (PKCE). PKCE makes the OAuth 2.0 Authorization Code Grant type more secure by binding the authorization code to a client-generated code verifier and its derived code challenge, so a code intercepted in transit cannot be redeemed for an access token without the verifier.
There are many ways, or grant types, to get an access token from Marigold Loyalty depending on use cases, the client application type, or how secure the client application is. Per OAuth 2.0 specifications, client applications can be classified as either confidential or public. Authorization Code Grant is a grant type commonly used by both confidential client application types, such as traditional web apps or servers, and public client application types, such as single-page apps or native mobile apps; the flow in either case is initiated through the browser. To obtain an access token, the user is redirected from the client application to the Authorization Server (Marigold Loyalty) where the user has to log in and authorize the client application. Upon successful login, an authorization code is generated and returned to the client application through its registered callback URL. This code can then be used to securely request an access token.
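The two paragraphs above describe the PKCE-protected Authorization Code flow in prose. The following is an added, self-contained example (not code from Marigold Loyalty or its documentation) that walks through it end to end: the client generates a code verifier and its S256 code challenge, builds the authorization request, a toy stand-in for the authorization server issues a single-use authorization code bound to that challenge, and the token exchange succeeds only when the matching verifier is presented. The endpoint URLs, client ID, and redirect URI are placeholders; `ToyAuthorizationServer` is a constructed simulation, not the platform's implementation.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder endpoints: the real Marigold Loyalty authorization and token URLs are not on the page.
AUTHORIZE_ENDPOINT = "https://loyalty.example.invalid/oauth/authorize"


def make_code_verifier() -> str:
    """Client side: high-entropy random string of 43-128 unreserved characters (RFC 7636)."""
    return secrets.token_urlsafe(32)  # 32 random bytes -> 43 URL-safe characters, no padding


def make_code_challenge(code_verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id, redirect_uri, scope, code_challenge, state) -> str:
    """Step 1: the browser is sent here so the user can log in and authorize the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,                 # 'Member' or 'Program', as registered on the screen
        "state": state,                 # client-generated, checked on return to detect CSRF
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Constructed stand-in for the authorization server (simulation only).
    It stores the challenge presented with each issued code and re-checks it at redemption,
    which is what stops a stolen authorization code from being turned into a token."""

    def __init__(self, registered_redirect_uri: str):
        self.registered_redirect_uri = registered_redirect_uri
        self.pending = {}  # authorization code -> code_challenge it was issued with

    def authorize(self, url: str) -> str:
        """Simulates the user logging in and approving; returns the callback URL carrying the code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("redirect_uri") != self.registered_redirect_uri:
            raise ValueError("redirect_uri does not match the registered Redirect URI")
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("PKCE S256 code_challenge required for this client")
        code = secrets.token_urlsafe(24)
        self.pending[code] = q["code_challenge"]
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def exchange(self, code: str, code_verifier: str) -> dict:
        """Token endpoint: the code is single-use and the verifier must hash to the stored challenge."""
        challenge = self.pending.pop(code, None)
        if challenge is None:
            raise PermissionError("unknown or already-used authorization code")
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PermissionError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(client_id="demo-client", redirect_uri="https://app.example.invalid/callback",
             scope="Member") -> bool:
    """Drives the full flow; True when the exchange succeeds and a replayed code is refused."""
    server = ToyAuthorizationServer(redirect_uri)
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(client_id, redirect_uri, scope, make_code_challenge(verifier), state)
    cb = {k: v[0] for k, v in parse_qs(urlparse(server.authorize(url)).query).items()}
    if not secrets.compare_digest(cb["state"], state):
        raise ValueError("state mismatch: response does not belong to this request")
    token = server.exchange(cb["code"], verifier)
    try:
        server.exchange(cb["code"], verifier)  # replay of a consumed code must fail
        return False
    except PermissionError:
        return token["token_type"] == "Bearer"


def rejects_wrong_verifier(redirect_uri="https://app.example.invalid/callback") -> bool:
    """True when a code obtained with one verifier cannot be redeemed with another."""
    server = ToyAuthorizationServer(redirect_uri)
    honest_verifier = make_code_verifier()
    url = build_authorization_url("demo-client", redirect_uri, "Member",
                                  make_code_challenge(honest_verifier), secrets.token_urlsafe(16))
    code = parse_qs(urlparse(server.authorize(url)).query)["code"][0]
    try:
        server.exchange(code, make_code_verifier())  # attacker-style guess, not the real verifier
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("flow ok:", run_flow(), "| wrong verifier rejected:", rejects_wrong_verifier())
```

The point for operators of public clients (the ‘ios’, ‘android’ and ‘javascript’ Client Platform types) is that nothing secret ships in the app: the verifier is generated fresh per authorization and never leaves the device except at the token exchange, and the server does the binding check. `make_code_challenge` is checked in the test against the RFC 7636 Appendix B vector.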