Understanding OAuth Access Tokens
OAuth is an open standard for authorization. OAuth allows users to share their private resources stored on one site with another site without handing out their credentials: instead of a username and password, the third-party site is given tokens. Each token grants access to a specific site for specific resources and for a defined duration. This allows a user to grant a third-party site access to their information stored with another service provider, without sharing their own access permissions or the full extent of their data.
Digital River Connect APIs grant the following OAuth token types:
Limited Access Token—A limited access token only grants you access to the Shopper APIs that do not require a consumer context. This token allows you to send API requests against resources that are not shopper-protected; requests against protected resources are rejected. A limited access token is considered an authenticated token; however, it is not an authorized token that provides full access.
Full Access Token—To access all the features of the Shopper APIs, you need to get an authorized token. A full access token is only granted when the shopper explicitly allows your application to access their personal data. The shopper is the only one who can grant this token. This is accomplished by sending the shopper to the Global Commerce (GC) platform for authentication. After a shopper identifies themselves and explicitly grants your application permission to access their protected resources, your application has access to the full API.
Valid Token Types
The OAuth specification defines the available application types as follows:
- Public—Applications are incapable of maintaining the confidentiality of their credentials or of securely authenticating by any other means. Examples of public applications are those executing on a device used by the resource owner, such as installed native applications. All calls use an HTTP Basic Authentication header, with the client ID (API key) as the username; the secret key is never used.
- Confidential—Applications are capable of maintaining the confidentiality of their credentials, or are otherwise capable of secure client authentication. An example of a confidential application is a client implemented on a secure server. All calls use an HTTP Basic Authentication header, with the client ID (API key) as the username and the secret key as the password.
See Public Versus Confidential Application Flows for more information.
The following table indicates which token types allow access to a resource.
✓–A check mark indicates the token type provides access to a resource.
✗–A cross mark indicates the token type does not provide access to a resource.
*–If a method has token requirements that differ from the other methods within a resource, the method is explicitly listed in the table.
Access Token TTL
The access token time-to-live (TTL) limits the lifespan of the access token. When using TTL, consider the following:
- The default value is 24 hours.
- By default, tokens remain valid for the same duration as Digital River-hosted storefront pages.
The expires_in property is the TTL value for the access token. An application can store a valid access token and re-use it until it expires.
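The following is an added example, not Digital River's own code, that ties together the two client types above (Basic Authentication with the API key as username, with or without the secret key as password) and the TTL handling described here (store the token and re-use it until expires_in elapses). It assumes the token response is a JSON object carrying access_token alongside expires_in, and that the actual token request is performed by an injected fetch function, because the token endpoint is not given on this page; the fetch used below is a constructed stand-in.

```python
import base64
import time
from typing import Callable, Optional


def basic_auth_header(client_id: str, secret_key: Optional[str] = None) -> str:
    """Build the HTTP Basic Authentication header for either application type.

    Public applications send the client ID (API key) as the username with an
    empty password; confidential applications send the secret key as the password.
    """
    password = secret_key or ""
    raw = f"{client_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenCache:
    """Store a valid access token and re-use it until its expires_in TTL elapses."""

    def __init__(self, fetch: Callable[[], dict], clock=time.time, skew: int = 60):
        self._fetch = fetch        # performs the token request; injected so it can be faked
        self._clock = clock        # injected so expiry can be tested deterministically
        self._skew = skew          # refresh slightly early to absorb clock drift and latency
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()
            ttl = int(resp["expires_in"])       # seconds; the page's default is 24 hours
            self._token = resp["access_token"]  # field name is an assumption
            self._expires_at = now + ttl
        return self._token


def demo() -> int:
    """Constructed stand-in for the token endpoint; returns how many requests were made."""
    calls = []

    def fake_fetch() -> dict:
        calls.append(1)
        return {"access_token": f"tok{len(calls)}", "expires_in": 86400}

    cache = TokenCache(fake_fetch)
    for _ in range(5):           # repeated use within the TTL costs a single token request
        cache.get()
    return len(calls)
```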