Jump to content

OAuth server-side non-Invision API authentication

Go to solution Solved by Stuart Silvester,

Recommended Posts

A lazy ask since I haven't done enough research yet.  

My community is acting as IDP.  My custom web-application, henceforth PoCApp, successfully navigates the OAuth flow to authenticate the user against Invision.  Now PoCApp makes API calls to PoCAPI.  PoCAPI is separate from Invision.  PoCAPI should leverage the bearer token to authenticate and authorize the user for the API call.  Is there a standard approach for PoCAPI to communicate with Invision to validate the authentication?  I'm suspecting I need to write an addon API (introspection endpoint) to Invision that PoCAPI will call to do the validation but am curious if there is something hiding or some overloading of the OAuth endpoints will get me what I need.  PoCAPI will call a separate authorization engine once the authentication is validated.  

Thank you for helping me overcome the brain block!

Edited by HarpGamer
Link to comment
Share on other sites

  • Solution


You have a few options really depending on your set up and preferences

You could:

  • Add a custom app to Invision Community that adds REST API endpoint and passes requests through to your API after validation.
  • Call the /api/core/me endpoint to see if you get an authenticated response with the token.
  • If you have database access, you could use that to look up the access token and access scopes, this would probably be quicker due to less reliance on HTTP requests.

In any of these scenarios you would need to account for access tokens expiring.

Link to comment
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...