Open Authorization (OAuth for short) is an industry standard for token-based authorization on the internet. MinistryPlatform supports several OAuth 2.0 workflows and also serves as a Security Token Service (STS) provider. MinistryPlatform is also a client and can support other token providers such as Facebook or Google.

Discovery

The discovery url can be found by adding an "oauth" subfolder to the ministryplatform url. For example:

https://example.ministryplatform.com/ministryplatform/oauth/

The discovery url will display various end-points, scopes, and response-types supported by MinistryPlatform's OAuth implementation.

General Use

• User chooses to login using STS provider
• User is redirected to provider’s login page
• STS provider authenticates user
• User is redirected back to original application along with an Access Token
• Access Token is passed in Authorization Header of each subsequent request in order to gain access to Resources

OAuth and MinistryPlatform

• MinistryPlatform acts as an STS provider
  • Login using the platform's login UI
  • Get an Access Token using the platform
  • Utilize OAuth workflows using the platform
  • Authorization uses existing Security Roles to determine access
• MinistryPlatform acts as an STS consumer
  • Configure the platform to login using Facebook (and other OAuth providers)
  • Theoretically, login to Facebook using the platform!
• BatchManager and CloudTools
  • Use Client Credentials workflow
  • Authorization uses existing Security Roles

Workflows

Client Credentials

• Allows client application to have access without storing a user name or password anywhere
• Can be used to provide data to an end user whether they are logged-in or not
• Best choice for 99% of your application development
• Client-specific user assignment

See API & Identity Pages  and Giving Developers Access

Implicit Grant

• Can allow application to be developed entirely in client-side JavaScript
• Assumes end user has significant rights within MinistryPlatform
• Access Token belongs to the end user

Authorization Code

• Similar in end-user experience to Implicit Grant
• Redirects user to authorization server

Resource Owner

• Assumes your client application has (or can collect) the end user’s credentials
• Could be used like Client Credentials if you have a safe place for your application to store the user name and password (not recommended)

See Administering Users and Working With 3rd Party Developers

See Also

• REST API
• Swagger
• API Wrapper
• External Login Authentication
• API & Identity Pages

Additional Documentation

• OAuth Official documentation - https://oauth.net/ 
• Oracle's documentation including workflow diagrams - docs.oracle.com
• ITNext OAuth 2.0 for beginners - https://itnext.io/