
OpenID Connect & OAuth 2.0 standards

For authentication and authorization, we make use of the OpenID Connect (authentication) and OAuth 2.0 (authorization) standards. The best way to understand what all this is about is to read the actual RFCs:

How do we use this in Linckr?

In Linckr we make use of AWS Cognito as an Identity Provider that follows the above standards. Linckr currently supports two types of authentication flow:

  • Authorization Code Flow + PKCE is a user-based flow that is used for the web application and the mobile application.
  • Client Credentials Flow is a machine-to-machine flow that is used for trusted services that need to access the Linckr API without a user being present.
danger

When using the Client Credentials flow, the client id and secret are used to authenticate the client. This means that the client id and secret must be treated as a password and stored securely on a backend system. The client id and secret must never be exposed to the end user. Contact Linckr immediately if the client id and secret are compromised.

info

A member that authenticates with the Authorization Code Flow can be part of many organisations; a member that authenticates with the Client Credentials Flow can only be part of one organisation. This measure was taken to limit the exposure if a client id and secret are compromised.
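The two flows above, as an added example that is not Linckr's or Cognito's own code: it builds the PKCE verifier and S256 challenge for the Authorization Code flow (the part that lets a browser or mobile app authenticate without holding a secret) and the request shape for the Client Credentials grant. The Cognito hosted-UI domain, client id, redirect URI and scope values are assumed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder Cognito hosted-UI endpoint (assumed; not Linckr's real user pool domain).
AUTH_ENDPOINT = "https://example-pool.auth.eu-west-1.amazoncognito.com/oauth2/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier (43-128 unreserved chars); 32 random bytes give 43."""
    return b64url(secrets.token_bytes(nbytes))

def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """What the token endpoint checks: the presented verifier hashes to the stored challenge."""
    return hmac.compare_digest(make_code_challenge(verifier), challenge)

def build_authorize_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Step 1 of Authorization Code + PKCE: the user agent carries only the challenge to the IdP."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,  # tie to the session and compare on the redirect to catch CSRF
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"

def authorization_code_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Step 2: exchange the code; the verifier stands in for a client secret, so the app never holds one."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}

def client_credentials_token_request(client_id: str, client_secret: str, scope: str):
    """Machine-to-machine grant: HTTP Basic header plus form body, built on a backend only."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("ascii")).decode("ascii")
    return {"Authorization": f"Basic {basic}"}, {"grant_type": "client_credentials", "scope": scope}
```

The challenge function reproduces the RFC 7636 Appendix B test vector, so it can be checked against the specification directly.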

Postman collection

In the following Postman examples you can see how to use the above flows to authenticate and authorize against the Linckr API. During the onboarding process you will receive a client id that you can use to access the Linckr API.