Authentication
Introduction
Weightron.Cloud is secured with OpenID Connect, built on the OAuth 2.0 authorization protocol. All API requests require a valid Access Token, retrieved from the OIDC auth server.
The auth server URL is https://auth.weightron.cloud/oidc (OpenID discovery document: https://auth.weightron.cloud/oidc/.well-known/openid-configuration).
Please contact an authorized reseller for creation of access credentials. Client Credentials (Client ID, Client Secret, and API Key) will be provided by the reseller after generation. The Client Secret should be stored in a secure location and not shared with other parties, integrations, or applications.
Supported Authentication Flows
Authorization Code (w/ PKCE)
The OAuth Authorization Code flow is used when a server-side application authenticates a user with their own login credentials via a browser. The user logs in to the auth server via your application. The auth server then returns an Authorization Code, which your application exchanges for an Access Token. See Access Permissions.
A refresh token can also be requested with the offline_access scope, if the user has granted it.
Implementing applications must provide at least one redirect URI when the OIDC client credentials are created, and a valid (registered) redirect URI must be supplied during the OAuth flow. A list of allowed cross-origin domains may also be provided for browser-based applications.
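The client side of the Authorization Code + PKCE flow described above, as an added example that is not part of Weightron's documentation or SDK: it generates the PKCE pair, builds the authorize URL (requesting offline_access only when a refresh token is wanted), validates the state on the callback, and assembles the back-channel token request. The authorization and token endpoint URLs are assumed to be read from the discovery document; the function names and the client_id/redirect_uri values are hypothetical.

```python
import base64
import hashlib
import secrets
import urllib.parse

ISSUER = "https://auth.weightron.cloud/oidc"  # from the page; endpoints come from its discovery document


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_for(verifier: str) -> str:
    """S256 challenge: base64url(sha256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def build_authorize_url(authorization_endpoint: str, client_id: str, redirect_uri: str,
                        state: str, code_challenge: str, want_refresh: bool = False) -> str:
    """Front-channel URL the browser is sent to. redirect_uri must be one registered
    with the reseller; offline_access is only requested when a refresh token is needed."""
    scope = "openid" + (" offline_access" if want_refresh else "")
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return authorization_endpoint + "?" + urllib.parse.urlencode(params)


def handle_callback(query_string: str, expected_state: str) -> str:
    """Parse the redirect back to our app; reject a missing or mismatched state."""
    q = urllib.parse.parse_qs(query_string)
    if not secrets.compare_digest(q.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: dropping callback")
    if "error" in q:
        raise ValueError("auth server error: " + q["error"][0])
    return q["code"][0]


def token_exchange_form(client_id: str, client_secret: str, code: str,
                        redirect_uri: str, verifier: str) -> dict:
    """Form fields POSTed over TLS to the token endpoint (back channel only; the
    client secret and code_verifier never pass through the browser)."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
```

Keep the verifier and state in server-side session storage between the redirect and the callback; the access token returned from the token endpoint then goes in the Authorization header as described under Requests.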
Client Credentials
Client Credentials is a flow for machine-to-machine authentication. The Client ID and Client Secret can be exchanged directly for an access token, without user intervention. See Access Permissions.
Access Permissions
Access permissions in the API are determined by the roles assigned to the user (when using Authorization Code flow), or roles assigned to the OIDC Client (when using Client Credentials flow).
Typically a bespoke role is created for the integration, which will heavily limit the possible operations to those requested. Additional permissions may be requested from the reseller at the time of credentials generation, and can be updated at any point after generation as required.
Requests
All secured requests will require the Authorization header, containing a bearer access token from one of the authentication flows:
Authorization: Bearer ...
Unauthenticated requests, or requests with an invalid token, will yield a 401 error with an appropriate error message. See Error Responses.
OIDC credentials can only be linked to one application, and API requests using OIDC credentials will only be possible to the linked application. If the user has access to multiple applications, multiple OIDC credentials will be necessary.