Step 1: Determine App Type
AIR MILES uses Auth0 for API user authentication. By identifying your application type, you can easily determine which authentication/authorization method you should be using. Besides the application type, other factors may play a role in deciding which authentication method you will use.
These could include:
- The level of trust your users have in your application
- The user experience you wish to deliver to your customers
Type A: Mobile & Single Page Applications
Integrate our API with a native mobile app (e.g., for iOS or Android) or a SPA (Single Page Application). This method uses the Authorization Code Flow with PKCE (Proof Key for Code Exchange), because such apps are public clients: they run on a device or in a browser and cannot keep a client secret.
Click the button below to request access to this authentication flow.
Sequence Diagram for Authorization Code Flow with PKCE
@startuml
autonumber "<b>(0) "
skinparam sequenceMessageAlign direction
skinparam ParticipantPadding 20
!theme cerulean
actor "User" as U
participant "Mobile App" as A
collections "Auth0 Tenant" as A0
database "AMRP-API" as API
U -> A : Click login link
note right
Generates **code verifier**
and **code challenge**
end note
A -> A0 : Send "auth code" request + **code challenge** to ""**/authorize**""
A0 -> U : Redirect to login/authorization prompt
U -> A0 : Authenticate and grant consent
A0 -> A : Redirect back with an **auth code**
A -> A0 : Send **auth code** + **code verifier** to ""**/oauth/token**""
note right
Auth server validates
the **code challenge**/
**code verifier**
end note
A0 --> A : Server responds with **id token** / **access token**
A -> API : Use the **access token** to make API calls to the server
note right: Note: Only API calls that are\nwithin the permitted scope.
API --> A : API responds with requested data
@enduml
Type B: Regular Web Applications
Integrate our API with a standard web-server application that utilizes a client_id and client_secret (e.g., Express.js, ASP.NET etc.). This method uses the Authorization Code Flow. The client_secret must stay on the server; it is never shipped to a browser or mobile app.
Click the button below to request access to this authentication flow.
Sequence Diagram for Authorization Code Flow
sequenceDiagram
autonumber
participant U as User
participant A as Webpage
participant A0 as Auth0 Tenant
participant API as AMRP-API
U->>A: Click login link
A->>A0: Authorization Code request sent to "/authorize"
A0->>U: Redirect to login/authorization prompt
U->>A0: User authentication and consent
A0->>A: Create an Authorization Code
A->>A0: Send Authorization Code + Client ID + Client Secret to "/oauth/token"
A0->>A0: Auth Server validates Authorization Code + Client ID + Client Secret
A0->>A: Server responds with "ID Token" and "Access Token"
A->>API: Access Token used to make API calls (that are within the user's scope)
API->>A: API responds with requested data
Type C: Back-End Systems
Integrate our API with another API platform or over a direct M2M (machine-to-machine) connection (e.g., CLIs, daemons, and back-end services). This method uses the Client Credentials Flow, in which the application authenticates as itself with its client_id and client_secret; no user logs in and no consent prompt is shown.
Click the button below to request access to this authentication flow.
Sequence Diagram for Client Credentials Flow
sequenceDiagram
autonumber
participant M as M2M App
participant A0 as Auth0 Tenant
participant API as AMRP-API
M->>A0: Authenticate with Client ID + Client Secret to "/oauth/token"
A0->>A0: Auth Server validates Client ID + Client Secret
A0->>M: Server responds with Access Token
M->>API: Access Token used to make API calls (that are within the scopes granted to the client, not a user's)
API->>M: API responds with requested data