Authorisation with OAuth2
Page under construction
For an application (mostly a mobile app) to access (protected) data of Graz University of Technology, OAuth2 will in future be used to authorise that access, replacing the entry of a username and password, which are really there to authenticate the person, not the app.
Necessary steps for app developers
- App developers must contact the ZID to have the app registered.
- The app is added to the list of registered apps after the appropriate agreements or contracts have been concluded, specifying, for example, the maximum data the app is allowed to access.
- The provider is assigned a Client ID and a Client Secret.
Necessary steps for users
After installation on the end device (e. g. a smartphone), the app
must be activated for access:
- When the app is started for the first time (or when the access or refresh token has expired), the user is redirected to the SSO page (the OpenID Connect Provider) of TU Graz and logs in there, including the second factor.
- If this login is successful, the app is issued an authorisation code. The app can then (automatically) exchange this authorisation code for an access token by presenting its client ID and client secret (authorisation code flow). From this point on, the app authorises itself to the server with this access token; the app itself never needs a username and password, yet each access can still be clearly traced back to a client (the app) and the specific user.
- Via "Connected applications and services" in TUGRAZonline, the user can then control exactly which data is transmitted to the app, and can also revoke access again (e. g. if the device has been stolen).
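The following is an added example, not code from TU Graz or from this page: a small in-memory model of the authorisation code flow described above. It shows both sides of the exchange (the provider issuing a single-use, short-lived code bound to client, user and scope; the token endpoint checking the client ID and secret before handing out access and refresh tokens), how a resource server maps an access token back to the app and the user, and what revocation via "Connected applications and services" does to outstanding tokens. The client ID `example-app`, its secret, the scopes and the user names are invented sample values; the function names and time-to-live constants are assumptions of this example.

```python
"""Toy model of the authorisation code flow (constructed example, not production code)."""
import hmac
import secrets
import time

# Constructed stand-in for the list of registered apps: the client ID, client secret
# and maximum scope below are invented sample values, not real TU Graz data.
REGISTERED_CLIENTS = {
    "example-app": {"secret": "example-client-secret", "max_scope": {"profile", "grades"}},
}

CODE_TTL = 60        # authorisation codes are single-use and short-lived (seconds)
ACCESS_TTL = 3600    # access token lifetime (seconds); assumed value

_auth_codes = {}      # code -> {client_id, user, scope, expires}
_access_tokens = {}   # access token -> {client_id, user, scope, expires}
_refresh_tokens = {}  # refresh token -> {client_id, user, scope}


def _client_ok(client_id, client_secret):
    client = REGISTERED_CLIENTS.get(client_id)
    # constant-time comparison so the secret does not leak through timing differences
    return client is not None and hmac.compare_digest(client["secret"], client_secret)


def issue_authorisation_code(client_id, user, scope, now=None):
    """Provider side: after the user logged in on the SSO page (including the second
    factor), bind a code to the client, the user and the scope the app may access."""
    now = time.time() if now is None else now
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        raise ValueError("unknown client")
    if not set(scope) <= client["max_scope"]:
        raise ValueError("scope exceeds what this app was registered for")
    code = secrets.token_urlsafe(32)
    _auth_codes[code] = {"client_id": client_id, "user": user,
                         "scope": frozenset(scope), "expires": now + CODE_TTL}
    return code


def _mint_tokens(record, now):
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    _access_tokens[access] = {**record, "expires": now + ACCESS_TTL}
    _refresh_tokens[refresh] = {k: record[k] for k in ("client_id", "user", "scope")}
    return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}


def exchange_code(client_id, client_secret, code, now=None):
    """Token endpoint: the app trades the code plus its client ID and secret for tokens."""
    now = time.time() if now is None else now
    if not _client_ok(client_id, client_secret):
        return None
    record = _auth_codes.pop(code, None)   # pop: a code can be redeemed only once
    if record is None or record["client_id"] != client_id or record["expires"] < now:
        return None
    return _mint_tokens(record, now)


def refresh_access_token(client_id, client_secret, refresh_token, now=None):
    """Obtain a fresh access token without sending the user back to the SSO page."""
    now = time.time() if now is None else now
    if not _client_ok(client_id, client_secret):
        return None
    record = _refresh_tokens.pop(refresh_token, None)  # rotate: the old refresh token dies
    if record is None or record["client_id"] != client_id:
        return None
    return _mint_tokens(record, now)


def introspect(access_token, now=None):
    """Resource server side: map a presented access token back to (client, user, scope)
    so every access is attributable. Returns None for unknown, expired or revoked tokens."""
    now = time.time() if now is None else now
    record = _access_tokens.get(access_token)
    if record is None or record["expires"] < now:
        return None
    return record["client_id"], record["user"], record["scope"]


def revoke_app_for_user(client_id, user):
    """'Connected applications and services': the user withdraws the app's access
    (e.g. after a stolen device); every code and token of that (app, user) pair dies."""
    for store in (_access_tokens, _refresh_tokens, _auth_codes):
        for tok in [t for t, r in store.items()
                    if r["client_id"] == client_id and r["user"] == user]:
            del store[tok]


if __name__ == "__main__":
    t0 = 1_000_000.0
    code = issue_authorisation_code("example-app", "alice", {"profile"}, now=t0)
    tokens = exchange_code("example-app", "example-client-secret", code, now=t0)
    print(introspect(tokens["access_token"], now=t0))
    revoke_app_for_user("example-app", "alice")
    print(introspect(tokens["access_token"], now=t0))  # None once the user revoked access
```

Two design points carry over to real deployments: the code is popped on first use, so a replayed code is rejected even with valid client credentials, and introspection works from the token store rather than from anything the app sends, which is what keeps each access traceable to one client and one user.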