Authorisation with OAuth2

Page under construction

In order for an application (usually a mobile app) to access protected data of Graz University of Technology, access will in future be authorised with OAuth2 rather than by entering a username and password, since those credentials really serve to authenticate the person, not the app.

Necessary steps for app developers

  1. App developers must contact the ZID to have the app registered.
  2. The app is added to the list of registered apps once the appropriate agreements or contracts have been concluded, which specify, for example, the maximum set of data the app may access.
  3. The provider is assigned a Client ID and a Client Secret.

Necessary steps for users

After installation on the end device (e.g. a smartphone), the app must be activated for access:
  1. When the app is started for the first time (or when the access or refresh token has expired), the user is redirected to the SSO page (the OpenID Connect Provider) of TU Graz and logs in there, including the second factor.
  2. If this login is successful, the app receives an authorisation code. The app can then (automatically) exchange this authorisation code for an access token by presenting its client ID and client secret (authorisation code flow).
    From this point on, the app authorises itself to the server with this access token. The app itself never needs a username and password, yet every access can still be traced unambiguously to a client (the app) and the specific user.
  3. Via "Connected applications and services" in TUGRAZonline, the user can then control exactly which data is passed to the app and can also revoke the access again (e.g. if the device has been stolen).
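The following is an added example, not code from TU Graz or the ZID, that simulates the authorisation code flow described in steps 1 and 2 end to end and offline. The endpoint URLs, the client ID and secret, the redirect URI and the in-memory FakeProvider are all constructed placeholders; a real app would send the token request over HTTPS to the TU Graz provider instead. The example also shows two checks the steps above rely on: the app binds the redirect to its own request with a state value, and the provider accepts each authorisation code exactly once and only from the client it was issued to.

```python
"""Offline simulation of the OAuth2 authorisation code flow (constructed example)."""
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; these are NOT the real TU Graz endpoints or credentials.
AUTHORIZE_ENDPOINT = "https://sso.example.invalid/oauth2/authorize"
TOKEN_ENDPOINT = "https://sso.example.invalid/oauth2/token"
CLIENT_ID = "example-app"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example.invalid/callback"


def build_authorization_url(state: str, scope: str = "openid profile") -> str:
    """Step 1: the app sends the user to the SSO page. `state` ties the later
    redirect back to this request so a foreign code cannot be injected."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Extract the authorisation code from the redirect, rejecting it unless
    the state matches the value this app generated."""
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: redirect does not belong to our request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorisation code in callback")
    return code


def build_token_request(code: str) -> dict:
    """Step 2: the app exchanges the code for tokens, authenticating itself
    as the client with client ID and client secret (HTTP Basic)."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {"url": TOKEN_ENDPOINT,
            "headers": {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": {"grant_type": "authorization_code", "code": code,
                     "redirect_uri": REDIRECT_URI}}


class FakeProvider:
    """Constructed in-memory stand-in for the OpenID Connect Provider."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, user, redirect_uri, expires_at)
        self._tokens = {}  # access_token -> (client_id, user)

    def issue_code(self, client_id: str, user: str, redirect_uri: str) -> str:
        """Issued after the user has logged in (with second factor) and consented."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, user, redirect_uri, time.time() + 60)
        return code

    def token(self, request: dict) -> dict:
        """Token endpoint: verify the client, then redeem the code exactly once."""
        scheme, _, cred = request["headers"].get("Authorization", "").partition(" ")
        if scheme != "Basic":
            return {"error": "invalid_client"}
        try:
            cid, _, csecret = base64.b64decode(cred, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return {"error": "invalid_client"}
        if cid != CLIENT_ID or not hmac.compare_digest(csecret, CLIENT_SECRET):
            return {"error": "invalid_client"}
        body = request["body"]
        entry = self._codes.pop(body.get("code"), None)  # single use: a replay finds nothing
        if (entry is None or entry[0] != cid or entry[2] != body.get("redirect_uri")
                or entry[3] < time.time()):
            return {"error": "invalid_grant"}
        access = secrets.token_urlsafe(32)
        self._tokens[access] = (cid, entry[1])
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(32)}

    def who_is(self, authorization_header: str):
        """Resource side: each access token maps back to (client, user)."""
        scheme, _, tok = authorization_header.partition(" ")
        return self._tokens.get(tok) if scheme == "Bearer" else None


def run_flow(provider: FakeProvider, user: str = "student@example") -> dict:
    """Drive the whole flow: authorisation request, simulated login, code
    exchange, authenticated access, and a replay of the used code."""
    state = secrets.token_urlsafe(16)
    auth_url = build_authorization_url(state)
    # The user logs in at the SSO page; the provider redirects back with a code.
    code = provider.issue_code(CLIENT_ID, user, REDIRECT_URI)
    callback = f"{REDIRECT_URI}?{urlencode({'code': code, 'state': state})}"
    code = parse_callback(callback, state)
    tokens = provider.token(build_token_request(code))
    identity = provider.who_is(f"Bearer {tokens['access_token']}")
    replay = provider.token(build_token_request(code))
    return {"auth_url": auth_url, "tokens": tokens, "identity": identity, "replay": replay}


if __name__ == "__main__":
    print(run_flow(FakeProvider()))
```

Running the module prints the issued tokens, the (client, user) pair the access token resolves to, and the `invalid_grant` error returned when the same code is presented a second time. The client secret is only ever sent to the token endpoint, never to the resource server, which is why the flow suits an app that must not hold the user's password.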