WORKSECTION

OAuth 2.0

How OAuth 2.0 works

The Work­sec­tion API addi­tion­al­ly uses the OAuth 2.0 pro­to­col for autho­riza­tion. The OAuth 2.0 autho­riza­tion plat­form pro­to­col is described in https://​data​track​er​.ietf​.org/​d​o​c​/​h​t​m​l​/​r​f​c6749

We sup­port the flow of autho­riza­tion code from the OAuth stan­dard.
OAuth 2.0 autho­riza­tion procedure:


Use­ful materials:
  1. SDK library to sim­pli­fy the work with our API.
  2. OAuth 2.0 library for easy work with the Work­sec­tion OAuth 2.0.
  3. Method col­lec­tions in Post­man.

Was this article helpful? Yes, thank you! No

OAuth 2.0 basic settings

To set up autho­riza­tion, click on your avatar, go to your account set­tings, API section. 



To use OAuth 2.0 autho­riza­tion, you need to reg­is­ter and con­fig­ure the Work­sec­tion API appli­ca­tion. Each appli­ca­tion has its own unique client id and client secret, which will be used in the OAuth stream.

The con­fig­u­ra­tion win­dow of any application: 


Was this article helpful? Yes, thank you! No

Authorization code OAuth 2.0

To start the authorization process, the user should click on the link in your app, which will direct them to the URL:

https://worksection.com/oauth2/authorize
The authorization URL must contain the required parameters:

PARAMETERDESCRIPTION
client_id
client_id, received when creating the application.
response_type
Customize the response, return the authorization code. Always specify code.
redirect_uri
URI where the response will be redirected. The URI must meet the requirements of the OAuth2 standard and use the HTTPS protocol.
state
A random text string that will be included in the response to your application at the end of the OAuth stream. The main purpose is to prevent CSRF requests from being spoofed.
scope
OAuth permissions help you fine-tune which data in the Worksection your application will have access to. This parameter is transferred in the form of strings separated by a space or comma. List of available scopes: projects_read, projects_write, tasks_read, tasks_write, costs_read, costs_write, tags_read, tags_write, comments_read, comments_write, files_read, files_write, users_read, users_write,contacts_read, contacts_write, administrative.

Was this article helpful? Yes, thank you! No

Authorization code processing OAuth 2.0

After click­ing on the autho­riza­tion URL at the first stage, the user is redi­rect­ed to the Work­sec­tion login page if they have not yet logged in: 


or to the user selec­tion page if the user has already been authorized: 



After suc­cess­ful autho­riza­tion, the user is redi­rect­ed to the access con­fir­ma­tion page:


If the user grant­ed access on the approval page, they will be redi­rect­ed to redirect_​uri with the code para­me­ter.
Please note that the autho­riza­tion code is valid for 10 minutes.

Was this article helpful? Yes, thank you! No

Access token OAuth 2.0

Access data can be obtained by making a POST request to the URL of the token with the authorization code:

https://worksection.com/oauth2/token
The POST request must contain the required parameters:

PARAMETERDESCRIPTION
client_id
client_id, received when creating the application.
client_secret
client_secret, received when creating the application.
grant_type
Always specify the authorization_code.
code
The authorization code you received in the previous step.
redirect_uri
URI where the response will be redirected. The URI must meet the requirements of the OAuth2 standard and use the HTTPS protocol.

CURL example:

curl -X POST -d "client_id=<client_id>&client_secret=<client_secret>&grant_type=authorization_code&code=<authorization_code>&redirect_uri=<redirect_uri>"
https://worksection.com/oauth2/token 
Example response:

{
    "token_type": "bearer",
    "expires_in": 86400,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJh...",
    "refresh_token": "def502005534a202e9e8effa05cdbad564015604f34...", "account_url": "https://authorizeduseraccount.worksection.com"
}
The received access_token and refresh_token will be used in subsequent requests to access the API and update the access_token. The access_token is valid for 24 hours, the refresh_token is valid for 1 month.

Was this article helpful? Yes, thank you! No

Using an access token OAuth 2.0

Each request to the API via OAuth2 protocol must be made over HTTPS with an access token, which must be passed in the authorization header or in the access_token parameter. For all requests, you need to use the basic URL:

https://youraccount.worksection.com/api/oauth2
For example, using the get_tasks API method to get the tasks of a particular project:

curl -X GET -H "Authorization: Bearer <token_value>"
https://youraccount.worksection.com/api/oauth2?action=get_tasks&id_project=193
You will get a response similar to:

{
    "status": "ok",
    "data": [
        {
            "name": "T0",
            "page": "/project/193/13036/",
            "status": null,
            "priority": "1",
            "user_from": "Marcus Wright",
            "user_to": "Marcus Wright",
            "from_me": 0,
            "to_me": 0,
            "date_added": "2023-03-10 16:41",
            "date_start": "2023-03-15",
            "date_end": "2023-03-23",
            "child": [
                {
                    "name": "T0.1",
                    "page": "/project/193/13036/13037/",
                    "status": null,
                    "priority": "1",
                    "user_from": "Marcus Wright",
                    "user_to": "Marcus Wright",
                    "from_me": 0,
                    "to_me": 0,
                    "date_added": "2023-03-10 16:41"
                }
            ]
        }
]
}
Each access token is valid for 24 hours. Then you need to refresh it with refresh_token or get a new one.

Was this article helpful? Yes, thank you! No

Access token update OAuth 2.0

Once the access token becomes invalid, it needs to be refreshed. You can do this by using the refresh_token (obtained in the /oauth2/token method) and sending a POST request to the following URL:

https://worksection.com/oauth2/refresh
The POST request must contain the required parameters:

PARAMETERDESCRIPTION
client_id
client_idreceived when creating the application.
client_secret
client_secretreceived when creating the application.
grant_type
Always specify the value of refresh_token.
refresh_token
The refresh token that was received in the /oauth2/token method.

 
CURL example:

curl -X POST -d
"client_id=<client_id>&client_secret=<client_secret>&grant_type=refresh_token&refresh_token=<refresh_token>"
https://worksection.com/oauth2/refresh
Example response:

{
    "token_type": "bearer",
    "expires_in": 86400,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1...",
    "refresh_token": "def50200365724c970b6cea5eeecfed28...", "account_url": "https://authorizeduseraccount.worksection.com"
}
The refresh request returns a new access token and a refresh token, which will invalidate the old tokens.

Was this article helpful? Yes, thank you! No

Getting information about OAuth 2.0 user

You can also use the access_token to get more information about the user, if necessary. You need to send a POST request to the URL:

https://worksection.com/oauth2/resource
The POST request must contain the required parameters:

PARAMETERDESCRIPTION
client_id
client_id, received when creating the application.
client_secret
client_secret, received when creating the application.
access_token
The access token that was obtained in the /oauth2/token method.

CURL example:

curl -X POST -d
"client_id=<client_id>&client_secret=<client_secret>access_token=<access_token>"
https://worksection.com/oauth2/resource
Example response:

{
   
"id": "11",
   
"first_name": "John",
   
"last_name": "Smith",
   
"email": "[email protected]", "account_url": "https://authorizeduseraccount.worksection.com"
}

Was this article helpful? Yes, thank you! No
esc
или
Print