Overview
Authentication and authorization are critical for ensuring secure access to Vodafone’s APIs. Depending on the API you are working with, Vodafone provides several methods to verify identity and grant access:
Terminology
Vodafone's API documentation follows the official OAuth 2.0 and Three-Legged OAuth Flow specifications to describe the various actors involved in the authentication and authorization process:
|
Term |
Description |
|---|---|
|
Resource Owner |
The Vodafone customer or end-user who owns the data and provides consent for the Client Application to access APIs on their behalf. |
|
Client Application |
An app created on the Vodafone Developer Portal to access APIs on behalf of the Resource Owner with their authorization or consent. These apps include sandbox or production apps for testing and development. |
|
Authorization Server |
The API Gateway Authorization Server , responsible for authenticating the Client Application and issuing Access Tokens or Authorization Codes. |
|
Resource Server |
The server hosting Vodafone's APIs. It validates the Access Token and serves the requested resources. |
|
Consumer Key |
A unique identifier for the Client Application, used for authentication with the Authorization Server. |
|
Consumer Secret |
A secret key paired with the Consumer Key, used for securely authenticating the Client Application when requesting tokens. |
|
Access Token |
A token issued by the Authorization Server that allows the Client Application to access specific APIs. This token is included in the Authorization header for API calls. |
|
Authorization Code |
A temporary code issued to the Client Application during the Three-Legged OAuth Flow, exchanged for an Access Token. |
|
Scope |
Defines the level of access granted to the Client Application. Scopes determine which APIs and resources the token allows access to. |
|
Token Endpoint |
The endpoint on the Authorization Server where the Client Application exchanges credentials or Authorization Codes for an Access Token. |
|
Bearer Token |
A type of Access Token used to authenticate requests to the Resource Server. It is included in the Authorization header of API requests. |
|
Grant Type |
The method used by the Client Application to obtain an Access Token. Examples include client_credentials, authorization_code, and urn:openid:params:mc:grant-type:ciba. |
|
Basic Authentication |
An authentication method where the Client Application provides its Consumer Key and Consumer Secret encoded in Base64 in the Authorization header. |
|
OAuth 2.0 |
A framework enabling secure access to Vodafone’s APIs via Access Tokens. It supports multiple grant types for flexibility in authentication and authorization. It is described in the OAuth 2.0 Authorization Framework standard (RFC 6749). |
|
Three-Legged OAuth Flow |
An OAuth 2.0 flow involving the Resource Owner, Client Application, and Authorization Server, requiring user consent to access sensitive resources. It is described in the OAuth 2.0 RFC 6749, section 4.1. |
|
Client-Initiated Backchannel Authentication (CIBA) |
A flow where the Client Application initiates authentication via a backchannel. The Resource Owner authenticates via an out-of-band method. |
|
Auth Request ID |
A unique identifier (auth_req_id) issued during the CIBA flow. The Client Application uses this to exchange for an Access Token after the Resource Owner authenticates. |
