Authentication

Authentication methods such as Basic and OAuth

Supported methods of authentication:

  • HTTP Basic authentication as an auth header using the client ID and secret for server to server actions.
  • OAuth bearer tokens

OAuth

Registered client applications can use the OAuth 2.0 authorisation ‘code’ flow with Proof Key for Code Exchange (PKCE); server to server applications can use the ‘client_credentials’ flow instead. Access tokens are signed JWTs, and refresh tokens are supported. There is a brief outline below, but the RFCs should be consulted for full implementation details.

  • RFC6749 The OAuth 2.0 Authorization Framework
  • RFC7636 Proof Key for Code Exchange by OAuth Public Clients (PKCE)
  • RFC7519 JSON Web Token (JWT)
  • RFC8252 OAuth 2.0 for Native Apps

Client registration

If you have a suitably privileged user account you can set up an OAuth2 application here.

Obtaining authorisation

An authorisation grant is obtained by starting the process with a call to the auth endpoint /oauth2/auth, making sure to include the PKCE parameters. The user will be prompted to log in if required and, if all is well, an authorisation grant code will be returned to the client via a redirection.

Note that the ‘client_credentials’ grant flow does not use this step.

Note that the scope parameter is mandatory in our implementation and must be one of ats_recruiter, ats_channel, or ats_candidate. As well as defining the access scope, we use it to determine which login page to display.

Obtaining tokens

The authorisation grant code can then be exchanged by the client application for an access token and a refresh token at the /oauth2/token endpoint. Clients using the ‘client_credentials’ flow do not have a grant code and should instead supply their service account credentials in the HTTP Basic authentication header.

The access token has a lifetime of 10 minutes and is used to access resources. The refresh token generally has a lifetime of 60 minutes and is used to obtain further tokens. A new refresh token is issued each time a refresh token is used, which provides sliding session timeout behaviour; the timeouts and policies may vary by client system.
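As an added example (not part of this documentation or the service's own code), a minimal client-side sketch of the PKCE code flow described above in Python: generating the verifier/challenge pair, building the /oauth2/auth request with the mandatory scope, and the form body sent to /oauth2/token. The base URL, client_id and redirect_uri values are assumptions; only the two endpoint paths and the three scope names come from the documentation.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed authorisation server base URL (placeholder); the /oauth2/auth and
# /oauth2/token paths are the ones documented above.
BASE_URL = "https://auth.example.com"
# The three scopes the documentation says are accepted; scope is mandatory.
ALLOWED_SCOPES = {"ats_recruiter", "ats_channel", "ats_candidate"}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method."""
    # 32 random bytes encode to a 43-character verifier (RFC 7636 allows 43..128).
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs: S256(verifier) must equal the challenge."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_auth_url(client_id, redirect_uri, scope, code_challenge, state):
    """Build the /oauth2/auth request; rejects scopes outside the documented set."""
    if scope not in ALLOWED_SCOPES:
        raise ValueError(f"scope must be one of {sorted(ALLOWED_SCOPES)}, got {scope!r}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # bound to the user session; checked on the redirect back
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{BASE_URL}/oauth2/auth?{urlencode(params)}"


def build_token_request(client_id, redirect_uri, code, code_verifier):
    """Form body for exchanging the grant code at /oauth2/token (public client)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }
```

The verifier is kept only on the client and sent just once, in the token request, so an intercepted grant code cannot be redeemed without it.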