This design would allow us to support other OAuth "Authorization Code Grant" providers in the future.

API

authenticated users | POST /v3/oauth/:vendorId
body | {"authCode":"<authCode>"}
if auth code provided in post | get access and refresh tokens
no authCode provided, accessToken exists, not expired | return access token
no authCode provided, accessToken exists, expired | refresh access token, return new access token
401 | no authCode, no accessToken, or an error
200 | {"vendorId":"vendorId","accessToken":"<accessToken>","expiresOn":"<ISO 8601 timestamp>"}


A GET method that returns health codes for accounts that have given Fitbit authorization (at some point). These might also be some kind of minimal grant object (OAuthGrant[healthCode, accessToken, expiresOn]).

workers | GET /v3/studies/:studyIdentifier/oauth/:vendorId?pageSize=x&offsetKey=y
200 | {"items":["healthCode1","healthCode2"], "requestParams": {...}, "type":"ForwardOnlyCursorPagedList"}


workers | GET /v3/studies/:studyIdentifier/oauth/:vendorId/:healthCode
if access token exists and is not expired | return access token
if access token exists and is expired | refresh token and return refreshed token
401 | anything else (should only be an error from Fitbit)
200 | {"vendorId":"vendorId","accessToken":"<accessToken>","expiresOn":"<ISO 8601 timestamp>"}
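
The decision table for POST /v3/oauth/:vendorId, written out as an added Java example that is not code from this design's project (the worker GET by health code takes the same path with authCode always null). `VendorClient`, `Grant`, `resolve` and the in-memory map are hypothetical stand-ins for the provider's token endpoint and the grant table, the sample values in `main` are constructed, and records require Java 16 or later.

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
// Added example with hypothetical names; models the endpoint's branches only.
public class OAuthTokenFlowExample {
    record Grant(String accessToken, String refreshToken, Instant expiresOn) {}
    // Response body: the refresh token is deliberately left out and stays server-side.
    record AccessToken(String vendorId, String accessToken, Instant expiresOn) {}
    // Stand-in for the HTTP calls to the OAuth provider's token endpoint.
    interface VendorClient {
        Grant exchangeAuthCode(String authCode) throws Exception;
        Grant refresh(String refreshToken) throws Exception;
    }

    private final Map<String, Grant> grants = new HashMap<>(); // studyId:vendor + healthCode
    private final VendorClient vendor;
    OAuthTokenFlowExample(VendorClient vendor) { this.vendor = vendor; }

    // Optional.empty() maps to HTTP 401, a present value to HTTP 200.
    Optional<AccessToken> resolve(String studyId, String vendorId, String healthCode,
            String authCode, Instant now) {
        String key = studyId + ":" + vendorId + "/" + healthCode;
        try {
            Grant grant = grants.get(key);
            if (authCode != null) {
                grant = vendor.exchangeAuthCode(authCode);    // new grant replaces any old one
            } else if (grant == null) {
                return Optional.empty();                      // no authCode, no accessToken
            } else if (!now.isBefore(grant.expiresOn())) {
                grant = vendor.refresh(grant.refreshToken()); // expired: refresh
            }
            grants.put(key, grant); // persist the whole grant so a rotated refresh token is kept
            return Optional.of(new AccessToken(vendorId, grant.accessToken(), grant.expiresOn()));
        } catch (Exception e) {
            return Optional.empty();                          // any provider error
        }
    }
    public static void main(String[] args) {
        Instant t0 = Instant.parse("2018-01-01T00:00:00Z"); // constructed sample clock
        OAuthTokenFlowExample svc = new OAuthTokenFlowExample(new VendorClient() {
            public Grant exchangeAuthCode(String c) { return new Grant("access-1", "refresh-1", t0.plusSeconds(3600)); }
            public Grant refresh(String r) { return new Grant("access-2", "refresh-2", t0.plusSeconds(7200)); }
        });
        System.out.println(svc.resolve("study", "fitbit", "hc1", null, t0));   // no authCode, no stored grant
        System.out.println(svc.resolve("study", "fitbit", "hc1", "code", t0)); // authCode supplied
        System.out.println(svc.resolve("study", "fitbit", "hc1", null, t0.plusSeconds(4000))); // stored grant expired
    }
}
```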

OAuthService

Method | Description
requestAccessToken(OAuthAuthorizationToken authToken) : OAuthAccessToken | retrieves the access token, making whatever requests to the OAuth provider are necessary (a refresh, for example)
getHealthCodesGrantingAccess(StudyIdentifier studyId, String vendorIdentifier, int pageSize, String offsetKey) : ForwardCursorPagedResourceList<String> | retrieves all the health codes for accounts that have granted access to the OAuth provider at some point. They should all have refresh tokens and access tokens.
getAccessToken(StudyIdentifier studyId, String vendorIdentifier, String healthCode) : OAuthAccessToken | retrieves an access token for the individual health code, making whatever requests to the OAuth provider are necessary (a refresh, for example)

There are going to be some other classes that aren't that interesting:

  • OAuthProvider
  • OAuthAccessGrant
  • DynamoOAuthAccessGrant
  • OAuthAccessGrantDao
  • DynamoOAuthAccessGrantDao

These are pretty standard design-wise.

DynamoDB Tables

Study
Map<String,OAuthProvider> oauthProviders (mapped to their vendor identifier)

Seems trivial enough to include in study.

OAuthProvider
String clientId
String secret
String endpoint
String redirectUrl (maybe)
String state (maybe)

RedirectUrl and state... Fitbit documentation says that if these are provided by the client in the authorization step they have to be provided in this step and they have to match exactly. Or maybe they only have to match exactly if they are provided. We'll sort it out.

OAuthAccessGrant
String studyId:vendor (hashKey)
String healthCode (rangeKey)
String accessToken
String refreshToken
Long createdOn
Long expiresOn

OAuthAccessToken
String vendorId
String accessToken
DateTime expiresOn

OAuthAuthorizationToken
String vendorId
String authToken
