Developers use Application Programming Interfaces (APIs) to access various resources, including cloud, database, network, and information stored in social media sites. Access control has to be in place to prevent those resources from being hacked and compromised. Therefore, authentication and authorization processes are needed to ensure that a user accesses only the data and services he or she is allowed to.

The traditional client-server authentication and authorization model often uses a username and password mechanism. However, when users provide their password to an application, the application gets access not only to the data it needs, but to all other data in the users' account. That is a risk for the users and an extra liability for the application developer.

OAuth 2.0 is an industry standard authorization protocol that enables applications to access protected resources without getting into the complexity of the traditional model. Whether you develop Web applications or mobile apps, OAuth will save you time and energy by allowing you to use an authorization layer with an access token mechanism. Having a standardized authorization protocol greatly improves developers’ productivity.

For developers accessing the AT&T Network and services, the AT&T API Platform provides a rich set of APIs they can leverage. Since each API requires an access token issued by the AT&T OAuth 2.0 service, developers are required to register with the AT&T Developer Program first. Registration enables developers to obtain the client credentials needed to use the OAuth 2.0 service.

4 Steps for Integrating Your App with the AT&T OAuth 2.0 Service

Here are the steps developers can follow to integrate their apps:

1. Specify the API that your app will use.

2. Specify the scope for the API.

    • Scope information includes CMS (Call Management), DC (Device Capabilities), TL (Location), IMMN & MIN (In App Messaging), MMS (MMS), Payment (Payment), SMS (SMS), SPEECH (Speech) and WAP (WAP Push).
    • OAuth scopes must all be upper-case letters. You may get an HTTP 403 Forbidden error when you attempt to use an API if your original scope request has lower-case letters.

3. For the APIs that require the consent of the customer — i.e. Location, In App Mobile Messaging and Device Capabilities — use the OAuth authorization code flow:

    • Redirect the user’s browser through the Consent Request process
    • Use the authorization code to get an access token
    • Use the access token to access the AT&T API that you wish to use

4. For the APIs that do not require the consent of the customer — i.e. Call Management, MMS, Payment, SMS, Speech, and WAP Push — use the client credentials flow:

    • Call the OAuth API to request an access token
    • Use the access token to access the AT&T API that you wish to use

Examples (Client Credentials Access Token)

Example 1: Getting an access token

POST https://api.att.com/oauth/token

client_id=$my_app_id&client_secret=$my_app_secret&grant_type=client_credentials&scope=SPEECH

Extract an access token from the response

{ "access_token":"0123456789abcdef", "expires_in":"0", "refresh_token":"abcdef12345667890" }

Example 2: Using an access token

POST /rest/2/SpeechToText HTTP/1.1

Host: api.att.com

Authorization: Bearer 38C2399A23999

Accept: application/xml

Content-length: 5655

Content-Type: audio/amr

X-SpeechContext: BusinessSearch

…audio data…
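Steps 3 and 4 above and the two examples put into working code, as an added example that is not AT&T's SDK and not code from this post. Only the token endpoint `https://api.att.com/oauth/token`, the request body of Example 1, the JSON shape of its response and the headers of Example 2 come from the post. The names `validate_scope`, `build_token_request`, `build_code_exchange_request`, `parse_token_response`, `bearer_headers` and `fetch_client_credentials_token` are mine; the HTTP transport is an injected `post(url, body)` callable so the code runs offline against the constructed `fake_post` stand-in (swap in a real HTTPS client to reach AT&T). The authorization-code exchange body uses the generic OAuth 2.0 parameters (`grant_type=authorization_code`, `code`, `redirect_uri`); that AT&T accepts exactly that parameter set is an assumption.

```python
"""OAuth 2.0 client-credentials flow plus the authorization-code exchange
against the AT&T token endpoint. Added example; the transport is injected so
the code runs offline against a constructed fake service."""
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://api.att.com/oauth/token"  # endpoint named in the post


class ScopeError(ValueError):
    """Raised before any network call when a scope would be rejected later."""


def validate_scope(scope: str) -> str:
    """The post warns that lower-case scope letters surface as HTTP 403 only
    when the API is called; fail fast at request-building time instead."""
    if not scope or scope != scope.upper():
        raise ScopeError(f"scope must be upper-case, got {scope!r}")
    return scope


def build_token_request(client_id: str, client_secret: str, scope: str) -> str:
    """Step 4 / Example 1: form-encoded body for grant_type=client_credentials."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": validate_scope(scope),
    })


def build_code_exchange_request(client_id: str, client_secret: str,
                                code: str, redirect_uri: str) -> str:
    """Step 3: exchange the code returned from the consent redirect for a token.
    Generic OAuth 2.0 parameter set (assumption: AT&T accepts exactly these)."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })


def parse_token_response(body: str, now: float) -> dict:
    """Extract the token from the Example 1 JSON and compute an absolute expiry.
    expires_in is a string in the post's sample, so it is coerced to int;
    a missing access_token or an error document raises instead of returning junk."""
    data = json.loads(body)
    try:
        token = data["access_token"]
        expires_in = int(data.get("expires_in", 0))
    except (KeyError, ValueError) as exc:
        raise ValueError(f"malformed token response: {exc}") from exc
    return {
        "access_token": token,
        "refresh_token": data.get("refresh_token"),
        # 0 (as in the post's sample) means no lifetime was given
        "expires_at": now + expires_in if expires_in > 0 else None,
    }


def bearer_headers(token: dict, content_type: str, speech_context: str) -> dict:
    """Example 2 (SpeechToText): the token travels in the Authorization header,
    never in the URL, so it stays out of proxy and access logs."""
    return {
        "Authorization": f"Bearer {token['access_token']}",
        "Accept": "application/xml",
        "Content-Type": content_type,
        "X-SpeechContext": speech_context,
    }


def fetch_client_credentials_token(post, client_id, client_secret, scope, now=None):
    """Step 4 end to end: build the request, send it via post(url, body) -> str,
    parse the reply. The scope check runs before anything is sent."""
    body = build_token_request(client_id, client_secret, scope)
    return parse_token_response(post(TOKEN_URL, body),
                                time.time() if now is None else now)


def fake_post(url: str, body: str) -> str:
    """Constructed stand-in for the AT&T token service (offline only).
    Returns the post's sample token with a non-zero lifetime."""
    assert url == TOKEN_URL
    fields = dict(pair.split("=", 1) for pair in body.split("&"))
    if fields.get("grant_type") != "client_credentials" or "client_secret" not in fields:
        return json.dumps({"error": "invalid_request"})
    return json.dumps({"access_token": "0123456789abcdef",
                       "expires_in": "3600",
                       "refresh_token": "abcdef12345667890"})


if __name__ == "__main__":
    tok = fetch_client_credentials_token(fake_post, "my_app_id", "my_app_secret",
                                         "SPEECH", now=0)
    print(bearer_headers(tok, "audio/amr", "BusinessSearch"))
```

In production the `post` callable would be a real HTTPS request with `Content-Type: application/x-www-form-urlencoded`; keeping the transport separate makes the scope check, the response parsing and the header construction testable without a network.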

Now, enjoy coding your apps using the AT&T OAuth Service and APIs.

How important a concern is security in your app development process? What apps are on the horizon for your company?