1. Overview
  2. Login with OAuth2
  3. Implicit Grant
  4. Authorization Code Grant
  5. Authorization Code Grant (JWT)
  6. Request to Avaya Spaces
  7. Anonymous Guest User

1 Overview

All requests to the Avaya Spaces API must include an authorization token. To obtain this token, a user must be authenticated with Avaya Cloud Identity. A third-party developer can authenticate with Avaya Cloud Identity by registering as a client application of Avaya Spaces. Once registered, OAuth2 is used to authenticate users and obtain a token for authorized requests to Avaya Spaces.

Note: Recently Google has ended support for OAuth2 flows through web-views on Android and iOS, as well as their equivalents on Windows and OS X. Since Avaya Cloud Identity offers a Google SSO option for users to sign in, authentication may fail for users using this login option. See here for more information.

2 Login with OAuth2 using "authorization_code"

To gain access to a user's Avaya Cloud account and make requests to Avaya Spaces on their behalf, we must direct them to log in to Avaya Cloud Identity using the registered client ID.

1. The user should be navigated to this URL (scope request should be one string: 'scope1, scope2, scope3'):
https://[avayacloud_accounts_url]/oauth2/authorize?client_id=[client_id]&redirect_uri=[redirect_uri]&scope=[scope]&response_type=code&access_type=offline&grand_type=authorization_code&state=0
client_id&redirect_uri=redirect_uri&response_type=response_type&access_type=access_type&scope=https%3A%2F%2Faccounts.avayacloud.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Faccounts.avayacloud.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Faccounts.avayacloud.com%2Fauth%2Fzangspaces&state=0
client_id
The client ID that was registered
redirect_uri
The redirect URL that was registered
response_type
'code' (for authorization code)
access_type
'offline'
scope
'https://accounts.avayacloud.com/auth/userinfo.email https://accounts.avayacloud.com/auth/userinfo.profile https://accounts.avayacloud.com/auth/zangspaces'
state
Optional but recommended. A CSRF token that adds protection against unauthorized (cross-site request forgery) requests.

Scope    Production (https://accounts.zang.io/auth)    Testing (https://www.onesna.com/auth)
Email    /userinfo.email                               /userinfo.email
User     /userinfo.profile                             /userinfo.profile
Spaces   /zangspaces                                   /logan

2. Click the "Accept" button

3. The OAuth2 client's predefined redirect_uri will receive the code that is to be exchanged for an access_token and id_token, e.g.:

https://[redirect_uri]/?state=0&code=d41d8cd98f00b204e9800998ecf8427e

4. To exchange the code received above for the access, id and refresh tokens, the OAuth2 client should call the following URL:

https://[avayacloud_accounts_url]/oauth2/access_token
with the following data in application/x-www-form-urlencoded format using the POST method:
client_id=[client_id]&client_secret=[client_secret]&grant_type=authorization_code&code=[code]&redirect_uri=[redirect_uri]
This call will return the access_token, id_token and refresh_token.
Example using POSTMAN:
URL: https://accounts.avayacloud.com/oauth2/access_token

Method: POST

Format: application/x-www-form-urlencoded

Post Body:

client_id:3443rlk5vfue3kasaw4wa

client_secret:ABC1234556677567r765765

code:3542523535

grant_type:authorization_code

redirect_uri:https://localhost:3000

5. Use the id_token to get basic user information from the token by performing a GET request on the URL:

https://[avayacloud_accounts_url]/api/1.0/id_token/get_token_info?id_token=[id_token]
Example of the response:
{
   "access_token":"943C2423CA4FC6CF0218A90DE713A044083CB3A4",
   "scope":"https://onesna.com/auth/userinfo.email https://onesna.com/auth/userinfo.profile https://onesna.com/auth/userinfo.logan",
   "expires_in":3599,
   "refresh_token":"04FCC12745AA32279A5883D11F2EE4CD1ACB13A3",
   "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkX3NpZyI6Im5YeGFKUW0wblZJWnVPXzgwQ3VMZmxJeUd3RXNaS3h6dF9Mbk9sZnphR00iLCJwcm9kdWN0X3R5cGUiOiJhY2NvdW50cyIsImxhc3R1cGRhdGV0aW1lIjoiMjAyMC0wNy0wN1QwNzozMjo0MS4zMzgiLCJpc3MiOiJhdmF5YWNsb3VkLmNvbSIsInB1YmxpY2tleWlkIjoiYWd4emZtOXVaWE51WVRJd01UUnlHZ3NTRFVkS2QzUlFkV0pzYVdOTFpYa1lnSURRdWN5Z3ZnZ00iLCJleHAiOjE1OTY3MTg4NzIsInVzZXJfaWQiOiJhZ3h6Zm05dVpYTnVZVEl3TVRSeUVRc1NCRlZ6WlhJWWdJRFF1Wl9zMVFzTSIsInZlciI6IjIuMCJ9.pXmv-YKgtH_MI5AOdZjy8mApUOCLsajFT6woVjA2ec55dPDX5krL0oK6tVzSXHMCzO4e4GrSVmH7DkDQymJah3ETSMG-NG2l4Cjdv4Vxzk6A8ugr_Sp-84RXTZnvtXzIjyNmLh6O07li3mxuPhYPoxDVmgqKIeWaSmstkwLi0mYQsA3aqjdihWjeH1zrNgxLvjSAIh3Aj9JcOjKkRakuLSe8x18QTdWLjQtKYyzvoe8c31cGYyoAsxmMi8ClZUA7ZOS3EjEgGXPQ9aw8PzXUuwuRYyySIaajp-iPjwIgXOrq4DKZZDMDCMzjj967zpsUohQ34y8v0q"
}

6. The access_token will expire in one hour. You can call the API to get a new one like so:

URL: https://[avayacloud_accounts_url]/oauth2/access_token

Method: POST

Format: x-www-form-urlencoded

Post Body:

client_id:[client_id]

client_secret:[client_secret] 

grant_type:[refresh_token]

refresh_token: [refresh_token]

7. To call all other Spaces APIs, use the access_token with Bearer Authorization. For example, if your access_token is 76731740bc9341692e94de76d8f6d355, the POSTMAN call to the API would look like the example below:

URL: https://[avayaspaces_url]/api/users/me

Method: GET

Header:

Authorization: Bearer 76731740bc9341692e94de76d8f6d355
You should receive a response that looks like this:
{
  "name": {
    "familyname": "User",
    "formatted": "",
    "givenname": "Test",
    "honorific_prefix": "",
    "honorific_suffix": "",
    "middlename": "",
    "pronunciation": "",
    "pronunciation_url": ""
  },
  "aType": "user",
  "permissions": ["USERSELF_PERMISSION_GROUP", "IT_ADMIN_PERMISSION_GROUP"],
  "_id": "5f04250caa4a347af9946e06",
  "ndbid": "agxzfm9uZXNuYCIwMTRyEQsSBFVzZXIYgIDQuZ_s1QsM",
  "addresses": [],
  "displayname": "Test User",
  "emails": [
    {
      "value": "testuser@avaya.com",
      "type": "",
      "primary": true,
      "label": "",
      "relationdef_id": "agxzfc9uZXNuYTIwMTRyGAsSC1JlbGF0aW9uRGVmGICA0Pmf4cMKDA"
    }
  ],
  "gender": "",
  "languages": [{ "code": "en-US", "primary": true }],
  "lastupdatetime": "2020-07-07T07:32:41.338Z",
  "licenses": [
    {
      "service_type": "zangspaces_business",
      "product_type": "zangspaces",
      "expiration": "2300-05-01T16:00:00.000Z",
      "parent_type": "company",
      "trial": false,
      "purchased_license_ndbid": "agxzfm7uZXNuYTIwMTRyHQsSEFB1cmNoYXNlZExpY2Vuc2UYgICg2MOdtwoM"
    }
  ],
  "phone_numbers": [],
  "relation_graphs": [
    {
      "relationdef_id": "agxzfm4uZXNuYTIwMTRyGAsSC1JlbGF0aW9uRGVmGICA0Pmf4cMKDA",
      "initiator_id": "5697db96283a4718c4f786f6",
      "initiator_type": "company",
      "relation_type": "employee"
    }
  ],
  "timezone": "",
  "username": "testuser@avaya.com",
  "picture_url": "https://accounts.zang.io/norevimages/noimage.jpg",
  "profile": {
    "name": {
      "familyname": "User",
      "formatted": "",
      "givenname": "Test",
      "honorific_prefix": "",
      "honorific_suffix": "",
      "middlename": "",
      "pronunciation": "",
      "pronunciation_url": ""
    },
    "displayname": "Test User",
    "username": "testuser@avaya.com",
    "phone_numbers": [],
    "picture_url": "https://accounts.zang.io/norevimages/noimage.jpg",
    "addresses": [],
    "gender": ""
  }
}

When the user lands on this page they will be asked to log in with one of the following methods:
  • Avaya Cloud account
  • Google account
  • Office365 account
  • Salesforce account
  • Avaya account

After logging in they will be redirected once more to https://accounts.avayacloud.com/oauth2/authorize/confirm where they will choose to allow or deny the following permissions to your application:

  • View and update user email information
  • View user detail information
  • Call Avaya Spaces APIs
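
Steps 1, 3, 4 and 7 of the authorization_code flow above in Python, with a random per-login state that is checked on the redirect instead of the constant state=0. This is an added example, not Avaya's code: the function names are hypothetical, the accounts host is the one from the Postman example, and the requests are built but not sent.

```python
import hmac
import secrets
import urllib.request
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumption: host from the page's Postman example; helper names are hypothetical.
ACCOUNTS_URL = "https://accounts.avayacloud.com"
SCOPE = " ".join(f"{ACCOUNTS_URL}/auth/{s}"
                 for s in ("userinfo.email", "userinfo.profile", "zangspaces"))

def build_authorize_url(client_id, redirect_uri):
    """Step 1: return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unpredictable per-login value
    query = urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri, "scope": SCOPE,
        "response_type": "code", "access_type": "offline", "state": state,
    })
    return f"{ACCOUNTS_URL}/oauth2/authorize?{query}", state

def code_from_callback(callback_url, expected_state):
    """Step 3: return the code only if the echoed state matches the session's."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    if len(params.get("code", [])) != 1:
        raise ValueError("callback must carry exactly one code")
    return params["code"][0]

def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 4: form-encoded POST; the client_secret travels in the body only."""
    body = urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    return urllib.request.Request(
        f"{ACCOUNTS_URL}/oauth2/access_token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def build_api_request(spaces_url, access_token):
    """Step 7: the access_token goes in the Authorization header."""
    return urllib.request.Request(
        f"{spaces_url}/api/users/me",
        headers={"Authorization": f"Bearer {access_token}"})
```

Pass the returned request objects to urllib.request.urlopen to send them; the state returned by build_authorize_url must be stored per user session and discarded after one callback.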

3 Login with OAuth2 using "password"

1. Using the OAuth2 password grant type, the OAuth2 client should call the following API (see the POSTMAN example below):

URL: https://accounts.avayacloud.com/oauth2/access_token

Method: POST

Format: application/x-www-form-urlencoded

Post Body:

client_id:[client_id]

client_secret: [client_secret]

grant_type: password

username:[username]

password:[userpassword]

scope: [scope]
The above POST call will return the access_token, id_token and refresh_token.

2. Use the id_token to get basic user information from the token by performing a GET request on the URL:

https://[avayacloud_accounts_url]/api/1.0/id_token/get_token_info?id_token=[id_token] 
Example of the response:
{
   "expires_in": 3202,
   "audience": "client_id",
   "user_id": "85136c79cbf9fe36bb9d05d0639c70c265c18d37",
   "user":{
      "username": "test@user.com",
      "first_name": "Test",
      "last_name": "User",
      "id":"85136c79cbf9fe36bb9d05d0639c70c265c18d37",
      "picture_url": "https://onesnatesting.esna.com/norevimages/noimage.jpg"
   },
   "issuer": "esna.com"
}

3. The access_token will expire in one hour. Refreshing it is done in exactly the same manner as in the "authorization_code" call; refer to its paragraph 6.

4. Calling all other Spaces APIs is the same as in the "authorization_code" call; please refer to its paragraph 7.