Authentication
The bookingtime APIs use the OAuth 2.0 protocol for authentication. This supports common OAuth 2.0 scenarios for single page applications (via Authorization Code Flow) and machine-to-machine communication (via Client Credentials Flow).
Unauthenticated requests are not allowed.
Some endpoints are not user specific and can be queried by anyone. Submitting an OAuth scope has currently no effect.
The base URL of the bookingtime authorization server is https://auth.bookingtime.com
.
The specific implementation of the bookingtime authentication backend is inspired by the behavior of Auth0 and AWS Cognito. This ensures compatibility between the common clients for these systems and the bookingtime backend. There are several example libraries by Auth0, such as OAuth for plain JavaScript or OAuth for React. There are also open-source libraries such as the library of the OpenID project.
Detailed explanations of the supported processes can be found in the following sections. This documentation contains example values for all parameters and responses. Furthermore, the bookingtime SDK includes a ready-to-use authentication library for javascript projects.
Refresh and Access Tokens
The /oauth/token
endpoint returns either a refresh or access token in the response body for the matching grant_type
.
Using a refresh token for API requests is not valid, only access tokens contain the mandatory authorization for successful requests.
Responses are in JSON format and have the following structure:
// grant_type: 'authorization_code', 'client_credentials'
{
"refresh_token": "eyJ0eXAi...UHQ",
"token_type": "Bearer",
"expires_in": 2592000
}
// grant_type: 'refresh_token'
{
"access_token": "eyJ0eXAi...UHQ",
"token_type": "Bearer",
"expires_in": 300
}
By default, the tokens have the following lifetimes
-
refresh token
: 30 days -
access token
: 5 minutes
This approach allows bookingtime to authenticate a user or machine by granting a refresh token in the first step and afterwards authorize the request in its respective context, like a users permissions in a specific organization network.
JWT
Both access_token
and refresh_token
are standardized JSON web tokens(JWT). The bookingtime implementation uses OAuth 2.0 compliant claims.
Refresh Token
{
"jti": "jwt...WdN", "random hash 32chars",
"iat": 1735686000, "timestamp now",
"nbf": 1735686000, "timestamp now",
"iss": "https://auth.bookingtime.com/",
"aud": "https://auth.bookingtime.com/app/", "https://auth.bookingtime.com/module/ for module API",
"exp": 1735686300, "timestamp 5min from now",
"type": "refresh",
"mode": "user|machine|appointment",
"sub": "9d...3Q|70...Yb|...", "user ID, app ID, module ID or appointment ID",
"checksum": "jwt...44", "32 chars hash",
}
Access Token
{
"jti": "jwt...WdN", "random hash 32chars",
"iat": 1735686000, "timestamp now",
"nbf": 1735686000, "timestamp now",
"iss": "https://auth.bookingtime.com/",
"aud": "https://auth.bookingtime.com/app/", "https://auth.bookingtime.com/module/ for module API",
"exp": 1735686300, "timestamp 5min from now",
"type": "access",
"mode": "user|machine|appointment",
"sub": "70...ji", "app or module ID",
"user": { "optional, only if mode = user",
"id": "9d...3Q", "user ID",
"gender": "NOT_SPECIFIED|MALE|FEMAL|OTHER",
"title": "Dr.", "can be empty",
"firstName": "John",
"lastName": "Doe",
"profilePicture": "URL", "URL to an Image, can be empty",
"locale": "de_DE",
"admin": false, "always false, if no organization ID submitted",
},
"appointment": "ed...kX", "optional, only if mode = appointment",
"organization": "f6...gw", "optional",
"permissionList": [ "optional",
"appointmentAdd",
"appointment",
"appointmentCancel",
],
"customEntityTypeList": [ "optional",
"cat",
"dog",
],
}
Discovery documents
To simplify implementations and increase flexibility, bookingtime allows the use of a "Discovery document," a JSON document found at a well-known location containing key-value pairs which provide details about the configuration.
The Discovery document may be retrieved from:
https://auth.bookingtime.com/.well-known/oauth-authorization-server
https://auth.bookingtime.com/.well-known/openid-configuration
This endpoint will contain the JWK used to verify all bookingtime issued JWTs:
https://auth.bookingtime.com/.well-known/jwks.json
Additional references
- more standardized claims: JWT claims maintained by the Internet Assigned Numbers Authority.
Authorization Code Flow
Single page applications use the Authorization Code Flow as specified in section 1.3.1. of RFC6749.
- The user is on a third-party single page application (SPA). To log in, he follows a bookingtime login link.
- The user requests the rendered HTML for the bookingtime authorization frontend from the bookingtime authorization server. The request contains the query parameters
response_type
,client_id
,redirect_uri
andstate
:-
response_type
: The only valid value iscode
. -
client_id
: The ID of your client, as submitted when you register your application. -
redirect_uri
(optional): The link to which the user should be redirected after a successful login process. This parameter is optional. If not set, the default value set during client registration is used. -
state
(optional): Can contain the value of the tamper-proof, unique session token, as well as any other information needed to restore context when the user returns to your application, such as the startup URL.
-
- The user receives the rendered HTML of the registration form from bookingtime.
- The user fills in his login data in an input form and sends it to the authorization server.
- The authorization server validates the credentials and generates a unique, short-lived temporary code (lifetime 5 minutes).
- The user receives a redirect to the previously specified address of the 3rd-party as a response. The link contains the additional query parameters
state
andcode
. - The browser follows the redirect back to the third-party website and makes the query parameters accessible to the third-party SPA.
- The third-party SPA requests a refresh token from the authorization server, using the temporary code (obtained when entering the user credentials in the authorization frontend). The request is a
POST
request with the following application/json encoded parameters:-
grant_type
: The only valid value isauthorization_code
. -
client_id
: The ID of your client, as submitted when you register your application. Must be App or Module ID, according to the API to query. -
code
: The code query parameter you received with the redirect link.
-
- The authorization server returns a refresh token to the user.
- The third-party SPA requests a access token from the authorization server, using the refresh token. The request is a
POST
request with the following application/json encoded parameters:-
grant_type
: The only valid value isrefresh_token
. -
client_id
: The ID of your client, as submitted when you register your application. Must be App or Module ID, according to the API to query. -
refresh_token
: The refresh token you just received. -
organization_id
: The organization ID you want to query.
-
- The authorization server returns a access token to the user.
- The third-party SPA can now make authenticated requests to the bookingtime APIs as long as the access token is valid.
Example of code exchange for a refresh token with cURL:
export var CLIENT_ID=70B9EOUxfSN0p866nCa2zGVKmaaaTEST
export var CODE=aclWYuMCMIeSvf0fL0OxQxXuYgggTEST
curl -X POST \
-d grant_type=authorization_code \
-d client_id=$CLIENT_ID \
-d code=$CODE \
https://auth.bookingtime.com/oauth/token
Example of refresh token exchange for a access token with cURL:
export var CLIENT_ID=70B9EOUxfSN0p866nCa2zGVKmaaaTEST
export var REFRESH_TOKEN=eyJ0...I60
export var ORGANIZATION_ID=f6...gw
curl -X POST \
-d grant_type=refresh_token \
-d client_id=$CLIENT_ID \
-d refresh_token=$REFRESH_TOKEN \
-d organization_id=$ORGANIZATION_ID \
https://auth.bookingtime.com/oauth/token
See the request body schema in our API documentation:
Get Refresh Token for Users
Get Refresh Token for Appointments
Client Credentials Flow
For machine-to-machine communication, the Client Credentials Flow is used as specified in section 1.3.4. of RFC6749.
Please note that this flow must not be used in single page applications (SPAs) and native applications under any circumstances. The client secret must be kept confidential and static client secrets could easily be extracted by third parties!
- A non-browser (e.g. backend service) requests a refresh token from the bookingtime authorization server. Authentication is done either by setting
client_id
andclient_secret
as basic authorization header or by submitting these values in the request body. If the parameters are submitted in both ways, the values in the header are used. The request is aPOST
request with the following application/json encoded parameters:-
grant_type
: The only valid value isclient_credentials
. -
client_id
: The ID of your client, as submitted when you register your application. Must be App or Module ID, according to the API to query. -
client_secret
: This field is required or not available, depending on the addressed API.
App API: The secret of your client, as submitted when requested. How to register applications. Currently only possible, if the app will be created before an organization. Please contact the support for help.
Module API: Not available or empty, both will be accepted.
-
- The authorization server validates the credentials and generates a refresh token.
- The authorization server returns a refresh token to the client.
- The client requests a access token from the authorization server, using the refresh token. The request is a
POST
request with the following application/json encoded parameters:-
grant_type
: The only valid value isrefresh_token
. -
client_id
: The ID of your client, as submitted when you register your application. Must be App or Module ID, according to the API to query. -
refresh_token
: The refresh token you just received. -
organization_id
: (optional) The ID of the organization to query.
-
- The authorization server returns a access token to the client.
- The non-browser client can now perform authenticated requests to the bookingtime APIs as long as the access token is valid.
Example of client credentials to refresh token exchange with cURL:
export var CLIENT_ID=70B9EOUxfSN0p866nCa2zGVKmaaaTEST
export var CLIENT_SECRET=1234567890123456789012345678901234567890123456789012345674444444
curl -X POST \
-d grant_type=client_credentials \
-u client_id:$CLIENT_ID
-u client_secret:$CLIENT_SECRET
https://auth.bookingtime.com/oauth/token
Example of refresh token exchange for a access token with cURL:
export var CLIENT_ID=70B9EOUxfSN0p866nCa2zGVKmaaaTEST
export var REFRESH_TOKEN=eyJ0...I60
export var ORGANIZATION_ID=f6...gw
curl -X POST \
-d grant_type=refresh_token \
-d client_id=$CLIENT_ID \
-d refresh_token=$REFRESH_TOKEN \
-d organization_id=$ORGANIZATION_ID \
https://auth.bookingtime.com/oauth/token
See the request body schema in our API documentation:
Get Refresh Token for Machines
Refresh Token Flow
To obtain a new access token using the refresh token, the Refresh Token Flow is used as described in section 1.5. of RFC6749.
This flow can be used by browsers and non-browser based clients.
- A browser or non-browser requests a refresh token from the bookingtime authorization server. This is done by a
POST
request using the following application/json encoded parameters:-
grant_type
: The only valid value isrefresh_token
. -
client_id
: The ID of your client, as submitted when you register your application. Must be App or Module ID, according to the API to query. -
refresh_token
: The refresh token you got with the authorization or client credential flow. -
organization_id
: (optional) The ID of the organization to query.
-
- The authorization server validates the refresh token and generates a access token.
- The authorization server responds with a access token.
- The client can now make authenticated requests to the bookingtime APIs as long as the access token is valid.
The refresh token will be rejected before expiration in the following cases:
- the user changes his password (see Authorization Code Flow)
- the app/module changes
- the client secret is changed (see Client Credentials Flow)
Example of refresh token to access token exchange with cURL:
export var CLIENT_ID=70B9EOUxfSN0p866nCa2zGVKmaaaTEST
export var REFRESH_TOKEN=eyJ0e...
export var ORGANIZATION_ID=f6dS3eSezWO4ohcznIzoTb5JzzmbTEST
curl -X POST \
-d grant_type=refresh_token \
-d client_id=$CLIENT_ID \
-d refresh_token=$REFRESH_TOKEN
-d organization_id=$ORGANIZATION_ID
See the request body schema in our API documentation:
Get Access Token
Comments
0 comments
Please sign in to leave a comment.