With OAuth2, any Ringdesk user can create a safe third-party login.
You want to implement single sign-on for the Ringdesk Plug-in in your CRM solution.
What you must not do: store the Ringdesk username and password in your own database, next to your user's profile, and use these credentials to log in to the Plug-in.
- You never want to store credentials (even when encrypted) of a third-party application in your own application.
- You never want a user to even think that you could have known his credentials.
How to do it with OAuth2?
- You create your own authentication client. This client is the key used to create and accept tokens for use within your application.
- You create a login token for the user via a safe process in which the username and password are never entered in your own application.
- You store the user's refresh_token safely in your application's database. The token does not hold any credentials of the user account, and only you are able to create a new access_token with it.
Step 1 – Create the OAuth2 client
Log in to the Ringdesk portal and select Auth clients in the left menu (you need the Admin role).
Step 2 – Test the OAuth2 client
You can use multiple solutions. We used Postman (https://www.getpostman.com/) to show you how it works.
In this example we show you how to call myprofile via an OAuth2 token:
- Call GET https://api.ringdesk.com/v1/account/myprofile
- Select TAB Authorization
- Select TYPE = OAuth2.0
- Press “Get New Access Token”
Set the correct parameters for the OAuth2 request.
Keep in mind that the Callback URL of Postman is https://www.getpostman.com/oauth2/callback.
When using your own application, the callback route must be implemented. You can use many of the programming libraries available.
A new popup will appear from Ringdesk.com.
Log in with your Ringdesk username and password.
The OAuth2 client (MyApp) will request your permission to use your profile. Please accept all.
After clicking “Yes, Allow” the OAuth2 client will call the callback URL, validate your session and send the access_token and refresh_token.
To gain access to Ringdesk for the respective user, you will only need the refresh_token. Third-party applications may store the refresh token for later use.
But please keep in mind: even though you are able to revoke access for this user, and even for the whole OAuth2 client, the token must always be stored in a safe way!
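The callback route you implement in your own application should only accept a redirect that belongs to a login your application started. The following is an added example, not Ringdesk's own code: it assumes the authorization code grant with the standard OAuth2 `state` parameter, and the authorize URL, client id, redirect URI and function names are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (assumptions, not taken from the Ringdesk portal).
AUTHORIZE_URL = "https://auth.example.invalid/connect/authorize"
CLIENT_ID = "myapp-client-id"
REDIRECT_URI = "https://crm.example.invalid/oauth/callback"


def begin_login(session: dict) -> str:
    """Bind a random state value to the user's session and build the login URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect; return the code to exchange at the token endpoint."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay fails
    received = params.get("state", [""])[0]
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if expected is None or not hmac.compare_digest(
        expected.encode(), received.encode()
    ):
        raise ValueError("state mismatch: callback is not tied to this session")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("missing or duplicated authorization code")
    return codes[0]
```

The code returned by `handle_callback` is exchanged server-side, so the access_token and refresh_token never pass through the user's browser.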
What to do with the token and refresh token?
The refresh token gives your third-party solution the possibility to create a new access_token:
Call https://auth.ringdesk.com/connect/token with the following parameters in the body: