Authentication¶
There are 2 type of authentication available using the API:
- Authentication as a system with an API Key
- Authentication as a specific person using a user session
Some API calls require you to authenticated as a user.
API Key¶
You authenticate to the EC English API by providing your API key in the X-ApiKey
in the request header.
Your API key carries many privileges, so be sure to keep it secret.
Example request:
GET /TestConnection HTTP/1.1
Host: api.ecenglish.com
Accept: application/json
X-ApiKey: MyApiKey
Example response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 69
Content-Type: application/json
{
"Message":"Connected at 2015-06-02 11:27:51Z"
}
All API requests must be made over HTTPS, calls made over HTTP will fail.
User Session¶
You can provide a user session using the X-EC-Session
request header. Note that you must include the word
Bearer
before the session value. You can obtain a user session using OAuth Authentication.
GET /TestConnection HTTP/1.1
Host: api.ecenglish.com
Accept: application/json
X-EC-Session: Bearer a-valid-token
Example Response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 69
Content-Type: application/json
{
"Message":"Connected at 2015-06-02 11:27:51Z"
}
Expiry of Sessions¶
User sessions will expire after a period of time. Once the session has expired you’ll receive a 403 Forbidden
response.
If you get a forbidden response then you need to obtain a new session id by either asking the user to login again using
OAuth Authentication or by using a Refresh Token to obtain a new session id without intervention from the user.
Example Response When The Session has Expired:
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Length: 142
Content-Type: application/json
{
"ResponseStatus":
{
"ErrorCode": "Forbidden",
"Message": "Your session is invalid or has expired",
}
}
OAuth Authentication¶
We provide an OAuth 2.0 compatible authentication service to allow your users to authenticate directly with us.
The process for performing OAuth login is
Get in touch with us to setup your system as an OAuth client; then
Redirect users to our sign in pages where they enter their credentials; then
Once users have logged in we’ll redirect them back to your site with a one-time access code; then
- Your site POSTs the access code along with a secret token to our web services to obtain a session id
- You can call the API with a session ID to get details about the user
Redirect the user to the login page¶
You should redirect the user to https://signin.ecenglish.com/oauth with the following query string parameters
- client_id
- This should be the client id we provided when your site was setup to use OAuth
- response_type
- This should always be the value
code
- redirect_uri
- This should be the URL you want the client to be redirected to once they’ve logged in. This must be exactly the same value that you provided when your client was setup.
- state
- This will be passed back to you as a parameter when the client is redirected back to your site. You should include an anti-forgery token as part of this value and validate it when the user is redirected back to your site
Example URL:
https://signin.ecenglish.com/oauth?client_id=client-333&response_type=code&redirect_uri=https://example.com&state=dfjlkdsfsks
When users are redirected back to your site¶
The users will be redirected back to the specified page on your site with the following query string parameters
- state
- This is the value that was passed to us.
- code
- This is a one time code that can be used to retreive a session id for the user
Once you’ve validated the anti-forgery token you added to the state parameter is valid you can convert the code
value
into a session id.
Converting a code into a session id¶
To convert the code
value provided when the user was redirect back to your site into a session id, your website should
perform a POST request to https://signin.ecenglish.com/oauth/token and provide the following parameters using
the application/x-www-form-urlencoded
content type.
- grant_type
- This must be the value
authorization_code
- code
- The code provided by the redirect
- client_id
- The client id we provided when your site was setup using OAuth
- client_secret
- This is the value we provided when you were setup to use OAuth
- redirect_uri
- This must be exactly the same value that you provided when your client was setup. This is only used to validate your token request as your website should be POSTing to this endpoint directly
The response message will be a json object with the following fields:
- access_token
- This is the session id
- token_type
- This will be the value
Bearer
- scope
- This will either be
student
oragent
to indicate if the token is for a student or an agent - refresh_token
- This allows you to obtain another
access_token
after the current one has expired without asking the user to login again.
Example Request:
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
client_id=client-333&grant_type=authorization_code&redirect_uri=https://www.example.com&code=dkdk&client_secret=cvjlkdf
Example Response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 107
{
"access_token": "jkldfjdflk",
"token_type": "Bearer",
"scope": "agent"
}
Getting a users details using a session id¶
You can call the API to get the basic details of a logged in user:
** Example Request **
POST /oauth/token HTTP/1.1
Content-Type: application/json
Content-Length: 2
X-EC-Session: Bearer some-session-id
{}
** Example Response for a student **
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 193
{
"Id": "an-id",
"FirstName": "John",
"LastName": "Smith"
"Email": "johnsmith@example.com",
"StudentDetails": {
"Id": 882
}
}
** Example Response for a agent **
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 208
{
"Id": "an-id",
"FirstName": "Margery",
"LastName": "Jones"
"Email": "margeyjones@example.com",
"AgentUserDetails": {
"AgentCode": "A88",
"OfficeCodes": ["O1"]
}
}
** Example Response for Staff **
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 208
{
"Id": "an-id",
"FirstName": "Emily",
"LastName": "Pankhurst"
"Email": "emily@example.com",
"StaffDetails": {
"UserName": "x988"
}
}
OAuth refresh tokens¶
Refresh tokens allow you to get a new user session id without requiring the user to login. They work as follows:
- Let us know that you’d like to use refresh tokens because we’d need to be enable them for your account
- The first time a user uses your application ask them to login as described in OAuth Authentication
- Store the
refresh_token
that you received during the user’s first login in a secure location- Next time you need to obtain a session id for the user you can use the refresh_token to do so.
Each refresh token can only be used once. We’ll provide you with another valid refresh token every time you convert a refresh token into a session id.
Refresh tokens are sensitive peices of data because they allow you to create a user session. Please follow the following guidelines when dealing with refresh tokens:
- Store them in a secure location in an encrypted format
- Do not send to the user’s browser or allow the user to see the refresh token value. These values are private to your application.
Obtaining a session id using a refresh token¶
You can convert your refresh_token
value into a session id by performing a POST request
to https://signin.ecenglish.com/oauth/token and provide the following parameters using
the application/x-www-form-urlencoded
content type.
- grant_type
- This must be the value
refresh_token
- refresh_token
- The refresh token you wish to convert into a session id
- client_id
- The client id we provided when your site was setup using OAuth
- client_secret
- This is the value we provided when you were setup to use OAuth
The response message will be a json object with the following fields:
- access_token
- This is the session id
- token_type
- This will be the value
Bearer
- scope
- This will either be
student
oragent
to indicate if the token is for a student or an agent - refresh_token
- You can use this value as a
refresh_token
to authenticate the user the next time you need a session (eachrefresh_token
can only be used once)
Example Request:
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
client_id=client-333&grant_type=refresh_token&refrsh_token=jkldfds8&client_secret=cvjlkdf
Example Response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 159
{
"access_token": "jkldfjdflk",
"token_type": "Bearer",
"scope": "agent",
"refresh_token": "new-refresh-token-value"
}
Dealing with a revoked refresh token¶
Refresh tokens can be revoked by the user. They will also be automatically revoked if they’ve not been used for a long period of time. If you try to use a revoked refresh token you’ll get a response like this:
HTTP/1.1 400 Bad Request
Content-Type: application/json
Content-Length: 93
{
"error": "Invalid refresh token",
"error_description": "invalid_grant"
}
If you recive an invalid_grant
response you’ll need to ask the user to login again to obtain a new
refresh token.