Unity API - Authentication

  • 30 May 2017
  • 3 replies
  • 274 views

I am working with a developer to create a Python Script to pull out Site Name and Number of Machines an agent is installed on out of our MSP Dashboard for billing purposes.  From what I’ve read on  https://unityapi.webrootcloudav.com/Docs/en/APIDoc/PasswordAuthentication the token request must include a "Username, Password" and a "Client ID / Client Secret".  Nearly every API solution i work with only requests Client ID / Secret, can someone clarify why we need to provide a username/password as well?  I’d rather my developer not have to implement 2 authentication mechanisms.  
 
Can anyone clarify WHY or IF we do indeed need both?
 

3 replies

Userlevel 4
Badge +9
Hi @,
 
The Unity API uses the OAuth 2.0  authorization protocol. There are generally two parts that comprise a successful OAuth authentication; the resource owner and the authorization server. The resource owner in this scenario is our Console back-end, and the Authorization server would be the Unity API. Our Console back end issues an Authorization Grant to the Client (customer) which is then passed back to the Authorization Server (Unity API) and if both are granted, then a Bearer Token is issued. This Bearer Token is only valid for a very brief period of time (299 seconds). However, this should only ever be used once, and once it is created, you should use the Bearer Token to create a Refresh Token, which is good for 15 days. This is not only common industry practice, but greatly enhances the security of not only our Unity API, but also our customer’s data. This dual-authentication method is only required once in order to properly issue and secure a Bearer Token, and then the customer should not be creating any future Bearer Token requests. For more details on the OAuth 2.0 framework, please visit https://tools.ietf.org/html/rfc6749.
 
Regards,
Joseph
Ok, in that case, our Python script will be run every 30 days for billing purposes - so we'll need a new bearer token each time.
Userlevel 4
Badge +9
Hi @,
 
The recommended best practice in this scenario is to renew your Refresh Token instead of requesting a new Bearer Token. When you request a new Refresh Token, it will restart the 15 day time to live over again. So, for example, this could be scheduled to run each week in order to keep the token alive.
 
Regards,
Joseph

Reply