Email: [email protected]
Password: TestPaSSword1
Note: our testing/uat environment is available at: https://api.uat.westfield.io/ and https://account.uat.westfield.com/
Swagger docs for the API endpoints related to authentication & user/shopper data management can be viewed & explored at http://api.westfield.io/
- https://api.westfield.io/#!/default/people_token_post
- https://api.westfield.io/#!/default/people_token_info_get
- https://api.westfield.io/#!/default/people_revoke_post
- https://api.westfield.io/#!/default/people_get
- https://api.westfield.io/#!/default/people_post
- https://api.westfield.io/#!/default/people__uuid__get
- https://api.westfield.io/#!/default/people__uuid__put
- https://api.westfield.io/#!/default/people__uuid__delete
- https://api.westfield.io/#!/default/password_resets_post
- https://api.westfield.io/#!/default/password_resets__id__put
The first step involves acquiring an access_token. If you have the username & password credentials, the simplest option is to use the password grant flow option eg:
curl -H 'Accept: application/json; version=1' \
-H 'Content-Type: application/json' \
-d '{
"grant_type":"password",
"username":"[email protected]",
"password":"TestPaSSword1",
"client_id":"{CLIENT_ID}",
"client_secret":"{CLIENT_SECRET}"
}' \
https://api.westfield.io/people/token
{
"access_token":"7211fe017c43573de2afa9bb2e1e7778fee05d07fb511eeabae6e3baacecf8ac",
"token_type":"bearer",
"expires_in":28800,
"refresh_token":"92dd2d86b44ffcb5477368c37afcb0801d16b2aef20612b21be2fe041178eeb7",
"created_at":1429768474
}Once you have successfully received an access_token, you can fetch data about the token & the user to which it belongs.
The resource_owner attribute will return the user data.
curl "https://api.westfield.io/people/token/info?access_token=7211fe017c43573de2afa9bb2e1e7778fee05d07fb511eeabae6e3baacecf8ac&version=1"
{
"scopes":[],
"expires_in_seconds":28584,
"expires_at":1429797274,
"created_at":"2015-04-23T05:54:34.661Z",
"session_id":null,
"uuid":"989fd152-65af-4c0e-9c94-a7fa4c12a48d",
"resource_owner":{
"uuid":"989fd152-65af-4c0e-9c94-a7fa4c12a48d",
"first_name":"first-name-1429763908",
"last_name":"last-name-1429763908",
"email":"[email protected]",
"created_at":"2015-03-18T20:42:55.002Z",
"updated_at":"2015-04-23T04:38:30.542Z"
}
}The access token and API version can also be passed within the headers eg:
curl -i \
-H 'Authorization: Bearer 7211fe017c43573de2afa9bb2e1e7778fee05d07fb511eeabae6e3baacecf8ac' \
-H "Accept: application/json; version=1" \
https://api.westfield.io/people/token/info?version=1This is the standard 3 legged OAuth flow where the end user authorizes the client application on account.westfield.com before returning to the client app/website with an authorization_code that can then be used to create the access_token. This will require the requesting application to be registered with Westfield and issued with a client_id & secret.
The applications redirect uri must be also be registered with Westfield. so that we can trust that we are sending the user to back to the correct/trusted location.
e.g. https://example.com/oauth/callback or
westfield-ios-app://oauth/callback
Note: To allow custom schemes to be used for IOS and Android applications https is not enforced. Please take care to never use
httpit is not secure.httpsshould always be used with the exception of custom schemes required for mobile applications!
The client application first redirects the user to the Westfield (account.westfield.com/authorize) along with the client_id, redirect_uri, and
response_type (which is set to code)
e.g. https://account.westfield.com/authorize?client_id={CLIENT_ID}&redirect_uri=https://example.com/oauth/callback&response_type=code
Upon successful authentication the user will be returned to the specified uri with an authorization code.
e.g. https://example.com/oauth/callback?code={AUTHORIZATION_CODE}
The authorization code can be exchanged for an access token by making a
POST request to the access-service token endpoint with a grant_type of
authorization_code and including the code, client_id,
client_secret, and redirect_uri.
curl -H "Accept: application/json; version=1" \
-H "Content-type: application/json" \
-d '{ \
"grant_type":"authorization_code", \
"code":"{AUTHORIZATION_CODE}", \
"client_id":"{CLIENT_ID}", \
"client_secret":"{CLIENT_SECRET}", \
"redirect_uri":"https://example.com/oauth/callback" \
}' \
https://api.westfield.io/people/tokenPOST /people/token HTTP/1.1
Host: api.westfield.io
Accept: application/json; version=1
Content-Type: application/json
{
"grant_type":"authorization_code",
"code":"{AUTHORIZATION_CODE}",
"client_id":"{CLIENT_ID}",
"client_secret":"{CLIENT_SECRET}",
"redirect_uri":"https://example.com/oauth/callback"
}
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
{
"access_token" : "{ACCESS_TOKEN}",
"refresh_token" : "{REFRESH_TOKEN}",
"created_at" : 1424901637,
"expires_in" : 28800,
"token_type" : "bearer"
}Note: For ease of testing the version can also be specified as a query parameter. Once implemented it is preferred to be placed in the Content-Type header.
To allow an end user to log out and/or switch users you can link to the logout url on account.westfield.com with the following parameters:
client_id=your client_idredirect_uri=your registered oauth callback/redirect_urlresponse_type=codeauthorize=truethis lets us know that you want to restart the /authorize flow when the user logs back in.
Eg URL:
https://account.westfield.com/logout?client_id=3a09faffc5c37dd29bf127f9cd161b1a4e789a84137599d5b2cd695bad32f2dd&redirect_uri=https://food.westfield.com/oauth/callback&response_type=code&authorize=true
Nice stuff, dan! will this make it into the repo's readme or some other location? Probably needs to be in the API long-form documentation, I guess. It wouldn't fit in swagger, would it?