Token exchange flow - how to register and login user

Here is my understanding of the token exchange flow:

First I should follow this section of the docs: https://developers.tapkey.io/api/authentication/identity_providers/

After I created identity provider, I want to register my test user using this endpoint https://developers.tapkey.io/openapi/tapkey_access_management_web_api_v1/#/Identity%20Provider%20Users/OwnerIdentityProviderUsers_Put

First question related to the endpoint above is, how do I authorize this request? On the swagger documentation there are only clientCredential and AuthorizationCodeAuth options. Does this mean I need one of these types of authorization, so that I can authorize a request from my server (from the application's point of view, let's say), for endpoints like:

  • List all owners
  • Register user
  • etc.

Now let's say I registered a user, using client credentials to authorize the request. I am trying to login, following the Token Exchange section in the docs.

There it says I need to use this POST https://login.tapkey.com/connect/token, I am formatting the JWT as said in the docs, and sending it to this endpoint. I am using the client_id from my token exchange OAuth client. I got an error with the following message, which is pretty clear to me, but I can't find the solution for it.

{ error: 'unauthorized_client', error_description: 'Client not authorized' }

Solution 1:

Mostly, the listed authentication types in the swagger documents are there to be able to test the endpoints within the swagger UI. So it is possible to create an OAuth client, pass it to the swagger UI and test the endpoints.

The endpoints themselves do not differ between authentication types.

Which authentication method should be used depends on the purpose.

Authorization Code Flow

If you have a service, which works on behalf of a Tapkey user, the authorization code flow should be used.

E.g. you have a booking platform, and your customer should be able to grant access to locks owned by them.

It is not possible to use the authorization code flow to login into the Tapkey Mobile SDK and unlock locks. An authorization code client cannot request the scopes required for that.

Client Credential Flow

For server-to-server communication to manage your services, e.g. for adding identity provider users or managing locks which are owned by your services, the client credential flow would be a good choice.

For that, the client credential client must be authorized as an administrator to the specific locking system.

Token Exchange Flow

To login your users into your app and use the Tapkey Mobile SDK to unlock locks, you have to sign your own JWT tokens on your server and exchange them on the client with the token exchange flow.

Please be aware: It is not possible to use the authorization code flow to sign in as a Tapkey user and then exchange it via token exchange.
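The two halves of the token exchange flow described above, as an added example that is not part of the question or Harald's answer: the server mints a short-lived JWT for one of its users, a receiving side checks it before trusting its claims, and the client builds the token-exchange request body (RFC 8693) to POST to the token endpoint named in the question. The HS256 shared-secret signing (chosen so the example runs offline), the claim set, the audience and the scope placeholder are assumptions; the Tapkey docs define the actual signing and claim requirements.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.tapkey.com/connect/token"  # endpoint named in the question

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_jwt(secret: bytes, issuer: str, subject: str, audience: str,
             ttl_seconds: int = 300, now=None) -> str:
    """Server side: sign a short-lived JWT identifying one of your own users.
    HS256 with a shared secret is an assumption made so this runs offline."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl_seconds}  # claim set is an assumption
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Receiving side: reject bad signature, wrong audience or expired token
    before any claim is trusted."""
    now = int(time.time()) if now is None else now
    h, p, s = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        raise ValueError("wrong audience or expired")
    return claims

def token_exchange_body(client_id: str, subject_token: str, scope: str) -> dict:
    """Client side: form fields of the token-exchange grant (RFC 8693).
    client_id is the token exchange OAuth client; scope values come from the docs."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "client_id": client_id,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": subject_token,
        "scope": scope,
    }

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    jwt = mint_jwt(secret, "https://idp.example", "user-42", "demo-audience", now=1_700_000_000)
    print(verify_jwt(jwt, secret, "demo-audience", now=1_700_000_100)["sub"])
    print(urlencode(token_exchange_body("demo-client-id", jwt, "SCOPES_FROM_DOCS")))
```

The printed form body is what the client would POST (as application/x-www-form-urlencoded) to TOKEN_ENDPOINT.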

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Harald