OAuth 2.0 – REST API Authentication

Objective

Provide a modern authentication service for users of the Seller Center REST API. This service allows third party applications to access a Seller's Seller Center resources on that user's behalf, subject to the user's ACL.

Configuration Information

Critical Knowledge
By default, the feature is available only to the admin, Seller full access, and developer user roles. If other roles need it, the ACL Manager has to assign the resources “Integration Management” and “Manage Developer Apps” to the required user roles.
To enable OAuth, please raise a TMLSD ticket. The parameter that needs to be enabled is core:oauth/enabled.

Registering an Application

Applications requiring access to the Seller Center REST API need to be registered through the OAuth interface. Registration yields an application ID and an “application secret.” Both values have to be provided to the third party application, which presents them to obtain the access tokens required for authentication.

Step 1: Under Settings > Integration Management, open the “OAuth Applications” tab.
Step 2: Click “Add Application”.
Step 3: Enter the name of your application and the authorization redirect URL:
  • “Application Name” is a name you can identify your application by.
  • “Authorization redirect URL” is the URL the user should be redirected to in order to perform their desired operations.
  • “Website URL” (optional) is the homepage of the application. It serves as additional information only and is not used for authentication or redirection.
  Then click “Save”.
Step 4: The application ID of the created application is shown in the table.
Step 5: To retrieve the application ID and the application secret (which have to be provided to the third party application requiring authorization), click “Edit” to view the application details.


Accessing the Resources

When a registered third party application accesses the resources behind the API, the access permissions of the user who authorized it are enforced. For example, a user trying to retrieve account statements through the API also needs the “account statements” resource assigned to their user account (defined in “Permission Control” by the ACL Manager). A valid access token on its own is therefore not sufficient; the token only acts with the rights of the user it was issued for.
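The following is an added example, not Seller Center code, that walks through the registration step above (application ID and secret, redirect URL) and the token-based access to an ACL-protected resource described in this section, using the OAuth 2.0 authorization code flow. The authorization and resource servers are in-memory stand-ins so the example runs offline; the endpoint URL, the redirect URL, the user names and the ACL contents are all constructed assumptions, as this page does not state Seller Center's real OAuth endpoints.

```python
import hmac
import secrets
import urllib.parse

# Placeholder: the real Seller Center authorization URL is not given on this page.
AUTHORIZE_URL = "https://sellercenter.example/oauth/authorize"


def build_authorization_url(client_id, redirect_uri, state):
    """Where the application sends the user to approve access (authorization code flow)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # random per-request value that the client verifies on return
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Read the code from the redirect; a state mismatch means the callback was not
    produced by this client's own authorization request, so it is rejected."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if query.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to our authorization request")
    return query["code"][0]


class AuthorizationServer:
    """Constructed stand-in for the Seller Center OAuth service."""

    def __init__(self):
        self.apps = {}    # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}   # code -> (client_id, user, redirect_uri)
        self.tokens = {}  # access_token -> user the token was issued for

    def register_app(self, name, redirect_uri):
        """Equivalent of 'Add Application': returns the application ID and secret."""
        client_id = secrets.token_hex(8)
        client_secret = secrets.token_urlsafe(32)
        self.apps[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret

    def authorize(self, client_id, redirect_uri, user, state):
        """The user approves the app; the server redirects back with a one-time code."""
        if client_id not in self.apps or self.apps[client_id][1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri not registered")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, redirect_uri)
        return redirect_uri + "?" + urllib.parse.urlencode({"code": code, "state": state})

    def exchange_code(self, client_id, client_secret, code, redirect_uri):
        """The application authenticates with its secret and swaps the code for a token."""
        registered = self.apps.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            raise PermissionError("invalid client credentials")
        issued = self.codes.pop(code, None)  # codes are single-use
        if issued is None or issued[0] != client_id or issued[2] != redirect_uri:
            raise PermissionError("invalid, reused or mismatched authorization code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = issued[1]
        return token


class ResourceServer:
    """The REST API: validates the token, then checks the user's ACL for the resource."""

    def __init__(self, auth_server, user_acl):
        self.auth = auth_server
        self.user_acl = user_acl  # user -> set of resources assigned in Permission Control

    def get_account_statements(self, access_token):
        user = self.auth.tokens.get(access_token)
        if user is None:
            return 401, "invalid token"
        if "Account Statements" not in self.user_acl.get(user, set()):
            return 403, "user lacks resource 'Account Statements'"
        return 200, "statements for " + user


def run_flow(user, user_acl):
    """Full round trip: register, authorize, exchange, call the API. Returns the HTTP status."""
    auth = AuthorizationServer()
    api = ResourceServer(auth, user_acl)
    redirect_uri = "https://thirdparty.example/callback"  # constructed
    client_id, client_secret = auth.register_app("Inventory Sync", redirect_uri)
    state = secrets.token_urlsafe(16)
    build_authorization_url(client_id, redirect_uri, state)  # URL the user would be sent to
    callback = auth.authorize(client_id, redirect_uri, user, state)
    code = parse_callback(callback, state)
    token = auth.exchange_code(client_id, client_secret, code, redirect_uri)
    return api.get_account_statements(token)[0]


if __name__ == "__main__":
    acl = {"alice": {"Account Statements", "Orders"}, "bob": {"Orders"}}  # constructed
    print(run_flow("alice", acl))  # 200: token valid and resource assigned
    print(run_flow("bob", acl))    # 403: token valid but resource not assigned
```

The two calls at the bottom show the point of the last paragraph: both users complete the same OAuth flow and both hold valid tokens, but only the user whose account has the “Account Statements” resource assigned gets the data back. The secret comparison uses a constant-time check and authorization codes are consumed on first use, which is the behaviour a client should expect from the real token endpoint.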