OAuth 2.0 Documentation | AT&T Developer

OAuth 2.0 API

Introduction

The OAuth 2.0 Authentication Management API provides a safe and secure way for AT&T Wireless customers to access the AT&T Wireless network through a third-party app without the risk of compromising security.

This API ensures that secure, sensitive, and private AT&T Wireless customer-related details are not exposed to the third-party app. This API is based on an open framework recognized as providing a strong protection for users and apps.

This API provides you with a security model that enables you to obtain an OAuth authorization code and an OAuth access token. This API enables third-party apps to access the private resources of the customer without requiring the customer to provide credentials to the third-party app, such as a user name and password. By acquiring an OAuth authorization code, a customer authorizes an app to access a protected resource on behalf of the customer. The receipt of an OAuth access token enables an app to access a protected resource on behalf of a customer via the AT&T Wireless network.

Considerations

The RESTful OAuth 2.0 Authentication Management API provided by AT&T has the following considerations for you to keep in mind.

The OAuth 2.0 Authentication Management API is the source of OAuth access tokens for use with all of the APIs provided by AT&T.
You should specify an API scope in your request for all of the APIs that are included in your app account.
The current implementation of this API sets the default value for the expires_in parameter to 172800 seconds, which signifies that the time-to-live for the OAuth access token is 2 days. The time-to-live for the OAuth refresh token is set to 7776000 seconds, which signifies that the time-to-live for the OAuth refresh token is 90 days.

Note: The actual time-to-live value may be different, so you should always check the value in the parameterexpires_in parameter.

The current implementation of this API implements a Remember Me feature, which simplifies the process of granting consent by remembering the customer after the initial authorization. The Remember Me feature is enabled by default.

Provisioning

The RESTful OAuth 2.0 Authentication Management API provided by AT&T requires that you provision your app as follows.

You must register an app account on the AT&T Developer Program website in order to utilize this API.

Resources

Get Access Token

The Get Access Token method obtains an OAuth access token which must be presented by the authorized app to make subsequent RESTful API requests to the API Gateway.

The OAuth access token is able to be obtained using any of the following workflows.

Your app must provide the App Key and App Secret that are specified in your app account in order to obtain an OAuth access token from the API Gateway.

Using the OAuth Authorization Code

This mechanism is used for an app that makes requests to APIs that require consent from the user.

You must send a Get User Authorization method request for an OAuth authorization code prior to requesting an OAuth access token.

The OAuth authorization code signifies the successful completion of an user consent authentication and must be exchanged for an OAuth access token.

This is the default configuration of the API Gateway for the following APIs.

Address Book API (AAB)
Device Capabilities API (DC)
In-App Messaging API (IMMN, MIM)
Using the App Key and App Secret
This mechanism is used for an app that makes requests to APIs that do not require user consent.

This is the default configuration of the API Gateway for the following APIs.
Advertising API (ADS)
MMS API (MMS)
SMS API (SMS)
Speech API (SPEECH, STTC, TTS)
Using an OAuth Refresh Token
This mechanism is used to obtain a new OAuth access token using an OAuth refresh token.

The OAuth refresh token is used whether the original OAuth access token was requested using the OAuth authorization code or the App Key and App Secret.

This method does not require customer interaction even if the initial OAuth access token is obtained using an OAuth authorization code.

An OAuth refresh token is valid for 90 days, as indicated in the Considerations section.

Note: If a new OAuth access token is requested, then the original OAuth refresh token and associated OAuth access token are no longer valid and are no longer able to be used.

OAuth Scope

Scope: Not Applicable

Model: Not Applicable

Resource

POST https://api.att.com/oauth/v4/token

URL Encoded (authorization_code)

Request

POST https://api.att.com/oauth/v4/token HTTP/1.1
Host: api.att.com
Content-Type: application/x-www-form-urlencoded
Accept: application/json
User-Agent: curl/7.37.0
Content-Length: 117

client_id=ABCDEF0123456789ABCDEF0123456789&client_secret=ABCDEF0123456789&grant_type=authorization_code&code=ABCDEF0123456789

Response

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Date: Wed, 30 Mar 2011 07:18:40 GMT
{
"access_token": "xyz123456789",
"expires_in": 172800,
"refresh_token": "abc987654321",
"token_type": "bearer"
}

URL Encoded (client_credentials)

Request

POST https://api.att.com/oauth/v4/token HTTP/1.1
Host: api.att.com
Content-Type: application/x-www-form-urlencoded
Accept: application/json
User-Agent: curl/7.37.0
Content-Length: 118

client_id=ABCDEF0123456789ABCDEF0123456789&client_secret=ABCDEF0123456789&grant_type=client_credentials&scope=ADS

Response

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Date: Wed, 30 Mar 2011 07:18:40 GMT
{
"access_token": "xyz123456789",
"expires_in": 172800,
"refresh_token": "abc987654321",
"token_type": "bearer"
}

URL Encoded (refresh token)

Request

POST https://api.att.com/oauth/v4/token HTTP/1.1
Host: api.att.com
Content-Type: application/x-www-form-urlencoded
Accept: application/json
User-Agent: curl/7.37.0
Content-Length: 162

client_id=ABCDEF0123456789ABCDEF0123456789&client_secret=ABCDEF0123456789&grant_type=refresh_token&refresh_token=ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789

Response

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Date: Wed, 30 Mar 2011 07:18:40 GMT
{
"access_token": "xyz123456789",
"expires_in": 172800,
"refresh_token": "abc987654321",
"token_type": "bearer"
}

String

Header

Specifies the format of the body for the response. The acceptable values for this parameter are:

application/json

The default value is application/json.
Note: For this method, this parameter specifies how the entity should be represented in case of an error.
This parameter is for setting the format of an error message. If there is no error, then the representation matches the form of the actual content.

client_id

String

Body

Specifies a key that identifies the user's app.

Note: This parameter value is the App Key that is assigned to the app account on the AT&T Developer Program website.

client_secret

String

Body

Specifies a secret key associated with the user's app.

Note: This parameter value is the App Secret that is assigned to the app account on the AT&T Developer Program website.

code

String

Body

Specifies the OAuth authorization code that is returned by the API Gateway when a user authorizes the app account to consume APIs on the user's behalf.

Note: This parameter is required only when the grant_type parameter is set to authorization_code.

Content-Type

String

Header

Specifies the type of content.

The only acceptable value for this parameter is:

application/x-www-form-urlencoded

grant_type

String

Body

Specifies the grant type used to obtain the OAuth access token.

The acceptable values for this parameter are:

authorization_code : The code value returned by the Get User Authorization method is used.
client_credentials : The App Key and App Secret are used.
refresh_token : The refresh_token from a previous response to this method request is used.

refresh_token

String

Body

Specifies the OAuth refresh token that is returned by the API Gateway during a previous response to this method request.

This parameter value is stored and used to obtain a new OAuth access token when the initial OAuth access token expires.

Note: This parameter is required in the request only when the grant_type parameter is set to refresh_token.

scope

String

Header

Specifies the APIs associated with your app account to which the app is requesting access.

The format for this parameter value is a comma delimited list.

The acceptable values for this parameter are:

ADS : Advertising API.
MMS : MMS API.
SMS : SMS API.
SPEECH : Speech API - Speech To Text method.
STTC : Speech API - Speech To Text Custom method.
TTS : Speech API - Text To Speech method.

Note: This parameter is only required when the grant_type parameter is set to client_credentials.

Example: scope=ADS

Example: scope=SPEECH,STTC,TTS

Example: scope=MMS,SMS,SPEECH,STTC,TTS

Get User Authorization

The Get User Authorization method obtains an OAuth authorization code.

This method triggers the user consent flow, which authenticates the user and captures the user's consent given to the app.

The user is informed of the one or more API scopes that you specified in your app account.

The successful response provides an OAuth authorization code that may be exchanged for an OAuth access token with permission to access the specified APIs.

The request and response flow for this method, including the user content flow, is the following.

The app initiates the flow by directing the user's user-agent to the authorization endpoint.
The authorization server authenticates the user via the user-agent and establishes the user's identity and whether the user grants or denies the your access request.
Assuming the user grants access, the authorization server redirects the user-agent back to the app using the redirection URI provided earlier. The redirection URI includes the OAuth access token in the URI fragment.

Revoke Token

The Revoke Token method revokes an OAuth access token or OAuth refresh token.