CRM-2 Security Model

From Opentaps Wiki
Revision as of 22:57, 19 November 2014 by Sichen (talk | contribs) (Protected "CRM-2 Security Model": Sysop page [edit=sysop:move=sysop])
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

How opentaps CRM2 Security Works

A Contact may have many User logins, but the Contact (not each of its Users) has security settings for to each domain. This is an important difference from opentaps 1.x/ofbiz: security is associated with the Contact (Party), not the User. This means you get the same permissions to the system if you're logged in with your Google, Twitter, or Facebook account.

Security is accessed via authorization tokens. Each user ID is associated with a permanent authorization token, which is a random alphanumeric string that identifies the user to the system. This authorization token should be kept secret -- it is the same as having the password for that user.

We recommend that you obtain a temporary auth token programatically, instead of using the authorization token or asking each user to login.

You can POST a request to with your permanent auth token to obtain a temporary authorization token for the same user as the auth token (ie, your admin user). The temporary token is by default set to expire in 60 minutes. Store it locally in your session to access the crm2 server.

To make sure your temporary token is valid before a call, use /oauth/validate and pass your temporary token.

A good practice is to:

  1. see if you have a temporary token in your session
  2. if so, use /oauth/validate to see if it is still valid
  3. if there is no temporary token or it is no longer valid, call /oauth/temp-token to get a new one

See for examples of how the authorization token is used.