OAuth2 integration model with Digibee

Learn how to implement an OAuth2-based integration model to securely and efficiently authenticate and authorize connections.

This document presents an implementation model for the OAuth2 flow used for authentication and authorization in integrations carried out on the Digibee Integration Platform. The goal is to ensure secure access to protected APIs using access tokens and refresh tokens when applicable.

You will learn the standard implementation pattern of the OAuth2 authentication flow on Digibee, including:

Credential generation steps
Token retrieval
Token refresh
Credential removal

Important notes:

The pipeline must be configured with at least two simultaneous executions (Digibee Execution Config) to ensure the mechanism works correctly, since it performs a self-call to generate the token.
The OAuth2 flow follows the client_credentials authorization grant, suitable for system-to-system integrations without human interaction.
Token refresh is performed automatically before expiration, ensuring a valid token is always available for use.

Architecture

Overview

Diagram:

Pipeline:

Description

The pipelines implement a complete OAuth2 authentication flow, enabling:
- Credential creation
- Access token retrieval
- Token refresh
- Credential removal
The responsible pipeline can be triggered for the initial token generation, token refresh, or credential management, depending on the input parameters.
This mechanism can be reused by other business pipelines via event calls, APIs, or encapsulation in capsules.

Detailed flow

Credential generation
- Creates a clientId and clientSecret pair for future authentications.
Token retrieval
- Generates the access token (access_token) and the refresh_token.
Token refresh
- Renews the access token using the refresh_token before it expires.
Credential removal
- Deletes the credentials (clientId) from the authentication system.

Payloads

1. Credential generation

Request:

{
    "partnerId": "TestSystem",
    "executionType": "create",
    "apikey": "..."
}

Response:

{
    "clientId": "clientId",
    "clientSecret": "clientSecret"
}

2. Token retrieval

Request:

{
    "password": "clientSecret",
    "grant_type": "client_credentials",
    "username": "clientId"
}

Response:

{
    "token_type": "Bearer",
    "expires_in": 3600000,
    "ext_expires_in": 3600000,
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9..."
}

3. Token refresh

Request:

{
    "grant_type": "refresh_token",
    "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9..."
}

Response:

{
    "token_type": "Bearer",
    "expires_in": 3600000,
    "ext_expires_in": 3600000,
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9..."
}

4. Credential removal

Request:

{
    "clientId": "clientId",
    "executionType": "delete",
    "apikey": "..."
}

Response:

{
    "code": 200,
    "message": "Success when deleting client credentials for the clientId: clientId"
}

PreviousNotification model in event-driven integrations NextBest practices for error handling in pipelines

Last updated 2 months ago

Was this helpful?