Authentication
OAuth 2.0 authorization methods in VARIO Cloud
In addition to its App frameworks, VARIO-Cloud exposes an HTTP API that is protected using OAuth 2.0. You can choose between three authorization methods:
Password grant
Authorization Code grant
Device Code grant
All methods use the client credentials (clientId, clientSecret) that you obtain when creating an App in the Developer section.
The exact URLs for the authorization and token endpoints depend on your tenant configuration.
They can be found in the API-Clients section of the Admin Interface.
In the examples below, replace https://sso.vario.cloud/realms/<TENANT>/protocol/openid-connect/ with your actual base URL.
Password grant
The Password grant allows your App to exchange a user's username and password directly for an access token.
When to use
For trusted, server-side applications that can securely store user credentials and client secrets.
For system integrations where a technical user is used for automation.
Security warning: Do not use the Password grant in public clients (single-page apps, mobile apps without secure storage, etc.), because it requires handling the user's raw password.
Requirements
To use the Password grant, you need:
a user account in the VARIO-Cloud tenant
the user's password
the App's Client ID (clientId)
the App's Client Secret (clientSecret)
the user must be explicitly allowed to use the Password grant in their user settings
Enabling the Password grant for a user
The Password grant is disabled by default for all users and must be enabled per user and per installation.
Sign in to your VARIO-Cloud tenant as an administrator.
Open the "Benutzer" (Users) menu.
Select the user who should be allowed to authenticate via Password grant.
Select the relevant installation (tenant / environment) for that user.
Activate the checkbox "OAuth-Password-Grant-Type erlauben" (Allow OAuth Password Grant Type).
Save your changes.
Only users with this option enabled can obtain tokens via the Password grant.
Requesting a token with the Password grant
Once the user is enabled, you can request an access token with a standard OAuth 2.0 Password grant request:
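The request itself, as an added example that is not part of the original page: a small Python client (standard library only) that POSTs the Password grant parameters to the token endpoint, decodes either the token reply or the standard OAuth error reply, and afterwards uses the refresh_token instead of the password. The /token path appended to the base URL, the placeholder client values and the offline fake_token_endpoint stand-in are assumptions made for this example; take the real endpoint URL from the API-Clients section.

```python
import json
from urllib.error import HTTPError
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen

# Placeholder: replace with the base URL shown in the API-Clients section of
# the Admin Interface. The "/token" path appended below is an assumption.
BASE_URL = "https://sso.vario.cloud/realms/<TENANT>/protocol/openid-connect"


def post_form(url, fields, http=urlopen):
    """POST url-encoded fields and decode the JSON reply.

    `http` is injectable so the flow can be exercised offline. Error replies
    (HTTP 400/401) still carry a JSON body with `error` and
    `error_description` (RFC 6749 section 5.2), so they are decoded as well.
    """
    req = Request(url, data=urlencode(fields).encode("utf-8"), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded",
                           "Accept": "application/json"})
    try:
        with http(req) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        return json.loads(err.read().decode("utf-8"))


def _require_token(reply):
    """Turn an OAuth error reply into an exception; return the token reply."""
    if "access_token" not in reply:
        raise RuntimeError("token request failed: %s: %s" % (
            reply.get("error"), reply.get("error_description")))
    return reply


def request_password_grant_token(client_id, client_secret, username, password,
                                 base_url=BASE_URL, http=urlopen):
    """Exchange the user's credentials for tokens (RFC 6749 section 4.3).

    Works only for users with the Password grant enabled in their settings,
    and only from a confidential client that keeps client_secret and the
    user's password out of reach of end users.
    """
    return _require_token(post_form(base_url.rstrip("/") + "/token", {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }, http=http))


def refresh_access_token(client_id, client_secret, refresh_token,
                         base_url=BASE_URL, http=urlopen):
    """Obtain a new access_token from the refresh_token of an earlier reply,
    so the user's password is handled once and not kept around (RFC 6749 section 6)."""
    return _require_token(post_form(base_url.rstrip("/") + "/token", {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }, http=http))


def bearer_header(token_reply):
    """Header to send on API calls with the access token."""
    return {"Authorization": "Bearer " + token_reply["access_token"]}


# --- constructed stand-in for the real token endpoint (offline demo only) ---
class _FakeResponse:
    def __init__(self, payload):
        self._body = json.dumps(payload).encode("utf-8")

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_token_endpoint(req):
    """Accepts one fixed demo user / demo refresh token, otherwise answers
    with the standard OAuth error reply a real endpoint would send."""
    fields = dict(parse_qsl(req.data.decode("utf-8")))
    fake_token_endpoint.last_fields = fields  # recorded so callers can inspect the request
    ok_password = (fields.get("grant_type") == "password"
                   and fields.get("username") == "alice"
                   and fields.get("password") == "demo-pass")
    ok_refresh = (fields.get("grant_type") == "refresh_token"
                  and fields.get("refresh_token") == "rt-demo")
    if fields.get("client_secret") == "app-secret" and (ok_password or ok_refresh):
        return _FakeResponse({"access_token": "at-demo", "refresh_token": "rt-demo",
                              "token_type": "Bearer", "expires_in": 300})
    return _FakeResponse({"error": "invalid_grant",
                          "error_description": "Invalid user credentials"})


if __name__ == "__main__":
    tokens = request_password_grant_token("app-id", "app-secret", "alice", "demo-pass",
                                          http=fake_token_endpoint)
    print(bearer_header(tokens))
```

Against the real tenant, drop the http= argument so urlopen is used; the form fields and the Content-Type header are the standard ones the token endpoint expects. Keeping the refresh_token and re-using it with refresh_access_token means the password is sent exactly once per session.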
The response contains an access_token (and usually a refresh_token), which you then use for API calls.
Authorization Code grant
The Authorization Code grant is the standard flow for web applications and other clients that can handle browser redirects. The user signs in via the VARIO-Cloud login page, and your App never sees the user's password.
When to use
For browser-based or server-side web apps with a backend that can receive HTTP callbacks.
When you want the user to explicitly approve the App's access the first time it connects.
Requirements
To use the Authorization Code grant, you need:
a user account in the tenant (the end-user who will authorize the App)
the App's Client ID and Client Secret
a running OAuth callback server, i.e. a backend endpoint that:
is reachable from the internet, and
can receive the redirect_uri callback
the callback URL must be registered for the App (according to your tenant configuration)
Important: Unlike the Password grant, you do not send the user's username/password to the token endpoint. The user authenticates directly against VARIO-Cloud in their browser and must confirm the access for your App on first connection in order to receive a valid token.
Typical flow
Redirect the user to the VARIO-Cloud authorization endpoint:
The user logs in (if not already authenticated) and is asked to grant access to your App.
VARIO-Cloud redirects the user back to your redirect_uri with a code and a state parameter.
Your backend exchanges the authorization code for tokens:
The response contains an access_token (and usually a refresh_token), which you then use for API calls.
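The three steps of the flow above, as an added example that is not the page's own code: the backend builds the authorization URL with a fresh state value, and on the callback it checks that state against the one stored for the session before exchanging the code at the token endpoint. The /auth and /token paths, the openid scope, the callback URL https://app.example/callback and the offline fake_token_endpoint stand-in are assumptions made for this example; the real endpoint URLs come from the API-Clients section and the callback URL must be the one registered for the App.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import Request, urlopen

# Placeholder base URL; the "/auth" and "/token" paths are assumptions. Take
# the real authorization and token endpoint URLs from the API-Clients section.
BASE_URL = "https://sso.vario.cloud/realms/<TENANT>/protocol/openid-connect"


def new_state():
    """Unguessable per-login value; store it in the user's server-side session
    before redirecting, so the callback can be tied back to this login."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, state, scope="openid",
                            base_url=BASE_URL):
    """Step 1: the URL the browser is redirected to (RFC 6749 section 4.1.1).
    No client_secret here: this URL is visible to the user."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": scope,
    })
    return base_url.rstrip("/") + "/auth?" + query


def post_form(url, fields, http=urlopen):
    """POST url-encoded fields to the token endpoint and decode the JSON reply.
    A 4xx reply raises urllib.error.HTTPError whose body carries the OAuth error."""
    req = Request(url, data=urlencode(fields).encode("utf-8"), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with http(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def handle_callback(callback_url, expected_state, client_id, client_secret,
                    redirect_uri, base_url=BASE_URL, http=urlopen):
    """Step 3: validate the callback and exchange the code for tokens.

    The state comparison binds the callback to the session that started the
    login; without it a code issued for a different login could be planted
    into this user's session (login CSRF on the redirect endpoint).
    """
    params = dict(parse_qsl(urlsplit(callback_url).query))
    if "error" in params:
        raise RuntimeError("authorization denied: %s"
                           % params.get("error_description", params["error"]))
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        raise RuntimeError("state mismatch: callback does not belong to this session")
    if "code" not in params:
        raise RuntimeError("callback carries no authorization code")
    reply = post_form(base_url.rstrip("/") + "/token", {
        "grant_type": "authorization_code",
        "code": params["code"],
        "redirect_uri": redirect_uri,  # must equal the value used in step 1
        "client_id": client_id,
        "client_secret": client_secret,
    }, http=http)
    if "access_token" not in reply:
        raise RuntimeError("code exchange failed: %s" % reply.get("error"))
    return reply


# --- constructed stand-in for the real token endpoint (offline demo only) ---
class _FakeResponse:
    def __init__(self, payload):
        self._body = json.dumps(payload).encode("utf-8")

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_token_endpoint(req):
    """Accepts the single-use demo code for the registered callback URL."""
    fields = dict(parse_qsl(req.data.decode("utf-8")))
    fake_token_endpoint.last_fields = fields
    if (fields.get("grant_type") == "authorization_code"
            and fields.get("code") == "demo-code"
            and fields.get("redirect_uri") == "https://app.example/callback"
            and fields.get("client_secret") == "app-secret"):
        return _FakeResponse({"access_token": "at-demo", "refresh_token": "rt-demo",
                              "token_type": "Bearer", "expires_in": 300})
    return _FakeResponse({"error": "invalid_grant"})


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url("app-id", "https://app.example/callback", state))
    # A constructed callback, as the browser would deliver it after the user approves:
    tokens = handle_callback("https://app.example/callback?code=demo-code&state=" + state,
                             state, "app-id", "app-secret",
                             "https://app.example/callback", http=fake_token_endpoint)
    print(tokens["access_token"])
```

The state value lives only in the backend session between steps 1 and 3; the code is exchanged server-side together with the client secret, so neither the secret nor the tokens pass through the browser.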