There are different participants in the OAuth2 protocol:
In the current iSHOP implementations, the ResourceServer and the AuthorizationServer are identical.
iSHOP currently provides 2 different grant types. The grant type is the method how the authentication process is performed.
In this case the ResourceOwner authorizes an application (Client) to access its data stored on the ResourceServer. To authorize the Client, the ResourceOwner enters its password. The password is sent to the AuthorizationServer. Now the AuthorizationServer issues an access token. The access token can then be used to access the resources (data) on the ResourceServer.
This is a different use case since no user (ResourceOwner) is involved. There are only Client, ResourceServer, AuthorizationServer.Because the user (ResourceOwner) is missing in this situation, the Client has to authenticate differently. Therefore the Client sends a client secret. The client secret is a just a string. When the Client sends its id and the client secret, the AuthorizationServer sends an access token in exchange. The access token can be used to access the ResourceServer.
Client Credentials should not be used in publicly accessible apps (e.g. an iPhone App) because the app can be decompiled and the client secret can be stolen!
A good tool for using the API is the free tool Postman. Before interacting with the API you need an OAuth2 token.
Open your local DB and run query:
SELECT client_id, client_secret FROM ishop.oauth_client_details WHERE client_id = 'api-client';
Use this information and backoffice user credentials to request an OAuth2 token with Postman.
You need to leave the scope empty in case of the REST Shop API, for the Management GraphQL API use
Send your Query in the request body:
The response body contains the answer from the core.
It is possible to add the core schema to postman to use autocomplete on requests.
So far it seems postman does not fetch the schema by itself, and you're required to
generate an 'effective' schema from all the
*.graphql files in the core.
(so far untested)
GraphiQL is an React based web application for querying GraphQL APIs.