Versions Compared

Old Version 3

changes.mady.by.user MailUp Dev Team

Saved on

compared with

New Version 4

changes.mady.by.user Stefano Mantegazza

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This is the necessary required flow to be implemented by any client application who wants to use using the MailUp API. By using When following this flow, the client application exchange its own exchanges credentials with the MailUp authorization server, requesting for user authorization to access his MailUp datathe data in the MailUp account. If the user confirms grants the authorization, the client will receive the tokens necessary to impersonate the user and access its the MailUp resources.
This Not only does this kind of flow , not only lets let the client application impersonate the user, but grants it also gives the user the peace of mind that his private credentials are only handled by MailUp, nor . No username or password could can be intercepted and stored by the client.



Figura 1: OAuth v2: 3 legged - Code grant flow example


In the picture above are presented you can view the generic operations involved in the authorization process.
Looking at the picture we can easily subdivide those operations in , which can be dividedĀ into three main steps:

  1. Client application registration:this step must be done by the developer on MailUp Dev portal* and it is necessary to receive the application credential (client_id and client_secret). Without those credential the application will never be recognized by the authorization server and no access will ever be granted to it. The client credentials must be saved inside the application code or in a convenient manner so nor the user nor any other could change them. Is a developer responsibility to keep them secret and not to exchange them with anyone.
  2. Authorization:In this step the client application request for user authorization by sending its private credentials to authorization server. The authorization server will authenticate the client application and redirect the user to a private page. After a successful login, the user will be asked to confirm authorization to the application. If confirm is given, the server will provide the client application with an authorization code.This authorization code has limited validity in time, must not be saved and must be immediately used to request authorization server for an access code.
  3. Impersonation:In this step the client application will request for an access token by sending to the authorization server its client credentials and the authorization code. If provided data isĀ valid, the server will return the access credential (access_token, refresh_token and expiration timespan) to be used for resource requests.The access credential should be saved for further use.

...