Open-source documentation for users of Advantech's WebAccess/DMP software

Public Cloud Deployment:
UI: wadmp.com
API: api.wadmp.com

WADMP Status Page: status.wadmp.com

YouTube Channel: WebAccess DMP
Help: Contact Us!



↑ Top
Hosted on GitHub Pages — Theme by orderedlist

Understanding OAuth


You are probably already familiar with the concept. When you visit a particular website or use a particular mobile app, instead of asking you to create a new account, it prompts you to login using an existing account on some other service, such as Google, Facebook, or Twitter.

alt text

There are several advantages:

WebAccess/DMP uses the same concept.

Remember that the User Interface or web app that you see at wadmp.com is only one example of a client application that consumes the WebAccess/DMP API.

WebAccess/DMP (the platform) acts as the “identity provider” for users. Any client application that consumes the WebAccess/DMP API should redirect to our built-in Sign-In page. You can see this when you connect to wadmp.com for the first time (or try it in an Incognito window). The browser is redirected to gateway.wadmp.com/public/auth/public/auth/login:

alt text

Another good example is Grafana. Our main UI utilises Grafana to display dashboards for device monitoring data. These dashboards are embedded in the wadmp.com web pages, but you can also access Grafana directly, at grafana.wadmp.com. Note that you do not have to create an account with Grafana: just click “Sign in with OAuth”:

alt text

You are automatically redirected to the WebAccess/DMP sign-in page, as above.

API Clients Endpoints

The public REST API provides the following endpoints which allow you to manage your OAuth clients:

alt text

The API Client is an abstraction for the type of authentication procedure that will be started after calling authorization endpoint. It governs whether you need to provide username and password directly in the payload, or if you will be redirected to a Log-in screen.

Some OAuth clients are provided by default in every WebAccess/DMP instance:


API authorization will only succeed for those users who have the appropriate permission.

More details

OAuth is an authorisation framework. OAuth 2.0 is defined in RFC 6749 and Bearer Token Usage is in RFC 6750.

Protocol Flow

     +--------+                               +---------------+
     |        |--(A)- Authorisation Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorisation Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorisation Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

We also use OpenID Connect, which is an authentication layer built on top of OAuth 2.0.

WebAccess/DMP uses IdentityServer4, which is an open-source, certified OpenID Provider for C# and ASP.NET Core.

alt text

Grant type

The model for the payload for the POST /api-clients endpoint looks like this:

alt text

grant_type is usually one of the following: