Frame.io supports the creation and management of OAuth2.0 applications. Unlike Developer Tokens, OAuth2.0 apps enable any Frame.io user to grant his or her credentials via secure login, after which the app may act on that user's behalf.
In plain terms, OAuth2.0 apps are best for any integration scenario in which an individual user's context and access are important.
At a very high level, OAuth2.0 has three parties:
- The User (in our case: anyone with a Frame.io login)
- The client Application (the external OAuth2.0 app)
- The credentials Server (in our case: Frame.io)
Code flow for OAuth2.0 is a four-step process through which:
- The Application presents the User with a login screen
- The User enters his or her credentials, which go directly to the Server
- If the login is successful, the Server sends back a page asking the User to confirm that he or she would like to grant a preconfigured set of access scopes to the Application
- If the User consents, the Server sends the Application a token that can be used to act on behalf of the User with the requested scopes.
In this way, an client application can take action on the user's behalf, securely, with the user's permission, and (importantly) without ever seeing or handling the user's actual credentials.
The above sequence relies on the server (Frame.io) hosting two services, each with its own route:
|Auth||Given information about the OAuth client application, invokes the auth flow with the server.|
|Token||Given information from the auth step, retrieves a token on the user's behalf.|
The OAuth2.0 application's role in this cycle is to identify itself to the server, and make those two requests.
If you're familiar with the rest of the plumbing for OAuth2.0, the below example may be enough for you to get started. If you'd like a bit more detail, check out the more detailed guide here: Building an OAuth2.0 App
- Sign into the Frame.io Developer Portal using your Frame.io credentials, navigate to OAuth Apps using the links on the left-hand side, and click New to start setting up your app.
- On the subsequent screen, enter a Name and Redirect URI for your app, select your Scopes, and choose whether to use PKCE.
- Save, and you should now see your new app configuration.
The Proof Key for Code Exchange setting will enable your app to request tokens without providing its
client_secret. As such, you will not be provided with a
client_secret, and should not include an
Authorization header when
POSTing for a token in your app's callback cycle. That said, you will need to include your
client_id in your callback, or else your request will be denied.
Our advice is to use the normal code flow (without PKCE) whenever possible.
Now that you have an app configuration in Frame.io, you can go about setting up your callback server to handle the two key routes to complete the callback cycle, per the table above.
For more detailed information on how to build out your application, please refer to Building an OAuth2.0 App