Create OAuth Application
This document aims to provide third-party developers with a standardized OAuth 2.0 application integration process, supporting application registration, user authorization (personal/resource level), temporary ticket issuance, and API access control.
Preparation - Apply for OAuth Application Registration
Application Information Registration
Currently, applications need to be reviewed and listed by CNB administrators. Please submit the application information and your contact details to cnb_support@tencent.com. We will communicate with you about the detailed OAuth application creation plan.
Basic Application Information
| Application Info | Required | Field Description |
|---|---|---|
| Application Name | Yes | Displayed to users during authorization and on the user authorization management page; max 50 characters. |
| Application Logo | Yes | Image size must not exceed 1MB. |
| Application Description | No | Max 350 characters. |
| Official Website | Yes | Max 128 characters. |
| Redirect URL | Yes | Redirect URI used for redirection after OAuth authorization. |
| Supported Authorization Scopes | Yes | Communicated during the application creation plan, e.g., repo-code:r, account-profile:r, etc. Must be predefined. Applications should only request necessary permission scopes, and the CNB platform will evaluate the reasonableness of the authorization scope during review. |
| Authorization Resource Scope | Yes | All permissions of the current account / All public resources of the current account / Specified resources. |
Authorization Flow
The user authorization flow within the application is as follows:
- The user initiates an authorization request within the application;
- Guide the user to the CNB authorization page, carrying corresponding parameters to request their CNB identity;
- After the user agrees, CNB generates an authorization code;
- CNB redirects the user back to your registered redirect_uri, carrying the authorization code and the state you supplied;
- The application exchanges the authorization code for an access token at the platform's Token endpoint (server to server);
- The application uses the access token to access the CNB API.
1. Request User Authorization
Operate within the third-party application to initiate an authorization request. Guide the user to the platform's authorization page, carrying the following parameters:
- client_id: Unique identifier of the application (assigned after listing)
- redirect_uri: Callback address (must match the registered information exactly)
- response_type: Fixed as code (Authorization Code mode)
- scope: Requested permission scope (e.g., repo-code:r, account-profile:r, etc.)
- target: Target resource scope; a/b indicates that the a/b resources are being requested
- state: Anti-CSRF token (generated by the application, unguessable and tied to the user's session; returned as-is during callback and checked before the code is used)
2. Display and Confirm Authorization
Authorization Page
The user is taken to the platform's authorization page, which displays the following information:
- Basic application information (Name, Logo, Developer, Official Website)
- Details of requested permissions, broken down by scope, for example:
  - Personal Permissions: View your nickname, avatar (account-profile:r)
  - Resource Permissions: Read repository code (repo-code:r)
- Target Resources (if resource-level permissions are requested, the specific resources are listed for the user to select/confirm)
3. User Confirms Authorization
After the user agrees, the platform generates an Authorization Code and calls back to the third-party App via redirect_uri, with attached parameters:
- code: Temporary authorization code (valid for 5 minutes)
- state: The anti-CSRF token the application submitted in the authorization request, returned as-is; the application must verify it matches the value stored for this session before using the code
4. Third-party App Exchanges for Access Credentials
The third-party App uses the code to initiate a request to the platform's Token endpoint to exchange for a temporary ticket (Access Token):
- Request Parameters:
  - grant_type: Fixed as authorization_code
  - code: The authorization code received in the callback
  - redirect_uri: The callback address, identical to the one used in the authorization request
  - client_id & client_secret: Unique identifier and secret of the application (assigned by the platform; the client_secret must be kept confidential and sent only from the application's server, never from the browser)
- After platform verification passes, it returns:
  - access_token: Temporary ticket (valid for 2 hours, used for calling APIs)
  - token_type: Fixed as Bearer
  - expires_in: Validity period (seconds)
  - refresh_token (optional): Refresh token (used to extend the session, valid for 7 days)
  - scope: The actual granted permission scope (may be narrower than what was requested; check it before assuming an API call will be permitted)
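The four steps above as one server-side flow, written as an added example that is not CNB's own SDK or sample code. The page does not give the authorization-page or Token-endpoint URLs, so `AUTHORIZE_URL` and `TOKEN_URL` are placeholders; the space separator for multiple scopes follows the RFC 6749 convention and is likewise an assumption to confirm with CNB. The Token-endpoint POST is injectable so the whole exchange can be exercised offline against a constructed response.

```python
import json
import secrets
import time
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# ASSUMPTION: the page gives no endpoint URLs. These are placeholders; substitute
# the authorization-page and Token-endpoint URLs CNB provides when your app is listed.
AUTHORIZE_URL = "https://cnb.example/oauth/authorize"
TOKEN_URL = "https://cnb.example/oauth/token"
# ASSUMPTION: multiple scopes are joined with a space (RFC 6749 convention).
SCOPE_SEP = " "


def new_state() -> str:
    """Unguessable anti-CSRF token. Store it in the user's server-side session
    before redirecting, so the callback can be matched to that session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scopes, state, target=None):
    """Step 1: the URL to send the user to. redirect_uri must equal the registered one."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": SCOPE_SEP.join(scopes),
        "state": state,
    }
    if target:  # e.g. "a/b" to request access to the a/b resources only
        params["target"] = target
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(callback_url, expected_state):
    """Step 3: the browser arrives at redirect_uri with code and state.
    Reject the callback unless state matches what this session issued."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF, discarding callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def exchange_code(code, client_id, client_secret, redirect_uri, post=None):
    """Step 4: server-to-server POST of the code to the Token endpoint.
    `post(url, body) -> bytes` is injectable so the flow can run offline; by
    default it uses urllib. client_secret never leaves the server."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    if post is None:
        def post(url, data):
            req = urllib.request.Request(url, data=data, method="POST", headers={
                "Content-Type": "application/x-www-form-urlencoded",
                "Accept": "application/json",
            })
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read()
    token = json.loads(post(TOKEN_URL, body))
    for key in ("access_token", "token_type", "expires_in"):
        if key not in token:
            raise ValueError(f"token response missing {key}")
    if str(token["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type {token['token_type']!r}")
    # Track expiry locally (2 hours per the page) instead of relying on later 401s.
    token["expires_at"] = time.time() + int(token["expires_in"])
    # Granted scope may be narrower than requested; keep it for per-call checks.
    token["granted_scopes"] = set(str(token.get("scope", "")).split(SCOPE_SEP)) - {""}
    return token


def auth_header(token, now=None):
    """Bearer header for CNB API calls; refuse a token that is about to expire."""
    now = time.time() if now is None else now
    if now >= token["expires_at"] - 60:
        raise RuntimeError("access token expired; refresh (if refresh_token was issued) or re-authorize")
    return {"Authorization": f"Bearer {token['access_token']}"}


if __name__ == "__main__":
    # Constructed walk-through against a fake Token endpoint; no network is used.
    state = new_state()
    print(build_authorize_url("app-id", "https://app.example/cb",
                              ["repo-code:r", "account-profile:r"], state, target="a/b"))
    code = handle_callback(f"https://app.example/cb?code=tmp-code&state={state}", state)
    fake_post = lambda url, body: json.dumps({
        "access_token": "at-demo", "token_type": "Bearer", "expires_in": 7200,
        "refresh_token": "rt-demo", "scope": "repo-code:r account-profile:r"}).encode()
    tok = exchange_code(code, "app-id", "app-secret", "https://app.example/cb", post=fake_post)
    print(auth_header(tok), sorted(tok["granted_scopes"]))
```

The state check uses a constant-time comparison and fails closed on a missing or mismatched value, so a forged callback (an attacker's code bound to the attacker's CNB account) is dropped before any token exchange. Keep the `state` in the server-side session, not in a cookie the attacker could set, and treat `client_secret` like any other production credential.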
Authorization Scopes
| Action Permission | Permission Type | Description |
|---|---|---|
| repo-code | Read-only / Read-write | Access code repository via Git commands |
| repo-pr | Read-only / Read-write | Access pull requests |
| repo-issue | Read-only / Read-write | Access ISSUEs |
| repo-notes | Read-only / Read-write | Access comments in commit records, ISSUEs, and pull requests |
| repo-contents | Read-only / Read-write | Access files, branches, commit records, tags, versions |
| repo-commit-status | Read-only / Read-write | Access pipeline execution status, badges, commit metadata |
| repo-cnb-trigger | Read-only / Read-write | Query, delete, trigger, execute Cloud Native Build, start Cloud Native Development |
| repo-cnb-history | Read-only | Query pipeline build history |
| repo-cnb-detail | Read-only / Read-write | Query or delete Cloud Native Development space |
| repo-basic-info | Read-only | Access basic repository information, such as repository name, description, language, license, etc. |
| repo-manage | Read-only / Read-write | Access repository members, repository settings |
| repo-delete | Read-write | Delete repository |
| repo-security | Read-only | Access repository security module data |
| registry-package | Read-only / Read-write | Access artifacts |
| registry-package-delete | Read-write | Delete artifacts |
| registry-manage | Read-only / Read-write | Access artifact registry members, artifact registry settings |
| registry-delete | Read-write | Delete artifact registry |
| account-profile | Read-only / Read-write | Access user profile |
| account-email | Read-only / Read-write | Query user verified email |
| account-engage | Read-only / Read-write | Access repositories followed by the user, followers, following, Cloud Native Development environments, etc. |
| group-resource | Read-only / Read-write | Access sub-organizations, repositories |
| group-manage | Read-only / Read-write | Access organization members, repository wall, organization settings |
| group-delete | Read-only / Read-write | Delete organization |
| mission-delete | Read-only / Read-write | Delete mission set |
| mission-manage | Read-only / Read-write | Access mission set |