Create OAuth Application
This document aims to provide third-party developers with a standardized OAuth 2.0 application integration process, supporting application registration, user authorization (personal/resource level), temporary ticket issuance, and API access control.
Preparation - Apply for OAuth Application Registration
Application Information Registration
Currently, applications require approval from CNB administrators before they can be published. Please submit your application details to an administrator, and we will contact you to discuss the specific plan for creating your OAuth application.
Basic Application Information
| Application Info | Required | Field Description |
|---|---|---|
| Application Name | Yes | Displayed to users during authorization and on the user authorization management page; max 50 characters. |
| Application Logo | Yes | Image size must not exceed 1MB. |
| Application Description | No | Max 350 characters. |
| Official Website | Yes | Max 128 characters. |
| Redirect URL | Yes | Redirect URI used for redirection after OAuth authorization. |
| Supported Authorization Scopes | Yes | Communicated during the application creation plan, e.g., repo-code:r, account-profile:r, etc. Must be predefined. Applications should only request necessary permission scopes, and the CNB platform will evaluate the reasonableness of the authorization scope during review. |
| Authorization Resource Scope | Yes | All permissions of the current account / All public resources of the current account / Specified resources. |
Authorization Flow
The user authorization flow within the application is as follows:
- The user initiates an authorization request within the application;
- The application sends the user to the CNB authorization page, carrying the parameters described below, to request their CNB identity;
- After the user agrees, CNB generates an authorization code;
- CNB redirects the user back to your site with the code and the state you supplied;
- The application exchanges the code for an access token at the platform's token endpoint;
- The application uses the access token to access the CNB API.
1. Request User Authorization
Operate within the third-party application to initiate an authorization request. Guide the user to the platform's authorization page, carrying the following parameters:
- `client_id`: Unique identifier of the application (assigned after listing)
- `redirect_uri`: Callback address (must match the registered information)
- `response_type`: Fixed as `code` (Authorization Code mode)
- `scope`: Requested permission scope (e.g., `repo-code:r`, `account-profile:r`, etc.)
- `target`: Specifies the authorization scope; `a/b` indicates the `a/b` resource
- `state`: Anti-CSRF token (generated by the application, returned as-is on callback)
2. Display and Confirm Authorization
Authorization Page
The user is taken to the platform's authorization page, which displays the following information:
- Basic application information (Name, Logo, Developer, Official Website)
- Details of the requested permissions, broken down by scope, for example:
  - Personal Permissions: View your nickname and avatar (`account-profile:r`)
  - Resource Permissions: Read repository code (`repo-code:r`)
- Target Resources (if resource-level permissions are requested, the specific resources are listed for the user to select/confirm)
3. User Confirms Authorization
After the user agrees, the platform generates an Authorization Code and redirects the user to the third-party app's `redirect_uri` with the following parameters:
- `code`: Temporary authorization code (valid for 5 minutes)
- `state`: The anti-CSRF token the application sent in step 1, returned as-is. Before using the code, the application must check that this value matches the one it issued for the current user session; a mismatch means the callback was not produced by that user's own authorization request and must be rejected.
4. Third-party App Exchanges for Access Credentials
The third-party app uses the code to call the platform's Token endpoint and exchange it for a temporary ticket (Access Token):
- Request parameters:
  - `grant_type`: Fixed as `authorization_code`
  - `code`: Authorization code
  - `redirect_uri`: The callback address registered for the application
  - `client_id` and `client_secret`: Unique identifier and secret of the application (assigned by the platform; the secret must be kept confidential and only ever sent from the application's server side)
- After platform verification passes, it returns:
  - `access_token`: Temporary ticket (valid for 2 hours, used for calling APIs)
  - `token_type`: Fixed as `Bearer`
  - `expires_in`: Validity period (seconds)
  - `refresh_token` (optional): Refresh token (used to extend the session, valid for 7 days)
  - `scope`: The permission scope actually granted
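The four steps above, as an added example that is not CNB's own SDK or code from this page. It uses only the Python standard library; the endpoint URLs `AUTHORIZE_URL` and `TOKEN_URL` are placeholders because the page does not give them, the space-separated multi-scope string is an assumption, and `fake_token_endpoint` is a constructed stand-in so the flow runs offline. The security-relevant parts are the random single-use `state`, its verification on callback, and the back-channel token exchange that keeps `client_secret` on the server.

```python
# Added example: standard-library OAuth 2.0 authorization-code client for the
# flow documented above.  Endpoint URLs below are assumed placeholders.
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://cnb.example/oauth/authorize"  # assumption, not from the page
TOKEN_URL = "https://cnb.example/oauth/token"          # assumption, not from the page


def query_params(url):
    """Return the query string of `url` as a dict of first values."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {k: v[0] for k, v in qs.items()}


class OAuthClient:
    def __init__(self, client_id, client_secret, redirect_uri, transport=None):
        self.client_id = client_id
        self.client_secret = client_secret  # server-side only; never ship it to a browser/mobile app
        self.redirect_uri = redirect_uri
        self.transport = transport or self._post_form  # transport(url, form) -> dict
        self._pending_states = set()  # in production: stored in the user's server-side session

    def build_authorize_url(self, scope, target=None):
        """Step 1: mint an unguessable state bound to this login attempt, build the redirect URL."""
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        params = {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "response_type": "code", "scope": scope, "state": state}
        if target:
            params["target"] = target  # e.g. "a/b" to request resource-level access
        return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params), state

    def handle_callback(self, callback_url):
        """Step 3: accept the code only if state matches one we issued, then consume the state."""
        q = query_params(callback_url)
        code, state = q.get("code"), q.get("state")
        if not code or not state:
            raise ValueError("callback missing code or state")
        if state not in self._pending_states:
            raise ValueError("state mismatch: possible CSRF or replayed callback")
        self._pending_states.discard(state)  # single use: replaying the same callback fails
        return code

    def exchange_code(self, code):
        """Step 4: back-channel POST to the token endpoint and validate the response shape."""
        form = {"grant_type": "authorization_code", "code": code,
                "redirect_uri": self.redirect_uri,
                "client_id": self.client_id, "client_secret": self.client_secret}
        resp = self.transport(TOKEN_URL, form)
        if "error" in resp:
            raise ValueError("token endpoint error: " + str(resp["error"]))
        missing = [k for k in ("access_token", "token_type", "expires_in") if k not in resp]
        if missing:
            raise ValueError("token response missing " + ", ".join(missing))
        if str(resp["token_type"]).lower() != "bearer":
            raise ValueError("unexpected token_type " + str(resp["token_type"]))
        return resp

    @staticmethod
    def bearer_headers(token):
        """Header to attach to API calls made with the 2-hour access_token."""
        return {"Authorization": "Bearer " + token["access_token"]}

    @staticmethod
    def _post_form(url, form):
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(url, data=data, method="POST", headers={
            "Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as r:
            return json.load(r)


def fake_token_endpoint(url, form):
    """Constructed stand-in for the token endpoint (sample data, not a real CNB response)."""
    if url != TOKEN_URL or form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    if form.get("code") != "SAMPLE_CODE" or form.get("client_secret") != "s3cret":
        return {"error": "invalid_grant"}
    return {"access_token": "SAMPLE_ACCESS", "token_type": "Bearer", "expires_in": 7200,
            "refresh_token": "SAMPLE_REFRESH", "scope": "repo-code:r account-profile:r"}


def demo():
    """Run the whole flow offline against the fake endpoint; returns the token response."""
    client = OAuthClient("app-123", "s3cret", "https://app.example/callback",
                         transport=fake_token_endpoint)
    url, state = client.build_authorize_url("repo-code:r account-profile:r", target="a/b")
    # The user would be sent to `url`; here we construct the callback CNB would redirect to.
    callback = "https://app.example/callback?code=SAMPLE_CODE&state=" + state
    code = client.handle_callback(callback)
    return client.exchange_code(code)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Replace `fake_token_endpoint` with the default transport once you have the real endpoint; everything else stays the same. Note that the state check is what turns the documented `state` parameter into an actual CSRF defence: without it an attacker could complete the login with their own code on a victim's session.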
Authorization Scopes
| Action Permission | Permission Type | Description |
|---|---|---|
| repo-code | Read-only / Read-write | Access code repository via Git commands |
| repo-pr | Read-only / Read-write | Access pull requests |
| repo-issue | Read-only / Read-write | Access issues |
| repo-notes | Read-only / Read-write | Access comments in commit records, issues, and pull requests |
| repo-contents | Read-only / Read-write | Access files, branches, commit records, tags, versions |
| repo-commit-status | Read-only / Read-write | Access pipeline execution status, badges, commit metadata |
| repo-cnb-trigger | Read-only / Read-write | Query, delete, trigger, execute Cloud Native Build, start Cloud Native Development |
| repo-cnb-history | Read-only | Query pipeline build history |
| repo-cnb-detail | Read-only / Read-write | Query or delete Cloud Native Development space |
| repo-basic-info | Read-only | Access basic repository information, such as repository name, description, language, license, etc. |
| repo-manage | Read-only / Read-write | Access repository members, repository settings |
| repo-delete | Read-write | Delete repository |
| repo-security | Read-only | Access repository security module data |
| registry-package | Read-only / Read-write | Access artifacts |
| registry-package-delete | Read-write | Delete artifacts |
| registry-manage | Read-only / Read-write | Access artifact registry members, artifact registry settings |
| registry-delete | Read-write | Delete artifact registry |
| account-profile | Read-only / Read-write | Access user profile |
| account-email | Read-only / Read-write | Query user verified email |
| account-engage | Read-only / Read-write | Access repositories followed by the user, followers, following, Cloud Native Development environments, etc. |
| group-resource | Read-only / Read-write | Access sub-organizations, repositories |
| group-manage | Read-only / Read-write | Access organization members, repository wall, organization settings |
| group-delete | Read-only / Read-write | Delete organization |
| mission-delete | Read-only / Read-write | Delete mission set |
| mission-manage | Read-only / Read-write | Access mission set |