Create OAuth Application
About 1438 wordsAbout 5 min
This document introduces the standard OAuth 2.0 application integration process, covering application registration, user authorization (personal/resource level), temporary ticket issuance, and API access control.
Preparation - Apply for OAuth Application Registration
App Information Registration
Currently, applications require approval from CNB administrators before they can be published. Please submit your application details to an administrator, and we will contact you to discuss the specific OAuth application creation plan.
Basic Application Information
| Application Info | Required | Field Description |
|---|---|---|
| Application Name | Yes | Displayed to users during authorization and on the user authorization management page; max 50 characters. |
| Application Logo | Yes | Image size must not exceed 1MB. |
| Application Description | No | Max 350 characters. |
| Official Website | Yes | Max 128 characters. |
| Redirect URL | Yes | Redirect URI, used for redirection after OAuth authorization. |
| Supported Authorization Scopes | Yes | Communicated during the application creation plan, e.g., repo-code:r, account-profile:r, etc. Must be predefined. Applications should only request necessary permission scopes, and the CNB platform will evaluate the reasonableness of the authorization scope during review. |
| Authorization Resource Scope | Yes | All permissions of the current account / All public resources of the current account / Specified resources. |
Authorization Process
The authorization process for users within the application is as follows:
- The user initiates a CNB authorization request within the application;
- Redirect the user to CNB's authorization page, carrying the corresponding parameters to request their CNB identity;
- After the user agrees, CNB will launch the application or redirect to the third-party website, carrying the authorization temporary ticket
codeparameter; - Exchange for an
access_tokenvia API using thecodeparameter plus ClientID and ClientSecret; - Invoke interfaces using the
access_tokento obtain basic user data resources or help users perform basic operations.
1. Initiate Authorization Request
Third-party websites/apps can initiate authorized login by opening the following link in a browser:
https://cnb.cool/oauth2/auth?client_id=CLIENTID&redirect_uri=REDIRECT_URI&response_type=code&state=STATEIf prompted "The link cannot be accessed", please check if parameters are filled incorrectly, such as the domain of redirect_uri not matching the authorization domain filled during review.
The following are the parameters required for the above steps:
response_type: Indicates the authorization type, required, fixed value iscode.client_id: Indicates the client ID, required.redirect_uri: Indicates the redirect URI, optional.state: Indicates the current state of the client, can be any value; the authentication server will return this value unchanged.
GET /oauth2/auth?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: cnb.coolThe server responds to the client with a URI containing the following parameters:
code: Indicates the authorization code, required. Usually valid for 10 minutes. The client can only use this code once; otherwise, it will be rejected by the authorization server. This code has a one-to-one correspondence with theClient_IDandRedirect URI.state: If the client request included this parameter, the authentication server response must include the same parameter.
After the user grants authorization, they will be redirected to the redirect_uri URL with the code and state parameters. Example:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz2. Get access_token via code
The HTTP request from the client to the authentication server to apply for a token contains the following parameters:
grant_type: Indicates the authorization mode, required, fixed value isauthorization_code.code: The authorization code obtained in the previous step, required.redirect_uri: Redirect URI, optional, must match the value in the first step's code request.
client_id/client_secret can also be sent to the server in the Authorization field of the request header in the form of Base64 encoding via HTTP Basic Authentication.
POST /oauth2/token HTTP/1.1
Host: cnb.cool
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2FcbThe HTTP response sent by the authentication server includes the following parameters:
access_token: Indicates the access token, 8-hour validity, required.token_type: Indicates the token type, case-insensitive, required, can bebearerormac.expires_in: Indicates expiration time in seconds. If omitted, the expiration must be set via other means.refresh_token: Indicates the update token, used to get the next access token, optional.scope: Indicates permission scope; if consistent with the client's requested scope, this can be omitted.
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}3. Update Token via refresh_token
The access_token is the credential for calling authorization-related APIs, with a short validity period (8 hours). When the access_token expires, use the refresh_token to refresh it. A new token and refresh token are returned after each refresh. Old tokens remain usable during a grace period (5 minutes). Please keep the relevant tokens secure.
The refresh_token has a longer validity period (180 days). When the refresh_token expires, the user must re-authorize.
The client issues an HTTP request to update the token, containing the following parameters:
grant_type: Indicates the authorization mode, fixed value isrefresh_token, required.refresh_token: The refresh token received earlier, required.
POST /oauth2/token HTTP/1.1
Host: cnb.cool
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIAThe return example is the same as access_token.
4. Revoke Token
When a user logs out or an application needs to proactively invalidate a token, call the revoke endpoint to revoke an access_token or refresh_token. Once revoked, the token is immediately invalidated and can no longer be used for API calls.
The client issues an HTTP request to revoke a token, containing the following parameters:
token: The token to be revoked (access_tokenorrefresh_token), required.client_id: The client ID, optional; can also be passed via HTTP Basic Authentication.client_secret: The client secret, optional; can also be passed via HTTP Basic Authentication.
client_id/client_secret can also be sent to the server in the Authorization field of the request header in the form of Base64 encoding via HTTP Basic Authentication.
POST /oauth2/revoke HTTP/1.1
Host: cnb.cool
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
token=2YotnFZFEjr1zCsicMWpAAThe HTTP response sent by the authentication server:
- On successful revocation, returns HTTP
200. - If the provided token is invalid or already expired, the server also returns HTTP
200(compliant with RFC 7009). - If
client_id/client_secretauthentication fails, the server returns HTTP401with error details in the response body.
HTTP/1.1 200 OKExample response on authentication failure:
HTTP/1.1 401 Unauthorized
Content-Type: application/json
{
"error": "invalid_client",
"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."
}Authorization Scopes
| Action Permission | Permission Type | Description |
|---|---|---|
| repo-code | Read-only / Read-write | Access code repository via Git commands |
| repo-pr | Read-only / Read-write | Access pull requests |
| repo-issue | Read-only / Read-write | Access ISSUEs |
| repo-notes | Read-only / Read-write | Access comments in ISSUEs, and pull requests |
| repo-contents | Read-only / Read-write | Access files, branches, commit records, tags, versions |
| repo-commit-status | Read-only / Read-write | Access pipeline execution status, badges, commit metadata |
| repo-cnb-trigger | Read-only / Read-write | Query, delete, trigger, execute Cloud Native Build, start Cloud Native Development |
| repo-cnb-history | Read-only | Query pipeline build history |
| repo-cnb-detail | Read-only / Read-write | Query or delete Cloud Native Development space |
| repo-basic-info | Read-only | Access basic repository information, such as repository name, description, language, license, etc. |
| repo-manage | Read-only / Read-write | Access repository members, repository settings |
| repo-delete | Read-write | Delete repository |
| repo-security | Read-only | Access repository security module data |
| registry-package | Read-only / Read-write | Access artifacts |
| registry-package-delete | Read-write | Delete artifacts |
| registry-manage | Read-only / Read-write | Access artifact registry members, artifact registry settings |
| registry-delete | Read-write | Delete artifact registry |
| account-profile | Read-only / Read-write | Access user profile |
| account-email | Read-only / Read-write | Query user verified email |
| account-engage | Read-only / Read-write | Access repositories followed by the user, followers, following, Cloud Native Development environments, etc. |
| group-resource | Read-only / Read-write | Access sub-organizations, repositories |
| group-manage | Read-only / Read-write | Access organization members, repository wall, organization settings |
| group-delete | Read-only / Read-write | Delete organization |
| mission-delete | Read-only / Read-write | Delete mission set |
| mission-manage | Read-only / Read-write | Access mission set |