|
| 1 | +# Machine-to-Machine (M2M) Token Guide for Topcoder Review API |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +The Topcoder Review API supports machine-to-machine (M2M) authentication using Auth0 for service-to-service integrations. |
| 6 | +This guide explains how to use M2M tokens with the API. |
| 7 | + |
| 8 | +## What are M2M Tokens? |
| 9 | + |
| 10 | +Machine-to-Machine tokens are designed for service-to-service authentication where a human user is not directly involved. |
| 11 | +Instead of using user roles for authorization, M2M tokens use scopes, which are permissions attached to the token. |
| 12 | + |
| 13 | +## M2M Token Structure |
| 14 | + |
| 15 | +M2M tokens from Auth0 contain the following important claims: |
| 16 | +- `iss` (issuer): The Auth0 domain that issued the token |
| 17 | +- `sub` (subject): The client ID of the application |
| 18 | +- `aud` (audience): The API identifier (audience) |
| 19 | +- `exp` (expiration time): When the token expires |
| 20 | +- `iat` (issued at time): When the token was issued |
| 21 | +- `scope`: Space-separated list of authorized scopes |
| 22 | + |
| 23 | +## Available Scopes |
| 24 | + |
| 25 | +The Topcoder Review API supports the following scopes: |
| 26 | + |
| 27 | +### Appeal Scopes |
| 28 | +- `create:appeal` - Create appeals |
| 29 | +- `read:appeal` - Read appeals |
| 30 | +- `update:appeal` - Update appeals |
| 31 | +- `delete:appeal` - Delete appeals |
| 32 | +- `create:appeal-response` - Create appeal responses |
| 33 | +- `update:appeal-response` - Update appeal responses |
| 34 | +- `all:appeal` - All appeal-related operations |
| 35 | + |
| 36 | +### Contact Request Scopes |
| 37 | +- `create:contact-request` - Create contact requests |
| 38 | +- `all:contact-request` - All contact request operations |
| 39 | + |
| 40 | +### Project Result Scopes |
| 41 | +- `read:project-result` - Read project results |
| 42 | +- `all:project-result` - All project result operations |
| 43 | + |
| 44 | +### Review Scopes |
| 45 | +- `create:review` - Create reviews |
| 46 | +- `read:review` - Read reviews |
| 47 | +- `update:review` - Update reviews |
| 48 | +- `delete:review` - Delete reviews |
| 49 | +- `create:review-item` - Create review items |
| 50 | +- `update:review-item` - Update review items |
| 51 | +- `delete:review-item` - Delete review items |
| 52 | +- `all:review` - All review operations |
| 53 | + |
| 54 | +### Scorecard Scopes |
| 55 | +- `create:scorecard` - Create scorecards |
| 56 | +- `read:scorecard` - Read scorecards |
| 57 | +- `update:scorecard` - Update scorecards |
| 58 | +- `delete:scorecard` - Delete scorecards |
| 59 | +- `all:scorecard` - All scorecard operations |
| 60 | + |
| 61 | +## Getting an M2M Token |
| 62 | + |
| 63 | +To get an M2M token, you need to have a client registered in Auth0 with the appropriate permissions. |
| 64 | + |
| 65 | +### Example Request |
| 66 | + |
| 67 | +```bash |
| 68 | +curl --request POST \ |
| 69 | + --url https://topcoder-dev.auth0.com/oauth/token \ |
| 70 | + --header 'content-type: application/json' \ |
| 71 | + --data '{ |
| 72 | + "client_id": "YOUR_CLIENT_ID", |
| 73 | + "client_secret": "YOUR_CLIENT_SECRET", |
| 74 | + "audience": "https://m2m.topcoder-dev.com/", |
| 75 | + "grant_type": "client_credentials" |
| 76 | + }' |
| 77 | +``` |
| 78 | + |
| 79 | +### Example Response |
| 80 | + |
| 81 | +```json |
| 82 | +{ |
| 83 | + "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6...", |
| 84 | + "scope": "read:appeal create:review all:scorecard", |
| 85 | + "expires_in": 86400, |
| 86 | + "token_type": "Bearer" |
| 87 | +} |
| 88 | +``` |
| 89 | + |
| 90 | +## Using the Token |
| 91 | + |
| 92 | +Include the token in your API requests in the Authorization header: |
| 93 | + |
| 94 | +``` |
| 95 | +Authorization: Bearer YOUR_ACCESS_TOKEN |
| 96 | +``` |
| 97 | + |
| 98 | +## Scope Validation |
| 99 | + |
| 100 | +When a request is made to the API, the token's scopes are validated against the required scopes for the endpoint. |
| 101 | +If the token has at least one of the required scopes, access is granted. |
| 102 | + |
| 103 | +### Notes on "all:" Scopes |
| 104 | + |
| 105 | +Scopes that start with "all:" automatically grant access to all the specific operations in that category. |
| 106 | +For example, `all:review` includes `create:review`, `read:review`, `update:review`, etc. |
| 107 | + |
| 108 | +## Testing M2M Tokens |
| 109 | + |
| 110 | +For testing locally, you can use the following predefined test tokens: |
| 111 | + |
| 112 | +- `m2m-token-all` - Has all available scopes |
| 113 | +- `m2m-token-review` - Has all review scopes |
| 114 | +- `m2m-token-scorecard` - Has all scorecard scopes |
| 115 | + |
| 116 | +Example usage with curl: |
| 117 | + |
| 118 | +```bash |
| 119 | +curl -X GET http://localhost:3000/api/reviews \ |
| 120 | + -H "Authorization: Bearer m2m-token-review" |
| 121 | +``` |
| 122 | + |
| 123 | +## Troubleshooting |
| 124 | + |
| 125 | +If you receive a 403 Forbidden response, check that: |
| 126 | +1. Your token is valid and not expired |
| 127 | +2. The token has the required scope for the endpoint |
| 128 | +3. You're using the correct audience and issuer |
0 commit comments