👋 Hi
Welcome to Carerix's GraphQL documentation.
The GraphQL API is available at the https://api.carerix.io/graphql/v1/graphql endpoint.
For authorization you need an OAuth2 access token, which you obtain as follows:
- Create a client in your Carerix application via the "Identity Access" menu, "Clients" tab;
- Obtain an access token using the OpenID Connect protocol;
- Include the token in the Authorization header of every API request, like:
Authorization: Bearer $TOKEN
Setting up a client
Clients are applications and services that access a user's data or their own data, for example via this API.
The OAuth2 specification defines two types of clients: public and confidential. To choose between them, one must understand how the client will authenticate.
If an application cannot securely store credentials (e.g. because its code runs on the user's device, in a web browser or as a mobile app), then a public client must be created.
If an application can store its secret in a way that is not exposed to the user (e.g. because its code runs on a web server), then a confidential client must be created.
Public
Public clients are applications that cannot securely store credentials because they run on devices or platforms that are accessible to end users, for example a browser plugin, a web frontend application or a native mobile application. A public client acts on behalf of an authenticated user and does not have its own service account.
In order to obtain an access token, such a client has to use the authorization_code flow. Carerix also highly recommends using the Proof Key for Code Exchange (PKCE) extension, which prevents CSRF and authorization code injection attacks: the client that redeems the authorization code must present the code_verifier that only the party which started the flow possesses.
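The flow above, as an added example written for this page (it is not Carerix's own code): a public client generates a PKCE verifier and S256 challenge, builds the authorization request with a per-session state, validates the callback, and redeems the code without any client_secret. The AUTHORIZE_URL and TOKEN_URL values are assumed placeholders; a real client takes them from the authorization server's OpenID Connect discovery document. All function names are this example's own.

```python
# Added example: authorization_code + PKCE (S256) for a public client, written for this
# page, not taken from Carerix. Assumed placeholders: AUTHORIZE_URL and TOKEN_URL; a real
# client reads them from the authorization server's OpenID Connect discovery document.
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://auth.example.com/authorize"  # assumed placeholder
TOKEN_URL = "https://auth.example.com/token"          # assumed placeholder


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes -> 43 unreserved characters (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def challenge_from_verifier(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(client_id: str, redirect_uri: str, scope: str = "openid"):
    """Step 1: send the user's browser to the returned URL. Keep verifier and state in
    the user's session; both are needed again when the callback arrives."""
    verifier = make_verifier()
    state = b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge_from_verifier(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params), verifier, state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: reject the callback unless 'state' matches what this session issued;
    that is what stops a forged or replayed redirect (CSRF) from handing us a code."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def build_token_request(code: str, client_id: str, redirect_uri: str, verifier: str):
    """Step 3: a public client sends no client_secret; code_verifier proves that the
    party redeeming the code is the one that started the flow, so an injected code
    (stolen from another session) cannot be exchanged."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def exchange_code(req: urllib.request.Request) -> str:
    """Sends the token request over the network and returns the access token."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    cid, cb = "my-public-client", "http://localhost:8080/cb"  # assumed sample values
    url, verifier, state = build_authorization_request(cid, cb)
    print("Open in browser:", url)
    # After login the browser lands on redirect_uri; paste that full URL here.
    code = parse_callback(input("Callback URL: ").strip(), state)
    print(exchange_code(build_token_request(code, cid, cb, verifier)))
```

The verifier/challenge pair can be checked against the test vector in RFC 7636 Appendix B. Note that the verifier and state must live only in the client's session until the token request; a verifier that is logged or shared defeats the protection.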
Confidential
Confidential clients are applications that are able to safely store their client_secret and are thus able to securely authenticate with the authorization server, for example a middleware, an API service or a web backend application.
A confidential client acts on its own behalf, having a dedicated service account with a set of assigned permissions.
In order to obtain an access token, such a client has to use the client_credentials flow.
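The confidential-client flow and the Bearer header from the top of this page, as an added example written for this page (not Carerix's own code): the service authenticates with its client_secret over HTTP Basic, caches the token until shortly before expires_in runs out, and then sends a GraphQL query to the documented endpoint. TOKEN_URL is an assumed placeholder to be taken from the OpenID Connect discovery document; GRAPHQL_URL is the endpoint this page documents; the `{ __typename }` query is used only because it is valid against any GraphQL schema. All function and class names are this example's own.

```python
# Added example: client_credentials for a confidential client, then a GraphQL call with the
# Bearer token. Written for this page, not Carerix's own code. Assumed placeholder: TOKEN_URL
# (take it from the OpenID Connect discovery document). GRAPHQL_URL is the documented endpoint.
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.example.com/token"  # assumed placeholder
GRAPHQL_URL = "https://api.carerix.io/graphql/v1/graphql"


def build_client_credentials_request(client_id: str, client_secret: str, scope=None):
    """The secret travels in an HTTP Basic header (client_secret_basic), never in the
    URL, so it does not end up in access logs or proxies' request lines."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return urllib.request.Request(
        TOKEN_URL, data=urllib.parse.urlencode(form).encode("ascii"), method="POST",
        headers={"Authorization": "Basic " + creds,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


class TokenCache:
    """Reuses one access token across calls and renews it `skew` seconds before it
    expires, so a service does not hit the token endpoint on every GraphQL request."""

    def __init__(self, fetch, skew=30, clock=time.time):
        self.fetch = fetch    # callable returning the token endpoint's JSON as a dict
        self.skew = skew
        self.clock = clock
        self._token = None
        self._expires_at = 0.0

    def token(self) -> str:
        now = self.clock()
        if self._token is None or now >= self._expires_at - self.skew:
            resp = self.fetch()
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type: %r" % resp.get("token_type"))
            self._token = resp["access_token"]
            # A missing expires_in is treated as "already expiring": re-fetch every call.
            self._expires_at = now + float(resp.get("expires_in", 0))
        return self._token


def fetch_token_over_network(client_id: str, client_secret: str):
    """Builds the fetch callable for TokenCache that really talks to the token endpoint."""
    def fetch():
        req = build_client_credentials_request(client_id, client_secret)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


def build_graphql_request(token: str, query: str, variables=None):
    """The call the page describes: POST the query with 'Authorization: Bearer $TOKEN'."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode("utf-8")
    return urllib.request.Request(
        GRAPHQL_URL, data=body, method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json", "Accept": "application/json"},
    )


def parse_graphql_response(raw: bytes) -> dict:
    """GraphQL may answer HTTP 200 even when the query failed; errors live in the body."""
    doc = json.loads(raw)
    if doc.get("errors"):
        msgs = "; ".join(e.get("message", "?") for e in doc["errors"])
        raise RuntimeError("GraphQL errors: " + msgs)
    return doc["data"]


def run_query(cache: TokenCache, query: str, variables=None) -> dict:
    req = build_graphql_request(cache.token(), query, variables)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_graphql_response(resp.read())


if __name__ == "__main__":
    import os  # secret comes from the environment, never from source control
    cache = TokenCache(fetch_token_over_network(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"]))
    print(run_query(cache, "{ __typename }"))  # valid against any GraphQL schema
```

The fetch callable is injected into TokenCache so the renewal logic can be exercised without a network; in production the service account's permissions, not the token, decide what the query may touch, so keep them to the minimum the integration needs.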