
Authentication and Authorisation Overview

Authentication

TeamFolio Synapse authenticates requests using the OAuth 2.0 client credentials flow or the on-behalf-of (OBO) grant flow. Authentication is the process of proving that you are who you say you are; here it is achieved by verifying the identity of the calling application (a confidential client).

Client Credentials Flow

The OAuth 2.0 client credentials flow permits a confidential client to use its own credentials, instead of impersonating a user, to authenticate when calling another web service.

Because the confidential client's own credentials are used, those credentials must be kept secret.

In the client credentials flow, permissions are granted directly to the confidential client itself by an administrator. When the confidential client presents a token to a resource, the resource checks that the client itself is authorised to perform the requested action, since no user is involved in the authentication.

For information on how to authorise a confidential client to call the TeamFolio Synapse API and how to obtain the tokens needed within a Microsoft 365 environment, please find the documentation here.

On-Behalf-Of Grant Flow

The on-behalf-of (OBO) flow describes the scenario of a web API using an identity other than its own to call another web API. In OAuth this is referred to as delegation: the intent is to pass a user's identity and permissions through the request chain.

For the middle-tier service to make authenticated requests to the downstream service, it must obtain an access token from the Microsoft identity platform. That token carries only delegated scopes, not application roles: roles remain attached to the principal (the user) and never to the application acting on the user's behalf. This prevents the user from gaining permission to resources they should not have access to.
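As an added example (not TeamFolio's or Microsoft's own code), the two token requests described above in the form the Microsoft identity platform v2.0 token endpoint accepts, followed by the resource-side check that tells a delegated (OBO) token apart from an app-only (client credentials) token. The tenant, client, scope and role names are constructed placeholders.

```python
"""Builds the token-request bodies for both flows and enforces permissions on the
claims of a token that has already been validated (signature, issuer, audience,
expiry). Tenant, client and permission names below are constructed placeholders."""

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def client_credentials_request(tenant, client_id, client_secret, resource_app_id):
    """Client credentials flow: the confidential client authenticates as itself.
    Requesting the downstream API's '/.default' scope yields a token carrying the
    application permissions an administrator granted to this client."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a secret store, never from source
        "scope": f"api://{resource_app_id}/.default",
    }
    return TOKEN_URL.format(tenant=tenant), form


def on_behalf_of_request(tenant, client_id, client_secret, incoming_token, resource_app_id):
    """OBO flow: the middle tier presents the user's incoming access token as the
    assertion and receives a token for the downstream API that still represents
    that user, so only delegated scopes can be granted."""
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "scope": f"api://{resource_app_id}/.default",
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_URL.format(tenant=tenant), form


# Constructed sample claims, as they would look after token validation.
DELEGATED_CLAIMS = {"scp": "Projects.Read Projects.Write", "name": "Example User"}
APP_ONLY_CLAIMS = {"roles": ["Projects.Read.All"]}


def is_permitted(claims, delegated_scope, app_role):
    """Resource-side enforcement. A delegated token always carries 'scp' (space-
    separated scopes); an app-only token has no 'scp' and carries its application
    permissions in 'roles'. Each kind is checked only against the claim that
    legitimately carries it, so an app-only caller cannot satisfy a user scope."""
    if "scp" in claims:  # a user is behind this call: check delegated scopes only
        return delegated_scope in claims["scp"].split()
    return app_role in claims.get("roles", [])  # no user: check application roles
```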

For information on how to authorise a confidential client application to call the TeamFolio Synapse API and how to obtain the tokens needed within a Microsoft 365 environment, please find the documentation here.