New in version 3.0.
Review Board supports the OAuth2 authorization code grant mechanism for connecting third-party services. Supporting OAuth2 allows your application to use Review Board’s APIs without storing any user credentials.
Registering an OAuth2 Application¶
In order to use OAuth2, you’ll need to register an application. To do this, from the Review Board UI, go to the Account Settings page. From here, select OAuth2 Applications, and then Add application.
There are several fields to fill out in the application creation form:
- The name of the application. This can be anything, and is only used to help keep track of your various registered applications.
- Whether the application should be enabled or not.
- Redirect URIs
- After a user authenticates, Review Board will redirect back to your application. The specific location of the redirect will be specified as part of the Authorization Flow. This field defines a whitelist of which URIs will be accepted therein.
- Client Type
- The client type, as defined in :rfc:`RFC 6749 Section 2.1 <6749#section-2.1>`_.
- Authorization Grant Type
- The type of authorization flow desired by the client. We recommend using the Authorization code grant type.
- Restrict To
- If your server uses local sites, you can optionally restrict your OAuth2 application to authenticate to only a specific local site. If the drop-down field is empty, this field can safely be ignored.
Once you save your application, you will see two new settings. These will be used by your application code when requesting authorization:
- Client ID
- An ID for your client which will be sent along with requests for authorization.
- Client Secret
- A shared secret, used for verification of requests.
When your application requests authorization, you can optionally include a list
of scopes. These scopes are defined via the API resource names and a method
delete). For example, to request read access
to the review request resource, the scope ID would be
These scopes do not automatically grant access to the parent
resources, so granting read or write access to
requires granting read access to its parent,