Introducing Support for OAuth Flows for External Applications and Mobile Clients

As web services support more write functions and allow access to more sensitive data, it is increasingly important that information be kept secure, whether you’re interacting via server-side web applications, client-side browser applications, or native mobile applications. Our OAuth 2.0 implementation enables you to provide a secure login function for your registered users.

The OCLC OAuth 2.0 Authorization Server includes both a Web App pattern (“Explicit Authorization Flow” in OAuth terms) and a Mobile Pattern (“User Agent Flow”) and provides a safe, robust infrastructure to manage authentication and authorization interactions across clients.

  • Expanded support for authentication of several types of clients:
    • Web Applications
    • JavaScript or other User Agents
    • Mobile applications
  • Ability to use Access Tokens to authenticate to web services:
    • For a particular service or services
    • On behalf of a particular user in order to read or write data
    • For a particular institution
    • For a specific amount of time

The Authorization Server allows clients to log users in to their appropriate identity provider at the relevant institution and is built on our Identity Management (IDM) infrastructure. Applications and institutions that are configured in IDM include:

  • WorldShare Management Services (WMS) subscribers
  • WorldCat Metadata API users - When you request a WSKey for this service, we configure a cataloging user in IDM on your behalf.

Web services that utilize IDM:

  • WMS Acquisitions API
  • WMS Circulation API
  • WMS Collection Management API
  • WMS NCIP Service
  • WMS Vendor Information Center API
  • WorldCat Metadata API
  • WMS License Manager API [Beta]

Note that consuming web browsers must have cookies enabled.

Ready to get started?
In order to use this new functionality, you will need to give OCLC an additional piece of information for your WSKey: a redirect URI that our Authorization Server will use to send logged-in clients back to your application. We’ve added a new field to new WSKey requests where you’ll need to set the Redirect URL for your application. You can add this information to an existing WSKey by emailing with the API key string for the existing WSKey, the web service, and the redirect URI for your application. We've created a page with this, and everything else you'll need to know about getting started using the OAuth 2.0 Authorization Server.


For further reading on OCLC WorldShare Platform Authentication and Authorization, including more details about our OAuth 2.0 implementation, we recommend Karen’s ongoing topical series:

  1. Introduction to AuthNZ for OCLC Web Services
  2. Authentication Using HMAC Signature
  3. Authentication and Authorization: User Identifiers
  4. Authentication and Authorization: Access Tokens

Keep an eye out for upcoming posts on Explicit Authorization Code, User Agent Mobile Flow, and more.
