Tutorial

How To Use OAuth Authentication with DigitalOcean as a User or Developer

How To Use OAuth Authentication with DigitalOcean as a User or Developer

Introduction

Version 2 of the DigitalOcean API includes many changes that improve the experience for everybody. One of the most important new features is OAuth authentication for users and applications.

The OAuth system allows you to authenticate with your account using the API. This access can be granted in the form of personal access tokens for straight-forward use cases, but it also allows flexibility in allowing applications to access your account.

In this guide, we will discuss how grant or revoke an application’s ability to access to your account. We will also discuss the other side of the interaction by walking through how to register applications that leverage the API with DigitalOcean. This will allow you to use OAuth to request access to your users’ accounts.

Authorizing Applications to Use Your Account as a User

If you are simply interested in giving applications access to your account, you will be able to grant authorization through the application and revoke access through the DigitalOcean control panel.

When using an application that utilizes DigitalOcean’s OAuth authentication, you will be redirected to a page to choose whether you would like to grant the application access to your DigitalOcean account.

The page will look like this:

DigitalOcean app auth request

The request will define whether the application is requesting read-only access, or read & write access. If you decide to grant the requested access, you will be returned to the application, which will now authenticate to operate on your account.

If you wish to revoke access, simply go to your DigitalOcean account and click on the “Apps & API” section in the left-hand navigation menu of the control panel:

DigitalOcean left-hand nav

Under the “Authorized Applications” section, you should see an entry for each of the applications you have granted access.

DigitalOcean authorized app

Click on the “revoke” button to remove the associated application’s access to your account:

DigitalOcean oauth revoke

The application will no longer have access to your account.

Using OAuth to Authenticate Users as a Developer

To utilize OAuth as a developer, you need to go through two separate processes. First, you must register your application to gain the credentials necessary to request access. Afterwards, you must develop your application to correctly make requests and handle the responses from both the user’s browser and the DigitalOcean servers.

Registering Developer Applications with DigitalOcean

If you are a developer needing to authenticate users through OAuth, you first need to register your application through the DigitalOcean control panel.

In the “Apps & API” section of the control panel, in the middle of the page, you will see a section titled “Developer Applications”:

DigitalOcean developer applications section

To register a new application, click on the “Register new application button” on the right-hand side:

DigitalOcean register app

You will be taken to the registration page.

DigitalOcean app registration info

Here, you will need to supply some basic information like your application’s name and homepage, and provide a brief description. Keep in mind that this information will show up on the authorization request page for users.

You will also need to supply a callback URL for the application. This is a location where you will configured your application to handle authorization responses. See the next section, or the OAuth Authentication guide, to learn more about what is necessary to process an OAuth request.

When you submit your details, you will be taken to a page with the information needed to build the authorization application or script that will live at the callback URL you provided. This includes your client ID, your client secret, and a pre-formatted authorization request link to redirect users to:

DigitalOcean app details

Implementing DigitalOcean OAuth in your Application

To implement OAuth authentication, your application must first redirect your users to an endpoint at:

https://cloud.digitalocean.com/v1/oauth/authorize

This redirect should contain your client ID, the callback URL as the value of redirect_uri, and set response_type=code. You can optionally set the scope of token that you are requesting (e.g. scope=read%20write for full access). An example redirect might look like:

https://cloud.digitalocean.com/v1/oauth/authorize?client_id=client_id&redirect_uri=callback_URL&response_type=code&scope=read%20write

When the user is redirected to your supplied callback URL after granting access, a code that you need to capture will be included as a query parameter.

Next, send a POST request to:

https://cloud.digitalocean.com/v1/oauth/token

Include your client ID, client secret, the callback URL as the redirect_uri value, the code you received from the user redirect, and set grant_type=authorization_code. An example request might look like this:

https://cloud.digitalocean.com/v1/oauth/token?client_id=client_id&client_secret=client_secret&code=code_from_user_redirect&grant_type=authorization_code&redirect_uri=callback_URL

The entire response will look something like this:

{"provider"=>:digitalocean, "info"=>{"name"=>"some_name", "email"=>"user@example.com"}, "credentials"=>{"token"=>"$AUTH_TOKEN", "expires_at"=>1405443515, "expires"=>true}, "extra"=>{}}

You can then use the AUTH_TOKEN in subsequent requests to take actions on the user’s account.

Most developers will leverage an OAuth library for their language of choice to make this process simpler, but it is always good to have a general idea of what is happening behind the scenes.

Accepted Scopes

Scopes let you specify the type of access you need. Scopes limit access for OAuth tokens. Here is the list of scopes accepted by the DigitalOcean OAuth endpoint:

Name Description
(no scope) Defaults to read scope.
read Grants read-only access to user account. This allows actions that can be requested using the GET and HEAD methods.
read write Grants read/write access to user account, i.e. full access. This allows actions that can be requested using the DELETE, PUT, and POST methods, in addition to the actions allowed by the read scope.

Developer Resources

omniauth-digitalocean Gem

Since DigitalOcean uses Ruby internally, we are providing an open source OAuth strategy for the community to use. The omniauth-digitalocean gem is on Github and published to RubyGems. It’s based on OmniAuth, the widely used Rack-based library for multi-provider authentication, and is an easy way to integrate “sign in with DigitalOcean" into Rails and Rack frameworks.

Conclusion

OAuth is a well established way of granting applications access to your account or requesting account access from users. The DigitalOcean “Apps & API” page strives to make this process as straight-forward as possible for both parties.

For a technical overview of DigitalOcean’s OAuth API, click here: DigitalOcean OAuth Overview.

To learn more about how OAuth works, check out our community article: An Introduction to OAuth 2.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
5 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Elan Hasson
DigitalOcean Employee
DigitalOcean Employee badge
February 9, 2022

Updated documentation can be found here: https://docs.digitalocean.com/reference/api/oauth-api/

So can this be used to automatically create a droplet for a user? He clicks a button on my site, he authorizes RW access using OAuth and then I can call a create droplet API endpopint, right?

Hi, i’m using django and django-allauth, but when i’m trying to login via facebook it gives me “server error 500”. So is it related to this? I mean i have to use DO authentication app? Or is there some other way?

Andrew SB
DigitalOcean Employee
DigitalOcean Employee badge
July 24, 2014

@beau.harder: There isn’t currently a /user endpoint. You can see the full API documentation here:

https://developers.digitalocean.com/v2/

We’re still looking for feedback on version 2. So if there’s anything you feel is missing, feel free to open an issue on our GitHub page:

http://do.co/APIv2_feedback

Is there a URL that will return the user info? i.e. GitHub’s is https://api.github.com/user, and Google’s is https://www.googleapis.com/oauth2/v1/userinfo

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.