I am building an app integration. I've implemented the OAuth flow described at https://nationbuilder.com/api_quickstart. Suppose that two nations, N1 and N2, both install my app. As a result of following the OAuth flow, my app has now obtained API tokens for both nations, so it can make API requests on behalf of either one. I want to limit who can prompt my app to act on behalf of a given nation. For example, only someone affiliated with N1 should be able to prompt my app to access N1's data via the NB API. Conversely, someone affiliated with N1 should not be able to prompt my app to access N2's data. In order to limit access appropriately, my app needs a way to know which nation is asking it to do something. How can nations identify themselves to my app in a secure way?
Usually the apps are authenticated through OAuth for each individual nation. It wouldn't be a good idea to let people who install your app have access to all other nations who are authenticated through the app. In general, each nation will have individual OAuth Client IDs, Client Secrets and Auth Tokens. Since only admins of that nation can generate auth tokens (through the OAuth process), it should inherently be impossible to access data from another nation from within your app (depending on how it was built). Apps are identified through the Client ID and Client Secret that are registered individually through the Developer tab in NationBuilder from within each specific nation.
If you could send us more specifics on how you are building the app, we would be happy to help suss this out with you!
Please send us an email to [email protected] and we can work with you on getting this resolved.
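The answer's point is that tenant isolation comes from keeping each nation's Client ID, Client Secret and access token separate, and from the fact that only that nation's admin can complete the OAuth flow. The following added example (not code from the question, the answer, or NationBuilder) shows one way an app can enforce that: the `state` value generated when a nation starts the install is the only thing that ties the OAuth callback back to that nation, so the token that comes back is stored under the right tenant, and the session created for the admin who completed the flow is bound to that nation. Every later API call on behalf of a nation is checked against the session's nation before the stored token is used. The nation slugs, user names, tokens and the `TenantStore` class are all constructed for illustration; the actual exchange of the authorization code for a token at NationBuilder's token endpoint is assumed to happen outside this snippet and its result is passed in as `access_token`.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class NationCredentials:
    # One record per nation: the Client ID / Client Secret registered in that
    # nation's Developer tab, plus the access token obtained via its OAuth flow.
    client_id: str
    client_secret: str
    access_token: Optional[str] = None


@dataclass
class Session:
    # A logged-in user of the app, bound to exactly one nation.
    user: str
    nation: str


@dataclass
class TenantStore:
    nations: Dict[str, NationCredentials] = field(default_factory=dict)
    # Unredeemed OAuth `state` values, each mapped to the nation that started
    # the install. Lookup by state is what identifies the nation on callback.
    pending_states: Dict[str, str] = field(default_factory=dict)

    def begin_install(self, nation: str, client_id: str, client_secret: str) -> str:
        """Record the nation's own OAuth credentials and mint an unguessable state."""
        self.nations[nation] = NationCredentials(client_id, client_secret)
        state = secrets.token_urlsafe(32)
        self.pending_states[state] = nation
        return state

    def complete_install(self, state: str, admin_user: str, access_token: str) -> Session:
        """Handle the OAuth callback: the state decides which nation the token belongs to."""
        nation = self.pending_states.pop(state, None)  # single use: a replay fails
        if nation is None:
            raise PermissionError("unknown or already-used OAuth state")
        self.nations[nation].access_token = access_token
        # The admin who completed this nation's OAuth flow is bound to this nation only.
        return Session(user=admin_user, nation=nation)

    def token_for(self, session: Session, requested_nation: str) -> str:
        """Return the token to use for an API call, or refuse cross-nation access."""
        if session.nation != requested_nation:
            raise PermissionError(
                f"{session.user} (nation {session.nation}) may not act for {requested_nation}"
            )
        creds = self.nations.get(requested_nation)
        if creds is None or creds.access_token is None:
            raise LookupError(f"no completed install for nation {requested_nation}")
        return creds.access_token


def demo() -> dict:
    """Constructed scenario: two nations install the app, each admin gets a session."""
    store = TenantStore()
    state_n1 = store.begin_install("n1", "n1-client-id", "n1-client-secret")
    state_n2 = store.begin_install("n2", "n2-client-id", "n2-client-secret")
    alice = store.complete_install(state_n1, "alice@n1", "token-for-n1")  # constructed token
    bob = store.complete_install(state_n2, "bob@n2", "token-for-n2")      # constructed token

    results = {
        "alice_on_n1": store.token_for(alice, "n1"),
        "bob_on_n2": store.token_for(bob, "n2"),
    }
    try:
        store.token_for(alice, "n2")
        results["alice_on_n2"] = "allowed"
    except PermissionError:
        results["alice_on_n2"] = "refused"
    try:
        store.complete_install(state_n1, "mallory", "forged-token")
        results["replayed_state"] = "accepted"
    except PermissionError:
        results["replayed_state"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The one-time `state` is doing the identification work here: it is generated server-side, stored against the nation that started the install, and consumed on the callback, so a callback carrying an unknown or reused state is refused rather than silently attached to some nation. In a real deployment the session would come from the app's own login system rather than be returned directly, but the check in `token_for` is the same: the session's nation, not a nation name supplied in the request, decides whose token may be used.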