# Using Xena API with OAuth

## Using Xena API

The basic flow looks like this:

![Flow](https://3101502904-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZdybBvJaAboIV6zNHC%2F-LrxRqRBuD6PvAMzSQGr%2F-LrxRrVf2YD-ROtRIBZB%2Fapi_call.png?generation=1571915267165535\&alt=media)

1. The user enters your app.
2. The user reaches a place in your application where they want to use the Xena API.
3. They are forced to log in to Xena.
4. After a successful login, they are transferred back to your app with tokens.
5. Your app can communicate with the Xena API by passing the user's access\_token.

> See our [GitHub samples here](https://github.com/EG-BRS/Identity.Server.Sample.Dotnet).\
> For more see [Identity Server sample clients](https://github.com/IdentityServer/IdentityServer4/tree/master/samples/Clients/src).

## Creation

First, your app needs to be registered in Xena.

Then open the app and go to the 'OAuth' tab.

Click on the link to Connect, and create a new client:

<figure><img src="https://3101502904-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LZdybBvJaAboIV6zNHC%2Fuploads%2Fu5lDLHOsjoQsxacYHFtY%2F7%20Create%20client%20in%20OAuth.png?alt=media&#x26;token=2de4023a-831d-49fa-9d30-0f775bbf1f80" alt=""><figcaption></figcaption></figure>

> You won't be able to change the grant type later.

**Client Id** - Unchangeable ID by which your app is recognized in Xena (the whole string, with .xena.biz).\
**Name** - Your app name that will be shown to the user on the consent screen.\
**Client Uri** - Link to your terms of service and privacy policy, displayed during user login.

Settings:

* Enabled - enables or disables your connection with the app.
* Browser access - allows obtaining the access\_token through front-channel communication.
* Off-line access - used in the hybrid flow to obtain a refresh\_token that can be exchanged for an access\_token without user interaction.

Supported grant types:

* Implicit - mainly for browser-based applications.
* Hybrid - for applications with a backend, where the server communicates with the Xena API.

### Configuration

After the client creation, you will be transferred to the edit window with a few new settings:

<figure><img src="https://3101502904-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LZdybBvJaAboIV6zNHC%2Fuploads%2FYVpz7KKioLHd2XvQ5S0O%2F8%20Create%20client%20in%20OAuth.png?alt=media&#x26;token=df6d1779-c339-4915-a48a-c53511a76cdf" alt=""><figcaption></figcaption></figure>

* Scopes - The scopes available to your app. The **testapi** scope is required for [**Xena API**](https://dev.xena.biz/xena-developer/development/get-started/the-xena-api) communication.
* RedirectUri - The URI of your OIDC login endpoint. It **must match** in your client and in this configuration. (For ASP, the default path is yourapp.com/signin-oidc.)
* Post Logout Redirect Uri - After the user logs out, they are transferred back to your app at this URI. (For ASP, the default path is yourapp.com/signout-callback-oidc.)
* Secrets - The auto-generated secret for your app (hybrid flow).
