App Client and User Authentication

In order to interact with Infojobs web services you need to comply with two levels of security:


  • 1. App Client Authentication

  • 2. User Authentication


Client authentication is required in every request, while user authentication is only required for private operations that need to perform actions on behalf of a user.


Within this context, an app client is a system used to integrate information obtained from Infojobs with information from other companies that collaborate with Infojobs. Throughout these documents we use the term user to describe a company employee who can post and manage job offers from his/her Infojobs account.


Each of these levels is explained in more depth in the following sections.

App Client authentication

Every SOAP request has to be authenticated, both for security reasons and to aid troubleshooting. Client credentials are provided using the WSSE (Web Services Security) standard. In order to authenticate an app client, a ClientId and a Client Secret are needed. These credentials will be provided to you by Infojobs.


The credentials must be included in the security header of the SOAP envelope in every request. In the following example, the ClientId SOAP-TEST and the Client Secret SOAP-TEST-SECRET are passed in the security header.


 <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
       <wsse:UsernameToken wsu:Id="UsernameToken-799830164" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:Username>SOAP-TEST</wsse:Username>
          <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SOAP-TEST-SECRET</wsse:Password>
       </wsse:UsernameToken>
    </wsse:Security>
 </soapenv:Header>

As you can see, a wsse:Security tag has been included in the SOAP header. This tag contains a UsernameToken tag with the Username and Password tags inside. Also notice that the wsse:Password tag has a Type attribute that must be explicitly provided.


   <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
      SOAP-TEST-SECRET
   </wsse:Password>

User authentication

Some SOAP operations need to perform actions on behalf of a user, for instance posting a job offer. In order to execute private operations, an accessToken must be provided in the header of the SOAP envelope request. This token authenticates the user on whose behalf the operations will be executed. To obtain an access token, the getAccessToken operation must be used. The following criteria must be met in order to successfully generate an access token:


 

  • 1 - The company needs to be associated to the app client. This step will be performed by Infojobs.
  • 2 - Users need to authorize the app client to perform an operation from their Infojobs private menu. If a company has more than one user, separate authorizations must be issued.

 


If any of these criteria is not met, a SOAP fault will be returned. Below you can see an example of how to send the access token in the SOAP header.


 <soapenv:Header xmlns:ij="http://api.infojobs.net/soap/authn" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Security soapenv:mustUnderstand="1">
       <wsse:UsernameToken>
          <wsse:Username>SOAP-TEST-wsint0201</wsse:Username>
          <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">dummySecret</wsse:Password>
       </wsse:UsernameToken>
    </wsse:Security>
    <ij:authnHeader>
       <token>20000000-0000-0000-0000-0000</token>
    </ij:authnHeader>
 </soapenv:Header>

Once issued, an access token will not expire, so it is not necessary to request a new one every time you execute a private operation.
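The two headers shown above, built with Python's standard library as an added example (not Infojobs code): the header is assembled as an element tree so credential values are XML-escaped, and a small check keeps PasswordText credentials off non-TLS endpoints. The SOAP 1.1 envelope namespace and the function names `build_header`, `header_xml` and `require_tls` are assumptions; the page does not give them.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# wsse and ij namespace URIs and the Type value are copied from this page.
# The soapenv URI is the SOAP 1.1 namespace: an assumption, the page omits it.
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
IJ = "http://api.infojobs.net/soap/authn"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

for _prefix, _uri in (("soapenv", SOAPENV), ("wsse", WSSE), ("ij", IJ)):
    ET.register_namespace(_prefix, _uri)


def build_header(client_id, client_secret, access_token=None):
    """Build soapenv:Header as an element tree, never by string concatenation,
    so '<', '&' or quotes inside a credential cannot alter the envelope."""
    if not client_id or not client_secret:
        raise ValueError("client credentials are required in every request")
    header = ET.Element(f"{{{SOAPENV}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security",
                             {f"{{{SOAPENV}}}mustUnderstand": "1"})
    user_token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(user_token, f"{{{WSSE}}}Username").text = client_id
    password = ET.SubElement(user_token, f"{{{WSSE}}}Password",
                             {"Type": PASSWORD_TEXT})  # Type must be explicit
    password.text = client_secret
    if access_token is not None:  # only private operations carry the token
        authn = ET.SubElement(header, f"{{{IJ}}}authnHeader")
        ET.SubElement(authn, "token").text = access_token  # unqualified, as above
    return header


def header_xml(client_id, client_secret, access_token=None):
    """Serialize the header to text for embedding in the request envelope."""
    return ET.tostring(build_header(client_id, client_secret, access_token),
                       encoding="unicode")


def require_tls(endpoint_url):
    """PasswordText sends the Client Secret unhashed; allow https only."""
    if urlsplit(endpoint_url).scheme.lower() != "https":
        raise ValueError("refusing to send credentials to a non-https endpoint")
    return endpoint_url
```

Because the access token does not expire, store it with the same care as the Client Secret, for example in a secrets manager rather than in source code.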


How users authorize an App Client

To authorize an app client, users need to open their Infojobs private menu and navigate to the account configuration area. Within this area they will find a link pointing to the external applications page. The user will have all app client operations disabled by default. The user should find your client name and authorize all necessary operations.


Note: An authorization can be rejected and re-granted as many times as the user wishes.


The following screenshots describe how a user can perform the authorization process from a company in Spain. The first screen shows the private menu for a given company, while the second screen is very similar for all company types.


Figure 1: Company private menu


Figure 2: External Application page