...

Faces supports multiple OAuth2 grant flows, depending on the individual requirements of the client application. The following table lists the possible flows:

| Type | Purpose | Description | Restrictions |
| --- | --- | --- | --- |
| Authorization Code | Interact with the API on behalf of an end-user | Allows an application to act on behalf of one or more specific users within Faces. The Authorization Code flow requires the client application to open a popup window where a user signs into Faces and explicitly allows access. Once access has been granted, a refresh-token is issued which allows further access without additional human interaction. | Not all API operations may be available, depending on the authorization level of the user (e.g. company data cannot be queried or updated by a traveller). |
| Implicit | | Similar to the Authorization Code flow, with the difference that no refresh-token will be issued and thus only temporary access of maximum one hour is possible before re-confirmation is needed. | Same as for Authorization Code. Note: The implicit flow is considered deprecated / unsafe and should no longer be used (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-09#section-2.1.2). Please consider using the Authorization Code Grant. |
| Client Credentials | Machine-to-Machine communication | Currently allows a specific OAuth2 Client to be linked to a specific travel agency in Faces. No end-user interaction is required. | ID-Tokens cannot be requested since the access is not tied to a specific user. |

...

```js
{
    "access_token": "eb0afd63-7ad3-4b0f-a3cb-bacbbf4cac7c",
    "token_type": "bearer",
    "refresh_token": "0561038e-02d3-48e4-a859-399acacad59c",
    "expires_in": 3599
}
```

Note

Please rely only on the "access_token", "token_type", "refresh_token" and "expires_in" attributes within the token response payload.
There might be supplemental information in additional attributes, which can change frequently and without any advance notice.

 

Step 5: Get new access token

...

As a result, a new access token will be issued.

 

Note

Please rely only on the "access_token", "token_type" and "expires_in" attributes within the token response payload.
There might be supplemental information in additional attributes, which can change frequently and without any advance notice.
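One way a client can follow the two notes above, shown as an added example (not code from the Faces documentation): it reads only the documented attributes, ignores anything else in the payload, and keeps the stored refresh token when a Step 5 response arrives. The function and class names, the `grant`/`refresh` labels and the 60-second refresh margin are assumptions, and the `grant` case assumes the Authorization Code flow, where a refresh token is issued.

```javascript
// Added example. Attribute names come from the page; every other name is hypothetical.
const FIELDS = {
  grant: ["access_token", "token_type", "refresh_token", "expires_in"],
  refresh: ["access_token", "token_type", "expires_in"],
};

// Copy only the documented attributes for this response kind and validate them.
function pickDocumented(payload, kind) {
  const out = {};
  for (const key of FIELDS[kind]) {
    if (Object.prototype.hasOwnProperty.call(payload, key)) out[key] = payload[key];
  }
  if (typeof out.access_token !== "string" || out.access_token === "") {
    throw new Error("token response has no access_token");
  }
  if (typeof out.token_type !== "string" || out.token_type.toLowerCase() !== "bearer") {
    throw new Error("unexpected token_type");
  }
  if (!Number.isInteger(out.expires_in) || out.expires_in <= 0) {
    throw new Error("invalid expires_in");
  }
  if (kind === "grant" && typeof out.refresh_token !== "string") {
    throw new Error("grant response has no refresh_token");
  }
  return out;
}

class TokenState {
  constructor(marginSeconds = 60) {
    this.marginMs = marginSeconds * 1000; // assumed safety margin before expiry
    this.accessToken = null;
    this.refreshToken = null;
    this.expiresAt = 0;
  }
  // kind is "grant" (initial token response) or "refresh" (Step 5 response).
  update(payload, kind, nowMs = Date.now()) {
    const t = pickDocumented(payload, kind);
    this.accessToken = t.access_token;
    this.expiresAt = nowMs + t.expires_in * 1000;
    // A refresh response is not relied on for refresh_token: keep the stored one.
    if (kind === "grant") this.refreshToken = t.refresh_token;
    return this;
  }
  needsRefresh(nowMs = Date.now()) {
    return this.accessToken === null || nowMs >= this.expiresAt - this.marginMs;
  }
  authorizationHeader() {
    return `Bearer ${this.accessToken}`;
  }
}
```

Passing `nowMs` explicitly makes the expiry logic testable without waiting for a real token to age.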


ID token

...

Access Token with additional id_token

```js
{
  "access_token": "f88a7119-b585-4c9c-9867-88a40aae41f8",
  "token_type": "bearer",
  "refresh_token": "bab32afe-acf8-4a8e-ba7c-ed567daa0ee4",
  "expires_in": 3599,
  "scope": "email openid profile",
  "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJvcGVuaWQiOiIzZDkyMDVjYS1mMjY0LTRhZDgtYjFhYy1lNjQ1NTU3ZWFhOTkiLCJwcm9maWxlIjp7ImZpcnN0bmFtZSI6IlJlbW8iLCJwaG9uZSI6Iis0MTQ0MTIzNDU2NyIsImRpc3BsYXluYW1lIjoiSGVyciBSZW1vIFLDpGJlciIsIm5hbWUiOiJSw6RiZXIifSwiZW1haWwiOiJyZW1vLnRlc3RAdW1icmVsbGEuY2gifQ.ni2_4eszvqV5JgWBzJNmQ8jq225_7i-TiMAFzSGDSkPt6J5CTPSQF5wsq_Og5tOzd39nybGfwRzDyAkAOWinU2_djUv58gMx095U77ccSlSVYca6sn8t8WL62v8AOPSO9h8ok52nQpjtZFWcni4KABlcCKd_feT_5KjAmsRQwf7NZ0gqkoP3Y4Ymo454N8ezu822slF-ub4UdA1VBHDZuCJtQWbdsT2Cfep1NWRf3by_uP2s6yxHcHmQ0R_kYwXKMW2SbxyGo821cN-sxXYmppb4ipDtPKC7ANUYc5wZQ2Gp0gAenMIfxooz0njkEWKKMq3pwZWNJnWHDwVsluqI_w"
}
```

 

Note

Please rely only on the "access_token", "token_type", "refresh_token", "expires_in", "scope" and "id_token" attributes within the token response payload.
There might be supplemental information in additional attributes, which can change frequently and without any advance notice.

Decoded ID-Token

The following extract depicts a decoded ID-Token from the value of "id_token" in the response above.

...

Umbrella Faces logically divides a greeting into a common title and a formal title. The common title is restricted to a predefined list (please see the swagger document for the most up-to-date list), whereas the formal title allows storage of free-text title information, with the limitation that only certain formal titles are shown in the UI.

 

Note

Depending on the travel agency setup, not all combinations of common / formal title are supported by the Faces UI. It's best to consult with the travel agency on their setup to ensure a consistent user experience.

The common titles referenced in the swagger definition are generally valid for every agency.

Please refer to the following table:

Formal Titles

| Formal Title | Title Structure "Default" | Title Structure "Compound" * |
| --- | --- | --- |
| Master | Not supported | Supported |
| Mx | Not supported | Supported |
| DR | Supported | Supported |
| PROF | Supported | Supported |
| Rev | Not supported | Supported |
| Sir | Not supported | Supported |
| Lord | Not supported | Supported |
| Lady | Not supported | Supported |

* Titles are supported if no commonTitle is set. Because the UI uses only a single drop-down for "Compound", it is not possible to display a title such as MR DR.

Using compoundTitle vs commonTitle & formalTitle

TBD

 

Umbrella Faces always stores the compoundTitle in its backend, but transparently derives the common and formal title in API requests using the following general format: compoundTitle = trim(commonTitle + " " + formalTitle).

When updating a profile in Umbrella Faces, it is important to only send either the compoundTitle or commonTitle / formalTitle but never both structures.

API Request Examples

| compoundTitle in API request | resulting commonTitle | resulting formalTitle | Remarks |
| --- | --- | --- | --- |
| MS | MS | | |
| MR DR | MR | DR | If the travel agency is using title structure "Compound", the stored value will not be visible in the UI since "MR DR" is unsupported |
| MISS Lady | MISS | Lady | Not supported by the Faces UI - would show as follows: Title Structure Default: "Lady" would not be visible in the UI. Title Structure Compound: Title in the UI would be shown as "-" since a combination of "MISS Lady" is unsupported |
| PROF MRS | UNDEFINED | PROF MRS | Invalid request results in incorrect parsing since the commonTitle is to be sent as the first part of the compoundTitle |
| PROF | UNDEFINED | PROF | |
| Rev | UNDEFINED | Rev | If the travel agency is using title structure "Default", the stored value will not be visible in the UI |

Greeting validation

It is important to note that the commonTitle is mandatory whenever sex is set to MALE or FEMALE if the agency is using Title Structure "Default".
Should you create / update a profile using compoundTitle, you might still get an errorMessage for greeting.commonTitle in case the supplied compoundTitle cannot be derived into a valid commonTitle.
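A client-side pre-flight check for the title rules in the two sections above, as an added example (not code from the Faces documentation or its backend). The splitting rule is inferred from the API Request Examples table, the `COMMON_TITLES` set is a constructed sample (the authoritative list is in the swagger document), and all function names are hypothetical.

```javascript
// Added example. Constructed sample of common titles taken from this page's table;
// the authoritative list is in the swagger document.
const COMMON_TITLES = new Set(["MR", "MRS", "MS", "MISS"]);

// Split a compoundTitle the way the table shows: the first word is the commonTitle
// only if it is a known common title, otherwise everything is the formalTitle.
function deriveTitles(compoundTitle) {
  const parts = compoundTitle.trim().split(/\s+/).filter(Boolean);
  if (parts.length > 0 && COMMON_TITLES.has(parts[0])) {
    return { commonTitle: parts[0], formalTitle: parts.slice(1).join(" ") };
  }
  return { commonTitle: "UNDEFINED", formalTitle: parts.join(" ") };
}

// compoundTitle = trim(commonTitle + " " + formalTitle).
// Assumption: "UNDEFINED" means "no common title" and contributes nothing.
function composeTitle(commonTitle, formalTitle) {
  const common = commonTitle && commonTitle !== "UNDEFINED" ? commonTitle : "";
  return `${common} ${formalTitle || ""}`.trim();
}

// Return the problems a request would have before it is sent.
// titleStructure is the agency setting: "Default" or "Compound".
function checkGreeting(greeting, sex, titleStructure) {
  const hasCompound = typeof greeting.compoundTitle === "string";
  const hasSplit = "commonTitle" in greeting || "formalTitle" in greeting;
  if (hasCompound && hasSplit) {
    return ["send either compoundTitle or commonTitle/formalTitle, never both"];
  }
  const common = hasCompound
    ? deriveTitles(greeting.compoundTitle).commonTitle
    : greeting.commonTitle || "UNDEFINED";
  const errors = [];
  const sexNeedsTitle = sex === "MALE" || sex === "FEMALE";
  if (titleStructure === "Default" && sexNeedsTitle && common === "UNDEFINED") {
    errors.push("greeting.commonTitle"); // the field the page says the error names
  }
  return errors;
}
```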

Create new traveler profile

...

Example request

```bash
curl -v -H "Authorization: Bearer <token>" \
    "https://hurricane.umbrellanet.ch/uf-test/api/v1/reference-data/air-providers?profileType=TRAVELLER"
```

Get hotel chain codes

Scopes

(none needed)

Endpoints

api/v1/reference-data/hotel-chains

Request method: GET

Fetch a list of available hotel chain code options

Example request

```bash
curl -v -H "Authorization: Bearer <token>" \
    "https://hurricane.umbrellanet.ch/uf-test/api/v1/reference-data/hotel-chains"
```

Get rental car providers

Scopes

(none needed)

Endpoints

api/v1/reference-data/car-providers

Request method: GET

...