OAuth is an open standard for authorization that allows applications and services to access resources on behalf of a user, without sharing the user’s credentials. OAuth uses access tokens to grant permissions to applications and services to access the user’s resources [1]. Cisco Spark supports OAuth 2.0, which is the latest version of OAuth [2].
To use OAuth access tokens with Cisco Spark, you need to follow these steps [2]:
1. Register your application or service to Cisco Spark as an integration. You will receive a client ID and a client secret, which are used to identify your application or service to Cisco Spark.
2. Redirect the user to the Cisco Spark authorization URL, where the user can log in with their Cisco Spark credentials and grant permissions to your application or service. The permissions are defined by the scopes that you specify in the authorization URL. For example, if you want to access the user’s messages and rooms, you need to request the spark:messages_read and spark:rooms_read scopes.
3. Receive an authorization code from Cisco Spark, which is sent to the redirect URI that you specify in the authorization URL. The redirect URI must match the one that you registered with Cisco Spark.
4. Exchange the authorization code for an access token and a refresh token from Cisco Spark, using your client ID and client secret. The access token is used to access the user’s resources on Cisco Spark, such as messages, rooms, people, etc. The refresh token is used to obtain a new access token when the current one expires.
5. Use the access token to make API requests to Cisco Spark on behalf of the user. You need to include the access token in the Authorization header of your HTTP requests, such as Authorization: Bearer <access_token>.
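The redirect, callback, token exchange and API call described above, sketched as an added example (not code from Cisco or from the original page). The endpoint URLs, client credentials and redirect URI are placeholder assumptions because the page does not give them; the parameter names are the standard OAuth 2.0 ones from RFC 6749, and the requests are built but not sent.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders: the page gives no endpoint URLs, credentials or redirect URI.
AUTHORIZE_URL = "https://spark.example/authorize"
TOKEN_URL = "https://spark.example/access_token"
CLIENT_ID = "constructed-client-id"          # issued at registration (step 1)
CLIENT_SECRET = "constructed-client-secret"  # keep server-side only
REDIRECT_URI = "https://app.example/callback"
SCOPES = ["spark:messages_read", "spark:rooms_read"]  # scopes named on the page

def build_authorization_url():
    """Step 2: URL the user is sent to, plus the state to store in their session."""
    state = secrets.token_urlsafe(16)  # unguessable value that binds the callback to this user
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state

def parse_callback(callback_url, expected_state):
    """Step 3: return the authorization code only if the user consented and state matches."""
    parsed = urlparse(callback_url)
    params = parse_qs(parsed.query)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived on an unregistered redirect URI")
    if "error" in params:  # e.g. access_denied when the user refuses the scopes
        raise PermissionError(params["error"][0])
    if not hmac.compare_digest(params.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]

def token_request(code):
    """Step 4: endpoint and form body for the code-to-token exchange."""
    return TOKEN_URL, {"grant_type": "authorization_code", "code": code,
                       "redirect_uri": REDIRECT_URI,
                       "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}

def bearer_header(access_token):
    """Step 5: header attached to every API request made on the user's behalf."""
    return {"Authorization": f"Bearer {access_token}"}
```

No token can be requested until `parse_callback` returns a code, which only happens after the authenticated user grants the requested scopes.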
Therefore, the two options that are requirements to use OAuth access tokens with Cisco Spark are:
C. Applications can only request the access token when the authenticated user grants permissions to this service. This is true because the user needs to authorize the application or service to access their resources on Cisco Spark, by logging in and consenting to the scopes that the application or service requests.
E. Services can request the access token only when the authenticated user grants permissions to this service. This is also true because the service needs to obtain the user’s consent to access their resources on Cisco Spark, by redirecting the user to the Cisco Spark authorization URL and receiving an authorization code.
The other options are not requirements to use OAuth access tokens with Cisco Spark, because:
A. Tokens must request access to servers before applications register to Cisco Spark. This is false because tokens are not entities that can request access to servers. Tokens are strings that represent the permissions that the user grants to the applications or services. Applications or services need to register to Cisco Spark before they can request tokens, not the other way around.
B. Servers must register to Cisco Spark as an application to request access tokens. This is false because servers are not the same as applications. Servers are physical or virtual machines that host applications or services. Applications or services are software programs that interact with Cisco Spark. Servers do not need to register to Cisco Spark, but applications or services do.
D. Applications must register to Cisco Spark as a server to request access tokens. This is also false because applications are not the same as servers. Applications are software programs that interact with Cisco Spark. Servers are physical or virtual machines that host applications or services. Applications do not need to register to Cisco Spark as servers, but as integrations.
References: [1] OAuth 2.0; [2] Cisco Spark for Developers - Authentication