Authentication and Authorization

A token is required to integrate with LINE WORKS, for example when using its APIs.

  • Access token
    • A token required to use the LINE WORKS APIs
  • ID token
    • A token required to securely access the information of authenticated members.

Get an access token {#access-token}

An access token is required to use the LINE WORKS APIs. Get an access token as described below to make an API call.

For how to make an API call, see API Call.

What is an access token {#about-access-token}

An access token is credential information required to access the information of teams, members, calendars, and bots. It is compliant with OAuth 2.0.

You can get an access token from the authentication server of LINE WORKS. Under the authentication process, permission to access a member's resources is temporarily delegated to the access token. With the access token, the user can use the API to securely access the resources.

Access scope {#scope}

The access scope of an access token is determined by the following two factors:

  1. Authority of the member who gets the access token
  2. Specified scope

The access scope is based on the authority of the member who gets the access token. In addition, the specified scope determines which APIs can be accessed with the access token.

For more information, see OAuth Scopes.

For the scope required to call each API, see the description of each API operation.

How to get an access token {#how-to-issue-access-token}

You can get an access token in two ways:

| | Authentication with a user account | Authentication with a service account (JWT) |
| --- | --- | --- |
| Overview | Get an access token after authentication with a user account. | Get an access token after authentication with a virtual administrator account (service account). |
| Purpose | To integrate the APIs with your mobile app or web app. | For bots or the batch processing system to use the APIs. |
| Authentication method | OAuth 2.0 (Authorization Code Grant), OpenID Connect (OIDC) | JWT-based method that extends OAuth 2.0 |
| Access scope | The authority of the authenticated member is delegated to the access token. The access scope is determined by the OAuth scope. | The administrator authority is delegated to the access token. The access scope is determined by the OAuth scope. |
| How to get an access token | Log in with a user account (ID and password) on the login page and request an authorization code. | Create a JWT from the service account information and request permission. |

For more information, see the pages of each authentication method.

How to get an ID token {#id-token}

An ID token is used to get the information of a logged-in member. An ID token comes with the validation defined in OpenID Connect Core 1.0 (hereinafter, OIDC).

Difference from getting member information using the User API {#about-get-user-profile}

The User API also gets member information, but an ID token goes through a separate validation process, which makes it a comparatively safe way to get member information.

How to use an ID token {#how-to-use-id-token}

You can get and validate an ID token based on OIDC.

Caution

  • Getting an ID token requires authentication with a user account; it cannot be done using a service account. For more information, see How to Use an ID Token.

Manage and set up client credentials {#manage-client-authentication-information}

You can manage and set up client credentials and access scopes required to get an ID token in the client app.

Client app {#about-app}

A client app is the unit that manages two kinds of information: the information required to issue a token when you manipulate resources such as teams, members, calendars, and bots, and the information required to use the APIs, such as a service account dedicated to the app.

The client app manages the following types of information.

■ Basic information {#app-basic-information}

The basic information of the client app.

| Field | Description |
| --- | --- |
| App name | App name specified when an app is added. You can change the app name. |
| App description | You can add a description about the app. |

■ Client credentials and access scope {#client-setting}

Information required for both authentication with a user account and authentication with a service account.

| Field | Description |
| --- | --- |
| Client ID | An ID that identifies the app. It is automatically created when an app is added and cannot be changed. |
| Client Secret | Confidential information used with the client ID. It is automatically issued when an app is added and cannot be changed. |
| OAuth Scopes | Access permission scope of the app. For more information, see OAuth Scopes. |
| Token settings | Token behavior of the app. You can choose the validity period of the access token and the token renewal action. |
| App access permission | Permission to access the app. You can specify members who can update and delete the app. |

■ Authentication with a user account {#user-account-auth-setting}

Information required for authentication with a user account.

| Field | Description |
| --- | --- |
| Redirect URL | When user authentication succeeds, an authorization code is sent to the specified redirect URL. An authorization code is issued if the redirect_uri parameter in the request information is identical to the redirect URL of the client app. It must be an HTTPS URL. A subdomain must be specified (e.g. https://sub.domain). You can add up to 100 URLs. |
| OIDC Logout Redirection - Redirect URL | You can specify this field only when openid is selected for OAuth Scopes. It is the URL to redirect to after logout, based on the RP-Initiated Logout of OIDC. It must be an HTTPS URL. A subdomain must be specified (e.g. https://sub.domain). You can add up to 100 URLs. |
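
The redirect URL rules above, as an added example that is not LINE WORKS code: a registration check plus the identical-match test applied to redirect_uri. The function names, the sample URLs, and the reading of "a subdomain must be specified" as "the host has at least two dot-separated labels" are assumptions.

```python
from urllib.parse import urlsplit

MAX_REDIRECT_URLS = 100  # limit stated on the page


def registration_errors(url):
    """Return the rules a redirect URL breaks; an empty list means it passes."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return ["not a parseable URL"]
    errors = []
    if parts.scheme != "https":
        errors.append("must be an HTTPS URL")
    # Assumption: "a subdomain must be specified" is read as "the host has at
    # least two non-empty labels", as in the page's example https://sub.domain.
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        errors.append("host must include a subdomain")
    return errors


def build_allowlist(urls):
    """Validate a client app's redirect URLs and return them as a frozen set."""
    if len(urls) > MAX_REDIRECT_URLS:
        raise ValueError("more than 100 redirect URLs")
    for url in urls:
        errors = registration_errors(url)
        if errors:
            raise ValueError(f"{url}: {'; '.join(errors)}")
    return frozenset(urls)


def redirect_uri_allowed(redirect_uri, allowlist):
    """Identical means exact string equality: no prefix match, no normalisation."""
    return redirect_uri in allowlist


# Constructed sample data, not values from a real client app.
REGISTERED = build_allowlist(["https://app.example.com/oauth/callback"])
CANDIDATES = [
    "https://app.example.com/oauth/callback",      # identical to the registered URL
    "https://app.example.com/oauth/callback/",     # trailing slash differs
    "https://app.example.com/oauth/callback?x=1",  # extra query string differs
    "http://app.example.com/oauth/callback",       # scheme differs
]

if __name__ == "__main__":
    for uri in CANDIDATES:
        print(uri, "->", redirect_uri_allowed(uri, REGISTERED))
```

Only the first candidate passes; comparing the whole string rather than a prefix or a parsed host is what keeps an authorization code from being delivered to a look-alike URL.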

■ Authentication with a service account {#service-account-auth-setting}

Information required for authentication with a service account.

| Field | Description |
| --- | --- |
| Service Account | Virtual administrator account. One service account can be issued for one client app and can be deleted if no longer needed. |
| Private Key | A private key used with the service account. It can be reissued, and if so, the previous key is no longer valid. |