
Drive and Photo Service: Application Access Details

Last Updated: Dec 19, 2024

Note

This document describes how to create an application.

Application

An application, referred to as a client in the OAuth2.0 system, can be understood as a tool for operating resources.

By form, applications are divided into the following types:

  • Web server-side application (with server-side)

  • Web browser-side application (pure frontend)

  • Desktop and mobile

  • JWT application

Comparison of application forms

| Application Type | Description | Requires user authorization (supports OAuth2.0 authorization) | Scenarios |
|---|---|---|---|
| Web Server-side Application | Web page + backend service | Yes | Besides calling PDS API, other business logic requires backend service support |
| Web Browser Application | Web page | Yes | Only need to call PDS API to meet the requirements |
| Native Application | Desktop and mobile | Yes | Desktop client, mobile client, etc. |
| JWT Application | Server-side | No | When your application calls PDS, user intervention is not required, such as backend services, background processes, command line, or other custom logon methods. The request represents the application, not the end user. |

PDS applications are divided into official applications and self-built applications.

  • Official application: An application provided officially. All domains are authorized to access its resources, and it can be used directly.

  • Self-built application: Users can create applications suitable for different scenarios according to their needs.


About OAuth2.0

PDS API uses the OAuth2.0 protocol for authentication and authorization, supporting general OAuth2.0 schemes such as web service applications and client applications.

First, configure the logon method in the PDS console. For more information, see the referenced document. Then, create the corresponding application to obtain credentials (such as AppId and AppSecret). Your client application requests an access token from the PDS authorization server, extracts the token from the response, and then sends the token to the PDS API you want to access. If necessary, refresh the access token.

Comparison of OAuth2.0 Flow Differences for Different Types of Applications

| Application Type | Application Description | responseType value when requesting authorization | Requires app_secret | Can refresh token |
|---|---|---|---|---|
| Web Server-side Application | Web application with backend service. | code | Required. Secret is placed in the server-side configuration | Yes |
| Native Application | Desktop client, mobile application. | code | Not required. Secret is insecure on the client side | Can refresh token through the server-side |
| Web Browser Application | Pure JavaScript frontend application, single-page application (SPA), widget, etc. | access_token | Not required. Secret is insecure on the client side | Cannot refresh token |

When creating an application, choose the application type according to the specific scenario.
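The following Python sketch is an added example, not code from the PDS documentation. It encodes the response type and secret rules from the table above, builds the authorization request, checks the callback, and prepares the code exchange so that an AppSecret can only ever leave a web server-side application. The endpoint URL is a placeholder, the function names are hypothetical, and the query parameter names (including `state`) are the standard RFC 6749 ones, assumed here rather than taken from this page.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder: this page does not give the real PDS authorization endpoint.
AUTHORIZE_URL = "https://pds.example.invalid/oauth/authorize"

# Rules copied from the flow comparison table: response type and secret use.
APP_TYPES = {
    "web_server": {"response_type": "code", "uses_secret": True},
    "native": {"response_type": "code", "uses_secret": False},
    "web_browser": {"response_type": "access_token", "uses_secret": False},
}


def build_authorize_url(app_type, app_id, redirect_uri):
    """Return (url, state); keep state in the user's session for the callback."""
    state = secrets.token_urlsafe(24)  # unguessable value that binds the callback
    query = urlencode({  # parameter names follow RFC 6749 (assumed for PDS)
        "client_id": app_id,
        "redirect_uri": redirect_uri,
        "response_type": APP_TYPES[app_type]["response_type"],
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def read_callback(callback_url, expected_state):
    """Return the authorization code, rejecting callbacks this session did not start."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_body(app_type, app_id, code, redirect_uri, app_secret=None):
    """Form fields for the code exchange; only web server apps send the secret."""
    rules = APP_TYPES[app_type]
    if rules["response_type"] != "code":
        raise ValueError("this application type has no code exchange step")
    if bool(app_secret) != rules["uses_secret"]:
        raise ValueError("AppSecret is required for web_server and forbidden otherwise")
    secret = {"client_secret": app_secret} if rules["uses_secret"] else {}
    return {"grant_type": "authorization_code", "client_id": app_id,
            "code": code, "redirect_uri": redirect_uri, **secret}
```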

For different types of applications, the OAuth2.0 access protocol varies. For specific operations, see:

  1. OAuth2.0 Access Flow for Web Server-side Application

  2. OAuth2.0 Access Flow for Mobile and Desktop Applications

  3. OAuth2.0 Access Flow for Web Browser Application

References

If you want to use Alibaba Cloud AccessKey for signature authentication, implement it by calling the AccessKey interface. For specific operations, see AccessKey Interface Access.