OAuth 2.0 support - How to use Client ID / Client Secret with @bandwidth/numbers?

[ansarisufiyan777]

We received an email regarding the OAuth 2.0 migration (from API Users to API Credentials), and we're trying to implement this before the deprecation deadline.

The documentation here states:

"Newer versions of the Bandwidth SDKs handle the OAuth 2.0 Client Credentials flow for you. When initializing the SDK, provide your Client ID and Client Secret, and the SDK will manage token retrieval and refreshing automatically."

However, I cannot find any documentation or examples showing how to actually do this with @bandwidth/numbers. The current SDK (v1.10.0) only exposes userName and password for Basic Auth:

// Current - Basic Auth (working)
bandwidth.Client.globalOptions.userName = 'api_user';
bandwidth.Client.globalOptions.password = 'api_pass';

// Needed - OAuth 2.0 (how?)
bandwidth.Client.globalOptions.clientId = 'CLI-xxx';
bandwidth.Client.globalOptions.clientSecret = 'xxx';

Questions:

1. Does this SDK support OAuth 2.0?
2. If yes, how do we pass Client ID and Client Secret?
3. If not, is there a timeline for support?

We have our OAuth credentials ready and the token endpoint works (https://api.bandwidth.com/api/v1/oauth2/token), but we don't know how to integrate it with the SDK.

Any guidance would be appreciated!

[ckoegel]

Hey! @ansarisufiyan777 Hopefully I can answer your questions.

1. No, as of right now this SDK does not support OAuth 2.
2. Ideally, once it does, you should be able to do something just like what you have in the snippet above, supply your client ID and secret instead of username/password and everything should just work.
3. I've been updating our other non-numbers SDKs in the past couple weeks to support OAuth, and all of those are set to be released later today. Up next are all of the numbers SDKs, and since you've brought this up, we can prioritize node-numbers to have it ready ASAP. I'm unsure of the exact timeline but it should be by the end of December.

I'll reach out on this issue to let you know when we have some progress, let me know if you have any other questions!

[ansarisufiyan777]

Thanks @ckoegel for the quick response! I will keep a watch on the issue for the update. Looking forward to the release by end of December. 🙏

[ckoegel]

I have a PR open for this change, it will be breaking due to my complete redo of the Client class (it was terrible before 💀). The only breaking changes are:

• You can no longer initialize a client by using just Client() (you can still do new Client())
• The option to create a client with only an account id by passing it into the options object is gone. i.e new Client({accountId: "accountId"}); does not work, but new Client("accountId"); does.

OAuth should be supported in both the Client constructor and globalOptions, and OAuth takes priority over basic auth if provided (example below). The clientId and clientSecret will create a new token when the client is first initialized, and the token will refresh in the background every 55 minutes. In addition to that, the client will try to create a new token if any request 401s. You can also provide a bearer token to the SDK directly by passing it into the options object or manually setting it on a client instance. (also shown below)

const client = new Client("accountId", null, null, "clientId", "clientSecret"); // client will use OAuth
const client = new Client("accountId", "user", "pass", "clientId", "clientSecret"); // client will use OAuth

Client.globalOptions.clientId = "clientId";
Client.globalOptions.clientSecret = "clientSecret";
const client = new Client("accountId", "user", "pass"); // client will use OAuth

const client = new Client("accountId", null, null, null, null, {tempAccessToken: "abcd1234"}); // client will use token

const client = new Client("accountId");
client.tempAccessToken = "abcd1234"; // client will use token

I'm looking to release this on Tuesday, December 16th, let me know what you think!

[ansarisufiyan777]

Thanks for the update @ckoegel ! Just a few confirmations before the release:

1. Token management is fully automatic? We just pass clientId and clientSecret via globalOptions, and the SDK handles token generation, refresh (every 55 min), and retry on 401 - correct?

2. No code changes needed for API calls? Methods like Order.createAsync(), AvailableNumbers.listAsync(), etc. continue to work the same way, just with OAuth under the hood?

3. Backwards compatible? If we keep both userName/password AND clientId/clientSecret during transition, OAuth takes priority and Basic Auth is ignored?

Looking forward to the release on Today 🙏