Listing events on my website without having my users logged into Blackbaud

Hi! I'm trying to list the events managed from my Blackbaud account on my website, but the endpoint to do so requires me to use two different types of authorization, OAuth authorization being one of them. The problem is I don't want to require my users to have Blackbaud accounts, so I could not ask for their access token. The way I see it, the only possibility I have is to store an access token from my account on my server and use that to make the requests to the SKY API whenever my users go into my website. I would have to implement some logic to refresh the token automatically every time it expires. I understand this is probably not the intended way of using the SKY API services, but I don't see any other way of achieving what I want.

Is this correct? Is there any other way I can implement this? Is there any other product or service I can use from Blackbaud to resolve this issue?

Thank you in advance for your support.

Comments

  • Chris Rodgers (Blackbaud Employee)

    Hi Clodagh,

    You're right that this isn't typical SKY API usage, but we do occasionally see integrations that need to achieve something like this--where the SKY Application is used to provide information to an audience who doesn't have permission to a Blackbaud environment (and shouldn't) and may not have a Blackbaud account at all. (University Alumni pages come to mind.)

    The approach you're describing here is pretty on-point for how these integrations work. Your SKY Application will need to be authorized by a Blackbaud account who has access to this Event data. This account doesn't necessarily need to be your own. Depending on your account's level of access, you may want to create a separate "service account" with a minimum set of permissions strictly for this purpose (in this case, that might mean that the account only has read-only access to Event data).

    Depending on the sensitivity of the data you're showing, your website will need to control whether the user of the site should be able to see that Event data. But ultimately, the SKY API requests will be made on behalf of that service account (or yours if you choose). Like you said, your application will need to perform its refresh token exchanges in order to maintain a valid access token. Because these tokens aren't associated with the user of the web page, SKY API requests should be made server-side to ensure the user can't sniff out the access tokens client-side.

    I know this was mostly confirming your suspicions, but I hope it helped a bit!
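
The pattern described in the reply above, as an added sketch that is not part of the original thread and not Blackbaud code: the server holds the service account's tokens, refreshes them shortly before expiry, and passes only allow-listed event fields on to the page. The `exchange` and `fetch_events` hooks, the field names, and the token values are assumptions standing in for the real token exchange and events request; a deployment would also persist the latest refresh token in a secret store.

```python
import threading
import time

class ServiceAccountToken:
    """Keeps the service account's tokens server-side; refreshes near expiry."""
    def __init__(self, refresh_token, exchange, clock=time.time, skew=60):
        self._refresh_token = refresh_token
        self._exchange = exchange   # hypothetical hook: refresh_token -> token response dict
        self._clock = clock
        self._skew = skew           # refresh this many seconds before expiry
        self._access_token = None
        self._expires_at = 0.0
        self._lock = threading.Lock()

    def access_token(self):
        with self._lock:            # one refresh at a time across request threads
            if self._access_token is None or self._clock() >= self._expires_at - self._skew:
                resp = self._exchange(self._refresh_token)
                self._access_token = resp["access_token"]
                self._expires_at = self._clock() + int(resp["expires_in"])
                # Keep a rotated refresh token if the response carries one.
                self._refresh_token = resp.get("refresh_token", self._refresh_token)
            return self._access_token

PUBLIC_FIELDS = ("name", "start_date")  # constructed field names for this demo

def public_events(token_store, fetch_events):
    """Return only allow-listed event fields; the token never reaches the caller."""
    events = fetch_events(token_store.access_token())
    return [{k: e[k] for k in PUBLIC_FIELDS if k in e} for e in events]

def demo():
    now, calls = [1000.0], []
    def fake_exchange(refresh_token):   # stands in for the OAuth token endpoint
        calls.append(refresh_token)
        n = len(calls)
        return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}", "expires_in": 3600}
    def fake_fetch(access_token):       # stands in for the authorized events request
        return [{"name": "Gala", "start_date": "2030-01-01", "internal_notes": "staff only"}]
    store = ServiceAccountToken("rt-0", fake_exchange, clock=lambda: now[0])
    first = public_events(store, fake_fetch)
    public_events(store, fake_fetch)    # token still valid: no second exchange
    now[0] += 3600                      # constructed clock jump past expiry
    public_events(store, fake_fetch)
    return first, calls
```
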
