...
Method | Description | Parameter | Example |
|---|
| Authorization Code | An end-user authorizes a specific client for a set of resources. The application can then request the corresponding access token provided by the end-user. | | Column |
|---|
| | scope | list of strings | | code | grant's unlock code | | client_id | client's ID | | redirect_uri | client's URL* |
|
| |
| Client Credentials | Given a client is owner of a set of resources, it can request a corresponding access token itself. | | scope | list of strings | | client_id | client's ID | | client_secret | client's authentication code |
| Request:
http://workflowmgr:8003/oauth/token
?grant_type=client_credentials
&scope=read
&client_id=1234
&client_secret=abcd Response:
{
"access_token": "wCPvIbuZoVp589eIczfmkNI1a8i5Ym",
"token_type": "Bearer",
"version": "1.0.0",
"expires_in": 86400,
"scope": "read"
} |
| Password | Clients are grouped into public and confidential clients. Hereby, a 'confidential' clients is allowed to request an access token in the name of an end-user. | | scope | list of strings | | client_id | client's ID | | username | end-user's name | | password | end-user's password |
| Request:
http://workflowmgr:8003/oauth/token
?grant_type=password
&scope=read
&client_id=1234
&username=TestUser1
&password=1234 Response:
{
"token_type": "Bearer",
"version": "1.0.0",
"access_token": "zOJ5avH29S1gALoT2ogcjdpelR2HSF",
"scope": "read",
"expires_in": 86400,
"refresh_token": "DGdSeoxPJDRFH4ZXzQwCJ6xZDX6F26"
} |
| Refresh Token | Access tokens expire after a certain period. To expand a valid access token a the client can request a new access token one using a refresh token obtained with the old onecorresponding refresh tokent. | | scope | list of strings | | client_id | client's ID | | refresh_token | valid refresh token |
| Request:
http://workflowmgr:8003/oauth/token
?grant_type=refresh_token
&scope=read
&client_id=1234
&refresh_token=DGdSeoxPJDRFH4ZXzQwCJ6xZDX6F26 Response:
{
"token_type": "Bearer",
"version": "1.0.0",
"access_token": "OWLwWDpL2QDWKAHN8qWC7eBwqjKjs9",
"scope": "read",
"expires_in": 86400,
"refresh_token": "IAFzNvlB7bAcU3TUZpdJxxkLEf8Kbv"
} |
...
In some scenarios, e.g. with the grant type "Authorization Code", a client probably would like to verify its received access codetoken. As the RFC6749 for oAuth2 does not define such a scenario we adapted a common implementation, e.g. used by Google and Amazon, which provides a separate URL:
...