Using Authorization Code
In the Authorization Code grant type, the user authenticates with the resource server and gives the app consent to access protected resources without exposing the username/password to the client app.
The authorization request is sent to the authorization endpoint to obtain an authorization code.
Step 1: Configure the OAuth Authorization End Point policy, provide the following parameter values in Postman and click the Send button to get the authorization code:
- Method: GET.
- URL: Project proxy URL.
- Query Parameters:
  - response_type: Must be set to code.
  - client_id: The client identifier assigned by the authorization server when the client was registered (displayed as "Consumer Key" for the corresponding product subscribed by the client).
  - redirect_uri: The redirect URI registered by the client.
URI: To get the oauth_code
Sample
http://localhost:2160/http/1.0?response_type=code&redirect_uri=http://localhost:1981&client_id=Qvf-wSSLmGfjULQrbMCmRcab
Response: Response to the URI above:
Sample
http://localhost:1981/?code=683e6437e46164f74a179e30ffb98b89
Step 2: Configure the OAuth Token End Point policy, provide the following parameter values in Postman and click the Send button to get the access token:
- Method: POST.
- URL: Project proxy URL.
- Query Parameters:
  - client_id: The client identifier assigned by the authorization server when the client was registered (displayed as "Consumer Key" for the corresponding product subscribed by the client).
  - client_secret: The client's password with which it was registered (displayed as "customer-secret" for the corresponding product subscribed by the client).
  - grant_type: Must be set to authorization_code.
  - code: The authorization code received from the authorization server at the end of Step 1.
  - redirect_uri: The redirect URI registered by the client. This value must be identical to the redirect_uri query parameter sent to the authorization server to obtain the authorization code in Step 1.
  - scope: The scope requested for the token. This parameter is OPTIONAL; refer to the Obtaining Access Token with Scope section for details on scope.
URI: To get the oauth access-token
Sample request
curl -X POST http://192.168.2.231:2160/tokenEnd/1.0 \
  -H 'accept: application/json' \
  -H 'cache-control: no-cache' \
  -H 'client_id: Qvf-wSSLmGfjULQrbMCmRcab' \
  -H 'client_secret: FgbhZtuILPDBrHvBujaMQwmyrRieTisdnh' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'grant_type: authorization_code' \
  -d 'code=683e6437e46164f74a179e30ffb98b89&redirect_uri=http://localhost:1981'
Sample URL generated by Postman using the above-mentioned parameter values
http://192.168.2.231:2160/tokenEnd/1.0?redirect_uri=http://localhost:1981&code=683e6437e46164f74a179e30ffb98b89&client_id=Qvf-wSSLmGfjULQrbMCmRcab&client_secret=bxgxUUifvUYFBHnRqMFYtOQqOgkcOkjgTkMH&grant_type=authorization_code
Response: The response to the request above contains an access token, the time for which the token is valid, and a refresh token. When a valid request is sent, the response will be as below.
After receiving the access token, refer to the Accessing protected resources using Access Token section to see how to access protected resources.
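The two steps above as a small Python client, added here as an example rather than code shipped with the gateway. It assumes the sample endpoint paths, redirect URI and credentials shown on this page; the check that the code arrives on the registered redirect_uri, and that the same redirect_uri is repeated in Step 2, are the details most often got wrong.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request, urlopen
import json

# Endpoints and credentials are the constructed sample values from this page.
AUTH_ENDPOINT = "http://localhost:2160/http/1.0"           # Authorization End Point proxy
TOKEN_ENDPOINT = "http://192.168.2.231:2160/tokenEnd/1.0"  # Token End Point proxy
REDIRECT_URI = "http://localhost:1981"                     # redirect URI registered by the client
CLIENT_ID = "Qvf-wSSLmGfjULQrbMCmRcab"                     # "Consumer Key" of the subscribed product
CLIENT_SECRET = "FgbhZtuILPDBrHvBujaMQwmyrRieTisdnh"       # "customer-secret" of the subscribed product

def build_authorization_url() -> str:
    """Step 1: the GET the user agent sends to obtain an authorization code."""
    query = {"response_type": "code", "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}
    return f"{AUTH_ENDPOINT}?{urlencode(query)}"

def extract_code(redirect_url: str) -> str:
    """Read the code from the redirect, accepting it only on the registered redirect_uri."""
    got, want = urlsplit(redirect_url), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        raise ValueError(f"code delivered to unexpected location: {got.netloc}")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("redirect did not carry exactly one authorization code")
    return codes[0]

def build_token_request(code: str, scope: str = "") -> Request:
    """Step 2: the POST that exchanges the code for an access token.

    Mirrors the curl sample: client_id, client_secret and grant_type go in headers,
    code and redirect_uri in the form body; redirect_uri must equal the Step 1 value.
    """
    body = {"code": code, "redirect_uri": REDIRECT_URI}
    if scope:
        body["scope"] = scope  # optional; see "Obtaining Access Token with Scope"
    headers = {
        "accept": "application/json",
        "cache-control": "no-cache",
        "content-type": "application/x-www-form-urlencoded",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code",
    }
    return Request(TOKEN_ENDPOINT, data=urlencode(body).encode(), headers=headers, method="POST")

def exchange_code(redirect_url: str) -> dict:
    """Send Step 2 to the gateway; returns the access/refresh token JSON (needs network)."""
    with urlopen(build_token_request(extract_code(redirect_url))) as resp:
        return json.loads(resp.read())
```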