
Using Authorization Code

In the Authorization Code grant type, the user authenticates with the resource server and gives the app consent to access protected resources without exposing their username and password to the client app.

The authorization request is sent to the authorization endpoint to obtain an authorization code.

Step 1: Configure the OAuth Authorization End Point policy, provide the following parameter values in Postman and click the Send button to get the authorization code:

  • Method: GET.
  • URL: Project proxy URL.
  • Query Parameters:
    • response_type: Must be set to code.
    • client_id: The client identifier as assigned by the authorization server, when the client was registered (displayed as "Consumer Key" for the corresponding product subscribed by the client).
    • redirect_uri: The redirect URI registered by the client.
    • scope: The possible scope or list of permissions that are requested. This parameter is OPTIONAL. Example: READ,WRITE etc. This list must be a subset of the scopes provided in the client subscription.

  • URI: To get the oauth_code

    Sample request

    curl -X GET 'http://192.168.2.134:1860/oep/1.0/?client_id=DLdZUFebTORPSCvOEskbqnIm&redirect_uri=http://localhost:1981&response_type=code' -H 'Cache-Control: no-cache' -H 'Content-Type: application/x-www-form-urlencoded'
  • Response: The authorization server redirects to the registered redirect URI with the authorization code appended as the code query parameter.

    Sample

    http://localhost:1981/?code=683e6437e46164f74a179e30ffb98b89

Step 2: Configure the OAuth Token End Point policy, provide the following parameter values in Postman and click the Send button to get the access token:

  • Method: POST.
  • URL: Project proxy URL.
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
  • Query Parameters:
    • client_id: The client identifier as assigned by the authorization server, when the client was registered (displayed as "Consumer Key" for the corresponding product subscribed by the client).
    • client_secret: The client's password with which it got registered (displayed as "customer-secret" for the corresponding product subscribed by the client).
    • grant_type: Must be set to authorization_code.
    • code: The authorization code received from the authorization server at the end of Step 1.
    • redirect_uri: The redirect URI registered by the client. This value must be identical to the redirect_uri query parameter sent in Step 1 to obtain the authorization code.
    • scope: The possible scope or list of permissions that are requested. This parameter is OPTIONAL. Example: READ,WRITE etc. This list must be a subset of the scopes provided both in Step 1 for obtaining the code and in the client subscription. Refer to the Obtaining Access Token with Scope section to know how to use this option.

  • URI: To get the oauth access-token

Sample request

curl -X POST  'http://192.168.2.134:1860/otep/1.0/?client_id=NIalMNYstGXiwTLDiZmBOmdX&redirect_uri=http://www.fiorano.com&grant_type=authorization_code&client_secret=MbLAdemKrlYhQWk--vDZWuijdOZlIVFxUGul&code=16ffdaa8c7ca62b132ae06f41c4fb86f' -H 'Content-Type: application/x-www-form-urlencoded'  -H 'cache-control: no-cache'

Sample URL generated by Postman using the above-mentioned parameter values

http://192.168.2.231:2160/tokenEnd/1.0?redirect_uri=http://localhost:1981&code=683e6437e46164f74a179e30ffb98b89&client_id=Qvf-wSSLmGfjULQrbMCmRcab&client_secret=bxgxUUifvUYFBHnRqMFYtOQqOgkcOkjgTkMH&grant_type=authorization_code

  • Response: The response to the URI consists of an access token, the time for which the token is valid, and a refresh token. When a valid request is sent, the response will be as below.
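The two steps above, worked through as a small client-side helper. This is an added example and is not code from the page or from the Fiorano product; it builds the Step 1 GET URL, checks that the redirect carrying the code actually landed on the registered redirect URI (and recognises an OAuth error response instead of a code), enforces the "subset of the subscribed scopes" rule the page states, and assembles the Step 2 POST. The endpoint addresses, client_id and code values are copied from the page's samples; that they are reachable from where you run this is an assumption. The in_body option goes beyond the page's Postman procedure: it places the Step 2 parameters in the form body, as RFC 6749 section 4.1.3 describes, which keeps client_secret and code out of URL-based proxy and access logs.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoints and client values taken from the page's samples; whether they are
# reachable from your network is an assumption of this example.
AUTHORIZE_URL = "http://192.168.2.134:1860/oep/1.0/"
TOKEN_URL = "http://192.168.2.134:1860/otep/1.0/"
REGISTERED_REDIRECT = "http://localhost:1981"


def check_scope_subset(requested, subscribed):
    """Reject a scope list that is not a subset of the client's subscription."""
    extra = sorted(set(requested) - set(subscribed))
    if extra:
        raise ValueError(f"scopes not in the client subscription: {extra}")
    return True


def build_authorization_url(client_id, redirect_uri, scopes=None, subscribed=None,
                            base=AUTHORIZE_URL):
    """Step 1: the GET request sent to the OAuth Authorization End Point."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri}
    if scopes:
        check_scope_subset(scopes, subscribed or [])
        params["scope"] = ",".join(scopes)   # the page uses a comma-separated list
    return base + "?" + urlencode(params)


def extract_code(redirect_url, registered_redirect=REGISTERED_REDIRECT):
    """Pull the authorization code out of the redirect the server sends back.

    The code is only accepted when the browser actually landed on the
    registered redirect URI; a code parameter on any other URL is rejected.
    """
    got, want = urlsplit(redirect_url), urlsplit(registered_redirect)
    if (got.scheme, got.netloc, got.path.rstrip("/")) != \
            (want.scheme, want.netloc, want.path.rstrip("/")):
        raise ValueError(f"redirect landed on {got.netloc}{got.path}, "
                         f"not the registered {registered_redirect}")
    query = parse_qs(got.query)
    if "error" in query:                     # RFC 6749 error response, no code
        raise RuntimeError("authorization server returned error: "
                           + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def build_token_request(client_id, client_secret, code, redirect_uri,
                        scopes=None, in_body=False, base=TOKEN_URL):
    """Step 2: the POST request sent to the OAuth Token End Point.

    in_body=False reproduces the page's Postman procedure (all parameters in
    the query string). in_body=True puts them in the form body instead, as
    RFC 6749 section 4.1.3 describes, so client_secret and code do not show
    up in proxy or access logs that record full request URLs.
    """
    params = {"grant_type": "authorization_code", "client_id": client_id,
              "client_secret": client_secret, "code": code,
              "redirect_uri": redirect_uri}
    if scopes:
        params["scope"] = ",".join(scopes)
    encoded = urlencode(params)
    request = {"method": "POST",
               "headers": {"Content-Type": "application/x-www-form-urlencoded"}}
    if in_body:
        request["url"], request["body"] = base, encoded
    else:
        request["url"], request["body"] = base + "?" + encoded, ""
    return request


if __name__ == "__main__":
    # Walk both steps with the page's sample values (constructed input,
    # "<client-secret>" is a placeholder for the real Consumer Secret).
    url = build_authorization_url("DLdZUFebTORPSCvOEskbqnIm", REGISTERED_REDIRECT)
    print("Step 1 GET:", url)
    code = extract_code("http://localhost:1981/?code=683e6437e46164f74a179e30ffb98b89")
    req = build_token_request("DLdZUFebTORPSCvOEskbqnIm", "<client-secret>", code,
                              REGISTERED_REDIRECT, in_body=True)
    print("Step 2", req["method"], req["url"], "body:", req["body"])
```

The redirect check in extract_code is the part worth keeping in any real client: the code is only trusted when it arrives on the URI you registered, and an error response is surfaced as such rather than being mistaken for a missing code.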

After receiving the access token, refer to the Accessing protected resources using Access Token section to see how to access protected resources.
