In order to communicate with a web service that uses OAuth authentication, one may use the following procedure. Note that this covers only server-to-server communication using a service account; it is not for making calls on behalf of a client, so scopes and claims are typically not relevant in this context.
Authentication happens in two steps:
- Getting a token
- Making calls with that token
Before any communication with a server may take place, a token must be retrieved. This is done by calling the /api/v1/token endpoint (or whatever the token endpoint is). For service account credentials, this means posting a form-encoded body like the following:
POST /api/v1/token HTTP/1.1
Accept: application/json
Accept-Charset: UTF-8
Content-Type: application/x-www-form-urlencoded
Host: localhost:4500
grant_type=client_credentials&client_id=<your_client_id_here>&client_secret=<your_client_secret_here>
This will, if successful, return a response code of 200 and an object containing the token. Note: the token will eventually expire (after expires_in seconds), and a new token will then need to be generated.
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
"access_token":"C0ibyjbbGL2iagW8mZyBDg7HSrb4......",
"token_type":"bearer",
"expires_in":1209599,
".issued":"Wed, 14 Sep 2016 07:19:14 GMT",
".expires":"Wed, 28 Sep 2016 07:19:14 GMT"
}
Now one may make any call to the API by including the token in the request's Authorization header, like so:
POST /api/v1/auth/register HTTP/1.1
Authorization: Bearer C0ibyjbbGL2iagW8mZyBD.....
Accept: application/json
Accept-Charset: UTF-8
Content-Type: application/json
{...}
And if it works, you'll get a response.
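The two steps above (obtaining the token with the client_credentials grant, then sending it as a Bearer token) as an added Python example, not code from the original page. It assumes the page's host and token path (TOKEN_URL is an assumption, with https chosen because a client secret and bearer token travel in the clear otherwise), and SAMPLE_RESPONSE is a constructed body shaped like the page's token response so the parsing and expiry logic can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://localhost:4500/api/v1/token"  # assumed; the page's example host/path
FORM = "application/x-www-form-urlencoded"

# Constructed sample body, shaped like the page's token response.
SAMPLE_RESPONSE = '{"access_token":"C0ibyjbbGL2iagW8mZyBDg7HSrb4......",' \
                  '"token_type":"bearer","expires_in":1209599}'


def build_token_request(client_id, client_secret):
    """Form-encoded body for the client_credentials grant (step 1 of the page)."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("utf-8")


class TokenCache:
    """Keeps one bearer token and reports when it must be renewed."""
    def __init__(self, skew=60):
        self.token, self.expires_at, self.skew = None, 0.0, skew

    def store(self, response_body, now=None):
        data = json.loads(response_body)
        if data.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type: %r" % data.get("token_type"))
        self.token = data["access_token"]
        # Compute expiry locally from expires_in; the server's .expires string needs no parsing.
        self.expires_at = (time.time() if now is None else now) + int(data["expires_in"])
        return self.token

    def valid(self, now=None):
        now = time.time() if now is None else now
        # Renew `skew` seconds early so a request never races the expiry.
        return self.token is not None and now < self.expires_at - self.skew

    def auth_header(self):
        """Header for step 2 of the page: every API call carries the token."""
        return {"Authorization": "Bearer " + self.token}


def fetch_token(cache, client_id, client_secret):
    """POST the client_credentials request and cache the returned token."""
    req = urllib.request.Request(TOKEN_URL, method="POST",
                                 data=build_token_request(client_id, client_secret),
                                 headers={"Content-Type": FORM, "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on non-2xx
        return cache.store(resp.read().decode("utf-8"))
```

Before each API call, check `cache.valid()` and call `fetch_token` again when it returns False, rather than waiting for the server to reject the expired token.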