Getting an OAuth Token
An OAuth token is required for every REST API method (except when anonymous access is used). A token is obtained with a POST request to the address:
http://localhost:8080/app/rest/v2/oauth/token
Access to this endpoint is protected with basic authentication. The REST API client identifier and secret are used for it; note that these are not an application user's login and password. The REST API client id and secret are defined by the application properties cuba.rest.client.id and cuba.rest.client.secret (the default values are client and secret). Pass the client id and secret, separated by a single colon (":") character and base64-encoded, in the Authorization header. The header used in the examples below, Basic Y2xpZW50OnNlY3JldA==, decodes to client:secret, i.e. the defaults; change them in any real deployment.
The request content type must be application/x-www-form-urlencoded, with UTF-8 encoding.
The request must contain the following parameters:
- grant_type - password.
- username - application user login.
- password - application user password.
POST /oauth/token
Authorization: Basic Y2xpZW50OnNlY3JldA==
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=smith&password=qwerty123
You can also use cURL:
curl -H "Content-type: application/x-www-form-urlencoded" -H "Authorization: Basic Y2xpZW50OnNlY3JldA==" -d "grant_type=password&username=admin&password=admin" http://localhost:8080/app/rest/v2/oauth/token
The method returns a JSON object:
{
"access_token": "29bc6b45-83cd-4050-8c7a-2a8a60adf251",
"token_type": "bearer",
"refresh_token": "e765446f-d49e-4634-a6d3-2d0583a0e7ea",
"expires_in": 43198,
"scope": "rest-api"
}
The access token value is in the access_token property.
To use the access token, put it in the Authorization header with the Bearer type, for example:
Authorization: Bearer 29bc6b45-83cd-4050-8c7a-2a8a60adf251
The refresh_token property contains the refresh token value. A refresh token cannot be used to access protected resources, but it has a longer lifetime than an access token and can be used to obtain a new access token when the current one has expired.
The request for obtaining a new access token with the refresh token must contain the following parameters:
- grant_type - refresh_token.
- refresh_token - the refresh token value.
POST /oauth/token
Authorization: Basic Y2xpZW50OnNlY3JldA==
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=e765446f-d49e-4634-a6d3-2d0583a0e7ea
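The password grant, the Bearer header and the refresh grant described above, put together as a small client. This is an added example, not code from the CUBA Platform project: the class name CubaTokenClient, the injectable transport and clock, and the REFRESH_MARGIN value are my own choices, and the token values used when running it offline are the ones quoted on this page. By default it posts to a real server with urllib; the base URL and credentials in the `__main__` block are the localhost ones from the cURL example.

```python
"""
Added example (not part of the CUBA docs): a client for /app/rest/v2/oauth/token.
It builds the Basic header from cuba.rest.client.id / cuba.rest.client.secret,
logs in with grant_type=password, refreshes with grant_type=refresh_token before
expires_in runs out, and produces the Bearer header for protected REST calls.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
import warnings


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Basic credentials: base64 of '<id>:<secret>' (UTF-8), as the endpoint expects."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_form(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body (UTF-8) into a dict."""
    return dict(urllib.parse.parse_qsl(body.decode("utf-8"), keep_blank_values=True))


def urllib_transport(url: str, headers: dict, body: bytes) -> dict:
    """Default transport: POST the form body and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class CubaTokenClient:
    # Hypothetical safety margin (seconds): refresh a little before expires_in elapses
    # so an in-flight request does not race the expiry.
    REFRESH_MARGIN = 60

    def __init__(self, base_url, client_id, client_secret,
                 transport=urllib_transport, clock=time.time):
        if not base_url.lower().startswith("https://"):
            # The docs use http://localhost:8080 for a local run; over a real network the
            # user password, client secret and bearer token would all travel in clear text.
            warnings.warn("token endpoint is not HTTPS; credentials are sent unencrypted")
        self.token_url = base_url.rstrip("/") + "/app/rest/v2/oauth/token"
        self._auth = basic_auth_header(client_id, client_secret)
        self._transport = transport
        self._clock = clock
        self.access_token = None
        self.refresh_token = None
        self._expires_at = 0.0

    def _post_form(self, params: dict) -> dict:
        headers = {
            "Authorization": self._auth,  # REST client id:secret, NOT the user's login
            "Content-Type": "application/x-www-form-urlencoded",
        }
        body = urllib.parse.urlencode(params).encode("utf-8")
        reply = self._transport(self.token_url, headers, body)
        if "access_token" not in reply:
            raise RuntimeError(f"token endpoint returned no access_token: {reply}")
        self.access_token = reply["access_token"]
        # A refresh reply may omit refresh_token; keep the one we already hold then.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        self._expires_at = self._clock() + int(reply.get("expires_in", 0))
        return reply

    def login(self, username: str, password: str) -> dict:
        """grant_type=password: exchange an application user's login for tokens."""
        return self._post_form({"grant_type": "password",
                                "username": username, "password": password})

    def refresh(self) -> dict:
        """grant_type=refresh_token: get a fresh access token without the password."""
        if not self.refresh_token:
            raise RuntimeError("no refresh token held; call login() first")
        return self._post_form({"grant_type": "refresh_token",
                                "refresh_token": self.refresh_token})

    def needs_refresh(self) -> bool:
        return (self.access_token is None
                or self._clock() >= self._expires_at - self.REFRESH_MARGIN)

    def bearer_header(self) -> dict:
        """Authorization header for protected REST methods; refreshes first if stale."""
        if self.needs_refresh():
            self.refresh()
        return {"Authorization": f"Bearer {self.access_token}"}


if __name__ == "__main__":
    # Same target and credentials as the cURL example on this page (local dev server).
    client = CubaTokenClient("http://localhost:8080", "client", "secret")
    print(client.login("admin", "admin"))
    print(client.bearer_header())
```

The transport takes the exact URL, header dict and encoded body, so the same class can be driven by an offline fake that checks what was sent; the clock is injectable for the same reason. Treat the access and refresh tokens the way you would a password: they are bearer credentials, and whoever holds them is the user.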
See also the following application properties related to tokens: