Requesting an access token with the API user credentials (resource owner password credentials grant)
Obtaining an access token by presenting the API username and password as the authorization grant also requires the client's own credentials: the consumer-key:consumer-secret string, base64-encoded and sent in an HTTP Basic Authorization header.
Prerequisites
- A valid service account (e.g. nyu123).
- A valid consumer key and consumer secret pair.
Invoking the Token API to generate access tokens
Generate Access Token
- Combine the client ID (consumer key) and client secret (consumer secret) in the format client-id:client-secret and encode the combined string using base64, for example:
$ openssl base64 -in <infile> -out <outfile>
Here <infile> holds the client-id:client-secret string. Make sure the file has no trailing newline: the newline would be encoded as well, and the credentials in the resulting Authorization header would not match.
Here is an example client key and secret combination: wU62DjlyDBnq87GlfwplfqvmAbAa:ksdSdoefDDP7wpaElfqvmjDue
- Access the Token API using a REST client such as Postman or cURL, with the following parameters.
- https://auth.nyu.edu/oauth2/token
- payload (send as the body of an HTTP POST): grant_type=password&username=<username>&password=<password>&scope=openid. Replace the <username> and <password> values with the appropriate NYU SSO credentials. NOTE: DO NOT SEND THESE AS HTTP QUERY PARAMETERS.
- headers: Authorization: Basic <base64 encoded string>. Replace <base64 encoded string> with the value produced in the previous step.
A note about scopes
The scope parameter is a space-separated list of OAuth scopes, indicating what type of access you need. It limits access for OAuth tokens. For all API access, scope MUST be set to "openid".
For example, use the following cURL command to access the Token API. It returns two tokens, an access token and a refresh token; the refresh token is used later to renew the access token (see Renewing Access Token below).

```bash
# Request token, grant_type password:
curl -k -d "grant_type=password&username=api_service_account&password=api_account_password&scope=openid" \
  -H "Authorization: Basic c0lKV2kza043bGl5N0FIMmlqeWddfOXVDcsdfdTphd1dRCZDMyOHgfmJrOG1WYlcdfd0UnBFVjhh" \
  -H "Content-Type: application/x-www-form-urlencoded" "https://auth.nyu.edu/oauth2/token"
```

The -k flag disables TLS certificate verification, which exposes the credentials in the request to anyone on the network path. Use it only against a test endpoint and drop it in production.
Note about OAuth Access Token Expiration
User access tokens have a fixed expiration time, which is set to 60 minutes.
Example Token Response

```json
{
  "scope": "openid",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "7edfa156a31be246a6a6ba7bdsfsdfs7",
  "id_token": "eyJhbGciOiJSUzI1NiIsIng1.eyJleHAiOjE1MzQ4NzU0OTEsInN1YdzFWTVRD.mbTZizeKLFrmpTYWUmpji96S",
  "access_token": "d003b3c61747b4929ba3ec0fasdfsdfdsf"
}
```
| Key | Description |
|---|---|
| scope | A space-separated list of the scopes you requested. |
| token_type | OAuth token type. |
| expires_in | The number of seconds until this access token expires. |
| refresh_token | A special kind of token that can be used to obtain a renewed access token. |
| access_token | A token that you can use for NYU API calls. |
| id_token | Contains user profile information (such as the user's name and email), represented in the form of claims. |
When a user access token expires, the user can regenerate it as explained in the Renewing Access Token section below.
Renewing Access Token
After an access token is generated, you may need to renew it, either because it has expired or for security reasons. You can renew an access token with the refresh token by issuing a REST call to the Token API with the following parameters.
- https://auth.nyu.edu/oauth2/token
- payload: grant_type=refresh_token&refresh_token=<refresh_token>&scope=<scope1> <scope2> <scope…>. Replace the <refresh_token> value with the refresh token returned in the previous section.
- headers: Authorization: Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace <base64 encoded string> as appropriate.
For example, the following cURL command can be used to refresh the token.

```bash
# Refresh token, grant_type refresh_token:
curl -k -d "grant_type=refresh_token&refresh_token=7edfa156a31be246a6a6ba7bdsfsdfs7" \
  -H "Authorization: Basic c0lKV2kza043bGl5N0FIMmlqeWddfOXVDcdfsdfphd1dsfDMyOHgfmJrOG1WYlcdfd0UnBFVjhh" \
  -H "Content-Type: application/x-www-form-urlencoded" "https://auth.nyu.edu/oauth2/token"
```
Revoking access tokens
After issuing an access token, a user or an admin can revoke it in case of theft or a security violation by calling the Revoke API with a utility like cURL. The Revoke API's endpoint URL is https://auth.nyu.edu/oauth2/revoke.
The parameters required to invoke this API are as follows:
- https://auth.nyu.edu/oauth/revoke
- payload: token=<ACCESS_TOKEN_TO_BE_REVOKED>&token_type_hint=access_token
- headers: Authorization: Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace <base64 encoded string> as appropriate.
For example, the following cURL command can be used to revoke the access token.

```bash
# Revoking token
curl -k -d "token=7edfa156a31be246a6a6ba7bdsfsdfs7&token_type_hint=access_token" \
  -H "Authorization: Basic c0lKV2kza043bGl5N0FIMmlqeWddfOXVDcdfsdfphd1dsfDMyOHgfmJrOG1WYlcdfd0UnBFVjhh" \
  -H "Content-Type: application/x-www-form-urlencoded" "https://auth.nyu.edu/oauth2/revoke"
```
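The whole token lifecycle described above (Basic header from the consumer key and secret, password grant in the POST body, refresh shortly before the 60-minute expiry, revocation), as an added Python example that is not part of NYU's documentation or tooling. The endpoint URLs are the ones listed on this page; the `post` hook, the `TokenClient` class, its method names and the 60-second refresh margin are assumptions made for this example.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://auth.nyu.edu/oauth2/token"
REVOKE_URL = "https://auth.nyu.edu/oauth2/revoke"

def basic_auth_header(consumer_key, consumer_secret):
    """Same step as the openssl base64 command: encode 'key:secret' as a single string."""
    return "Basic " + base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()

class TokenClient:
    """Hypothetical client: obtains one token set, renews it with the refresh token, revokes it."""
    def __init__(self, consumer_key, consumer_secret, post=None):
        self.auth = basic_auth_header(consumer_key, consumer_secret)
        self.post = post or self._http_post  # injectable transport, used by offline tests
        self.tokens = None  # last token response; the user's password is never retained

    def _http_post(self, url, body):
        headers = {"Authorization": self.auth, "Content-Type": "application/x-www-form-urlencoded"}
        with urlopen(Request(url, body, headers, method="POST"), timeout=10) as resp:
            return json.loads(resp.read())

    def _grant(self, params, now):
        params["scope"] = "openid"  # the only scope this API accepts
        # Credentials travel in the urlencoded POST body, never in the query string.
        self.tokens = self.post(TOKEN_URL, urlencode(params).encode())
        self.expires_at = now + int(self.tokens["expires_in"])  # 3600 s for this API
        return self.tokens["access_token"]

    def password_grant(self, username, password, now=None):
        params = {"grant_type": "password", "username": username, "password": password}
        return self._grant(params, time.time() if now is None else now)

    def access_token(self, now=None, skew=60):
        """Return a usable access token, refreshing once within `skew` seconds of expiry."""
        if self.tokens is None:
            raise RuntimeError("no token yet: call password_grant() first")
        now = time.time() if now is None else now
        if now >= self.expires_at - skew:
            return self._grant({"grant_type": "refresh_token",
                                "refresh_token": self.tokens["refresh_token"]}, now)
        return self.tokens["access_token"]

    def revoke(self, token, token_type_hint="access_token"):
        """Revoke API call; the body names the token and a token_type_hint, as in the cURL example."""
        body = urlencode({"token": token, "token_type_hint": token_type_hint}).encode()
        return self.post(REVOKE_URL, body)
```

Passing a fake `post` callable lets the lifecycle be exercised offline; without it the client uses urllib against the real endpoints with certificate verification on (there is no equivalent of curl -k).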
Invoking API using access token

```bash
curl -k -H "Authorization: Bearer d003b3c61747b4929ba3ec0fasdfsdfdsf" "https://esb.nyu.edu/identity/api/[netid]"
```
URL:
Production
- OAuth 2.0 Token Endpoint: https://auth.nyu.edu/oauth2/token
- OAuth 2.0 Token Revocation Endpoint: https://auth.nyu.edu/oauth/revoke