NYU Developer Support logo

Developer Portal

Support

API Token Generation

Requesting access token with the API user credentials (resource owner password credentials grant )

Obtaining an access token by providing the API username and password as an authorization grant requires base64 encoding the strings of the consumer-key:consumer-secret combination.

Prerequisites

  • A valid service account (e.g. nyu123). 
  • A valid consumer key and consumer secret pair.

Invoking the Token API to generate access tokens    

Generate Access Token

  1. Combine the client Id and client secret keys in the format client-id:client-secret and encode the combined string using base64. 
    $ openssl base64 -in <infile> -out <outfile>

    Here’s an example client key and secret combination :wU62DjlyDBnq87GlfwplfqvmAbAa:ksdSdoefDDP7wpaElfqvmjDue.

  2. Access the Token API by using a REST client such as the Postman or cURL, with the following parameters.
    • https://auth.nyu.edu/oauth2/token
    • payload (Send as body in HTTP Post) – “grant_type=password&username=<username>&password=<password>&scope=openid”. Replace the <username> and<password> values with appropriate NYU SSO credentials. NOTE : DO NOT SEND AS HTTP QUERY PARAMETERS
    • headers – Authorization: Basic <base64 encoded string> Replace the <base64 encoded string> as appropriate.

A note about scopes

The scope parameter is a space-separated list of OAuth scopes, indicating what type of access you need. It limits access for OAuth tokens. For all API access, scope MUST be set to openid“.

For example, use the following cURL command to access the Token API. It generates two tokens, an access token and a refresh token. You can use the refresh token at the time a token is renewed (see the section below for renewing access token).
#Request token grant_type password:

curl  -k -d “grant_type=password&username=api_service_account&password=api_account_password&scope=openid”
-H “Authorization: Basic c0lKV2kza043bGl5N0FIMmlqeWddfOXVDcsdfdTphd1dRCZDMyOHgfmJrOG1WYlcdfd0UnBFVjhh”
-H “Content-Type: application/x-www-form-urlencoded” “https://auth.nyu.edu/oauth2/token”

Note about OAuth Access Token Expiration
User access tokens have a fixed expiration time, which is set to 60 minutes.

Example Token Response

{
   “scope”: “openid”,
   “token_type”: “Bearer”,
   “expires_in”:3600,
   “refresh_token”: “7edfa156a31be246a6a6ba7bdsfsdfs7”,
   “id_token”:“eyJhbGciOiJSUzI1NiIsIng1. eyJleHAiOjE1MzQ4NzU0OTEsInN1YdzFWTVRD. mbTZizeKLFrmpTYWUmpji96S”,
   “access_token”: “d003b3c61747b4929ba3ec0fasdfsdfdsf”
}

Key
Description
scope A space separated list of scopes you’ve requested.
token_type OAuth token type.
expires_in The number of seconds until this access token expires.
refresh_token A special kind of token that can be used to obtain a renewed access token.
access_token A token that you can use for NYU API calls.
id_token It contains user profile information (like the user’s name, email, etc), represented in the form of claims.

When a user access token expires, the user can try regenerating the token as explained in the Renewing user tokens section below.

Renewing Access Token

After an access token is generated, sometimes you might have to renew the old token due to expiration or security concerns. You can renew an access token using a refresh token, by issuing a REST call to the Token API with the following parameters. 

  • https://auth.nyu.edu/oauth2/token
  • payload – “grant_type=refresh_token&refresh_token=<refresh_token>&scope=<scope1> <scope2> <scope…>”. Replace the <refresh_token> value with the refresh token generated in the previous section.
  • headers – Authorization :Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace<base64 encoded string> as appropriate.      

For example, the following cURL command can be used to refresh the token.

curl -k -d “grant_type=refresh_token&refresh_token=7edfa156a31be246a6a6ba7bdsfsdfs7”
-H “Authorization: Basic c0lKV2kza043bGl5N0FIMmlqeWddfOXVDcdfsdfphd1dsfDMyOHgfmJrOG1WYlcdfd0UnBFVjhh”
-H “Content-Type: application/x-www-form-urlencoded” “https://auth.nyu.edu/oauth2/token”

Revoking access tokens

After issuing an access token, a user or an admin can revoke it in case of theft or a security violation. You can do this by calling Revoke API using a utility like cURL. The Revoke API’s endpoint URL is https://auth.nyu.edu/oauth2/revoke.

Parameters required to invoke this API are as follows:

  • https://auth.nyu.edu/oauth/revoke
  • payload – token=<ACCESS_TOKEN_TO_BE_REVOKED>&token_type_hint=access_token
  • header – Authorization :Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace<base64 encoded string> as appropriate.

For example, the following cURL command can be used to revoke the access token.
#Revoking token

curl -k -d “token=7edfa156a31be246a6a6ba7bdsfsdfs7&token_type_hint=access_token”
-H “Authorization: Basic c0lKV2kza043bGl5N0FIMmlqeWddfOXVDcdfsdfphd1dsfDMyOHgfmJrOG1WYlcdfd0UnBFVjhh” 
-H “Content-Type: application/x-www-form-urlencoded” “https://auth.nyu.edu/oauth2/revoke”

Invoking API using access token

curl -k -H “Authorization: Bearer d003b3c61747b4929ba3ec0fasdfsdfdsf” “https://esb.nyu.edu/identity/api/[netid]”

URL:

Production

  • OAuth 2.0 Token Endpoint: https://auth.nyu.edu/oauth2/token
  • OAuth 2.0 Token Revocation Endpoint:https://auth.nyu.edu/oauth/revoke

Mulesoft TLS v1.0 Deprecation

Mulesoft is deprecating the use of TLS v1.0 protocol for secure connections to the Anypoint Platform, please refer to important dates below 

Important Dates – TLS v1.0 access will no longer work, and all secure connections will have to use TLSv1.1 or TLS v1.2 on:

  • May 31, 2018 (EU)
  • June 2, 2018 (US & other regions)

There will be no extension to these dates.

Mulesoft is asking to conduct the following actions before April 30, 2018:

What is the issue?

For over 20 years Secure Sockets Layer (SSL) has been in the market as one of the most widely-used encryption protocols ever released, and remains in widespread use today despite various security vulnerabilities exposed in the protocol. Fifteen years ago, SSL v3.0 was superseded by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2. To date, SSL and early TLS no longer meet minimum security standards due to security vulnerabilities in the protocol for which there are no fixes.   Related links for more information:

https://www.kb.cert.org/vuls/id/864643

https://www.howsmyssl.com/s/about.html

https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack

How serious is this issue? 

It is critically important that entities upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.  SSL has been removed as an example of strong cryptography in the PCI DSS, and can no longer be used as a security control.

What is the actual risk?

SSL/TLS encrypts a channel between two endpoints (for example, between a web browser and web server) to provide privacy and reliability of data transmitted over the communications channel. Since the release of SSL v3.0, several vulnerabilities have been identified, most recently in late 2014 when researchers published details on a security vulnerability (CVE-2014-3566) that may allow attackers to extract data from secure connections. More commonly referred to as POODLE (Padding Oracle On Downgraded Legacy Encryption), this vulnerability is a man-in-the-middle attack where it’s possible to decrypt an encrypted message secured by SSL v3.0. The SSL protocol (all versions) cannot be fixed; there are no known methods to remediate vulnerabilities such as POODLE. SSL and early TLS no longer meet the security needs of entities implementing strong cryptography to protect payment data over public or untrusted communications channels. Additionally, modern web browsers will begin prohibiting SSL connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol.
 

How are MuleSoft’s products impacted? 

Currently the default SSL/TLS mechanism for MuleSoft has been TLS v1.0 for all products.  MuleSoft will provide a matrix that will include a multifaceted approach to deprecating TLS v1.0, and providing TLS v1.2 as the default.

Additional details can be found at TLS v1.0 Deprecation Support Article.

API Response Codes

API Response Codes

HTTP status codes are grouped into five numeric categories:

CODE

TYPE
1xx informational
2xx successful
3xx redirection
4xx client error
5xx server error

CODE

HTTP METHOD

RESPONSE BODY

DESCRIPTION
200 OK GET, PUT, DELETE Resource There are no errors, the request has been successful
201 Created POST URI of the resource that has been created The request has been fulfilled and resulted in a new resource being created
202 Accepted POST, PUT, DELETE An URI of a resource which represents the processing status The request has been accepted for processing, but the processing has not been completed
204 No Content GET, PUT, DELETE N/A There are no errors, the request has been processed and no contact is expected in the body (by design)
400 Bad request GET, POST, PUT, DELETE Error message The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications
401 Unauthorized GET, POST, PUT, DELETE Error message The request requires user authentication
404 Not Found GET, POST, PUT, DELETE Error message The server has not found anything matching the request URI
405 Method Not Allowed GET, POST, PUT, DELETE Error message The method specified in the request is not allowed for the resource identified by the URI
406 Not Acceptable GET, POST, PUT, DELETE Error message The request contains parameters that are not acceptable
415 Unsupported Media Type GET, POST, PUT Error Message The server is refusing to service the request because the entity of the request is in a format not supported by the requested resource for the requested method
500 Internal Server Error GET, POST, PUT, DELETE Error message The server encountered an unexpected condition which prevented it from fulfilling the request

Access Issues

Invalid Credentials

  1. Invalid Client Id and secret – This could occur when the user/application has access but either do not have or have an incorrect Client-id and Client Secret key

How to Obtain a Client-Id and Client Secret ?  –    Process to get Client-Id and Secret

If not able to resolve with new client Id and client secret, please route the incident to api-support@nyu.edu.

2. Missing or invalid tokens – Authorized but having invalid/expired tokens.

Get new token by following the curl commands in this link Token Generation

Please route the incident to api-support@nyu.edu  if issue is not resolved with a new token.

Data Issues

Issue Scenario Resolution
Resource not found/Bad Request Incorrect or missing or due to data field format issues Check if all correct parameters are passed based on API’s specification
Empty array with 200 Code No record found for the search criteria  
No data returned Database error Potential issue with database and ticket needs to be assigned to database team
Incorrect data returned Data Issue Please route it to API team so that they can assign it to appropriate teams