EN | ES
Onesait Platform is ready to work with OAuth2 authentication. Following we'll see the OAuth2 Token management flow.
1. OAuth2 Realm configuration parameters
When creating or Updating a Realm, there are two parameters to be configured associated to the OAuth Tokens:
- KEY (Secret): key that will be used for clients's authentication..
- TOKEN VALIDITY TIME (S): configurable duration (in seconds) in which the generated token will be valid.
They are non-obligatory attributes. In case of not informing them, they will take default values (onesaitplatform and 43200 (12 hours)).
2. Token Generation
There is an endpoint that allows OAuth2 token generation.
The URL is like this: https://lab.onesaitplatform.com/oauth-server/oauth/token
It's a POST request, and it must include:
- Headers:
- Authorization: (client:secret b64)
- Content-Type: application/x-www-form-urlencoded
- Body:
- grant_type: password (User/Password request)
- username: user's Id
- password: user's password
- clientId: client's Id for Token use
- scope: Token scope
Using Postman to send this request, it will be something like this:
The response will be like this:
To Highlight:
- access_token: Access token
- refresh_token: Refresh Token (one use)
- expires_in: Remaining validity time (seconds)
- authorities: Realms' roles asigned to the user
3. Chek Token
Service that verifies the validity of a token. The endpoint will be like this: https://lab.onesaitplatform.com/oauth-server/openplatform-oauth/check_token
The POST request must include:
- Headers:
- Authorization: (client:secret b64)
- Parameter:
- token: token to validate
Using postman:
If the token is valid, a response will be obtained in the form:
To Highlight:
- exp: Expiration date
- client_id: client for which the token was generated
- authorities: Realm's Roles to which the token's user belongs
4. Refresh Token
Service that regenerates the token in order to obtain another one. The endpoint is like this: https://lab.onesaitplatform.com/oauth-server/oauth/token
(the same as for getting a new token, changes the grant-type).
The POST request must include:
- Headers:
- Authorization: (client:secret b64)
- Content-Type: application/x-www-form-urlencoded
- Body:
- grant_type: refresh_token (for token refresh)
- refresh_token: refresh token obtained when generating the token)
Using Postman:
The result is the same as for a get token request:
The refresh token is one-use token. After regenerating the token, a new refresh token will be provided.
5. Revoke Token
As an addional service, a revoke token service has been included. It allows to disable (revoke) an existing access token associated to an user.
The endpoint is like this: https://lab.onesaitplatform.com/oauth-server/openplatform-oauth/revoke_token
The POST request must include:
Headers:
- Authorization: (cliente:secret en b64)
- Content-Type: application/x-www-form-urlencoded
Query Param:
- token: (token to revoke)
In Postman:
The result will indicate that the token is not longer valid:
6. User info endpoints
An endpoint to retrieve user claims. The url is like this: https://lab.onesaitplatform.com/oauth-server/user
The POST request must include:
Headers:
- Authorization: Bearer {jwt}
In postman: