How to use OAuth2 Tokens in Platform?

EN | ES

Onesait Platform is ready to work with OAuth2 authentication. Following we'll see the OAuth2 Token management flow.

1. OAuth2 Realm configuration parameters

When creating or Updating a Realm, there are two parameters to be configured associated to the OAuth Tokens:

  • KEY (Secret): key that will be used for clients's authentication..
  • TOKEN VALIDITY TIME (S): configurable duration (in seconds) in which the generated token will be valid.

They are non-obligatory attributes. In case of not informing them, they will take default values ​​(onesaitplatform and 43200 (12 hours)).

2. Token Generation

There is an endpoint that allows OAuth2 token generation.

The URL is like this: https://lab.onesaitplatform.com/oauth-server/oauth/token

It's a POST request, and it must include:

  • Headers:
    • Authorization: (client:secret b64)
    • Content-Type: application/x-www-form-urlencoded
  • Body:
    • grant_type: password (User/Password request)
    • username: user's Id
    • password: user's password
    • clientId: client's Id for Token use
    • scope: Token scope 

Using Postman to send this request, it will be something like this:



The response will be like this:


To Highlight:

  • access_token: Access token
  • refresh_token: Refresh Token (one use)
  • expires_in: Remaining validity time (seconds)
  • authorities: Realms' roles asigned to the user

3. Chek Token

Service that verifies the validity of a token. The endpoint will be like this: https://lab.onesaitplatform.com/oauth-server/openplatform-oauth/check_token

The POST request must include:

  • Headers:
    • Authorization: (client:secret b64)
  • Parameter:
    • token: token to validate

Using postman:

If the token is valid, a response will be obtained in the form:

To Highlight:

  • exp: Expiration date
  • client_id: client for which the token was generated
  • authorities: Realm's Roles to which the token's user belongs

4. Refresh Token

Service that regenerates the token in order to obtain another one. The endpoint is like this: https://lab.onesaitplatform.com/oauth-server/oauth/token

(the same as for getting a new token, changes the grant-type).

The POST request must include:

  • Headers:
    • Authorization: (client:secret b64)
    • Content-Type: application/x-www-form-urlencoded
  • Body:
    • grant_type: refresh_token (for token refresh)
    • refresh_token: refresh token obtained when generating the token)

Using Postman:

The result is the same as for a get token request:

The refresh token is one-use token. After regenerating the token, a new refresh token will be provided.

5. Revoke Token

As an addional service, a revoke token service has been included. It allows to disable (revoke) an existing access token associated to an user.

The endpoint is like this: https://lab.onesaitplatform.com/oauth-server/openplatform-oauth/revoke_token

The POST request must include:

Headers:

  • Authorization: (cliente:secret en b64)
  • Content-Type: application/x-www-form-urlencoded

Query Param:

  • token: (token to revoke)

In Postman:

The result will indicate that the token is not longer valid:

6. User info endpoints

An endpoint to retrieve user claims. The url is like this: https://lab.onesaitplatform.com/oauth-server/user

The POST request must include:

Headers:

  • Authorization: Bearer {jwt}

In postman:




(c) 2020 Indra Soluciones Tecnologías de la Información, S.L.U.