Authentication and security
The API's authentication is built on the OAuth 2.0 standard. Each API request must include an HTTP Authorization header containing an OAuth 2.0 access token.
Requests against the API must be authenticated and made over HTTPS. If these requirements are not met, the request fails.
Successful token requests generate an access token and a refresh token. The access token is usable from the moment it is generated until the number of seconds defined by expires_in
elapses. The refresh token can be used to generate new access tokens until the session expires. Refresh tokens expire after 7 days.
Prerequisites
The following are required to generate tokens:
Headers
Content-Type : application/x-www-form-urlencoded
Log in and generate tokens
To log in to the system and obtain an access token and a refresh token, POST a call to the authentication URL:
https://<<hostName>>/api/authentication/access_token
Include the following in the request body, where <<username>>
and <<password>>
are the username and password of the employee you wish to log in:
username : <<username>>
password : <<password>>
client_id : <<client ID>>
client_secret : <<client password>>
grant_type : password
auth_chain : OAuthLdapService
Include the following HTTP headers:
Content-Type : application/x-www-form-urlencoded
A successful call returns:
access_token
: A string representing the access token.refresh_token
: A string used to obtain a new access token when the current access token becomes invalid or expires. Refresh tokens are optional, are issued at the discretion of the server, and expire after 7 days.scope
: The server uses this response parameter to inform the client of the scope of the issuedaccess_token
.token_type
: Defines the type of token profile issued by the server, such asBearer
ormac
. This enables the client to successfully utilize theaccess token
.expires_in
: Lifetime in seconds of theaccess_token
.
Even though your tokens are time-limited, they are very powerful. Do not share your access_token
or refresh_token
. Protect them as you would a username and password combination.
Refresh a token
To use a refresh token to generate a new access token, POST a call to the following authentication URL:
https://<<hostName>>/api/authentication/access_token
Include the following HTTP headers:
Content-Type : application/x-www-form-urlencoded
Include the following in the request body:
refresh_token : <<refresh_token>>
client_id : <<client ID>>
client_secret : <<client password>>
grant_type : refresh_token
auth_chain : OAuthLdapService
A successful call returns:
access_token
: A string representing the access token.scope
: The server uses this response parameter to inform the client of the scope of the issuedaccess_token
.token_type
: Defines the type of token profile issued by the server, such asBearer
ormac
. This enables the client to successfully utilize theaccess token
.expires_in
: Lifetime in seconds of theaccess_token
.
Revoke a token
You can revoke both access and refresh tokens.
Revoking an access token does not revoke the refresh token issued alongside that access token.
Revoking a refresh token also revokes any access tokens generated alongside or through the use of that refresh token.
Note: If you have multiple access tokens for a single user that were obtained using different authorization grants, you must make multiple calls to the revoke token endpoint to invalidate each token.
To revoke a token, POST a call to the following authentication URL:
https://<<hostName>>/api/authentication/token/revoke
Include the following HTTP headers:
Content-Type : application/x-www-form-urlencoded
Include the following in the request body:
token : <<access_or_refresh_token>>
client_id : <<client ID>>
client_secret : <<client password>>
A successful call returns an HTTP 200 status code.
Code examples
The following code examples demonstrate generating and refreshing a token using cURL and Java OkHttp.
Generate tokens
The following code examples demonstrate calls that request an access token and refresh token.
cURL
curl -X POST \
https://<<hostName>>/api/authentication/access_token \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'username=<<username>>&password=<<password>>&client_id=<<client ID>>&client_secret=<<client password>>&grant_type=password&auth_chain=OAuthLdapService'
Java OkHttp
OkHttpClient client = new OkHttpClient();
MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded");
RequestBody body = RequestBody.create(mediaType, "username=<<username>>&password=<<password>>&client_id=<<client ID>>&client_secret=<<client password>>&grant_type=password&auth_chain=OAuthLdapService");
Request request = new Request.Builder()
.url("https://<<hostName>>/api/authentication/access_token")
.post(body)
.addHeader("content-type", "application/x-www-form-urlencoded")
.build();
Response response = client.newCall(request).execute();
This call returns a response body similar to the following example:
{
"access_token": "7a398ff1-1ec4-40de-a21a-f1df5f977710",
"refresh_token": "ae131028-414c-4fb7-b17d-4a0769bbcd96",
"scope": "givenName mail nonce openid profile sn uid",
"id_token": "<<value>>",
"token_type": "Bearer",
"expires_in": 1799
}
You must parse the response to fetch the value of access_token
for your API calls.
Refresh a token
The following code examples demonstrate refreshing an access token using a refresh token.
cURL
curl -X POST \
https://<<hostName>>/api/authentication/access_token \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'refresh_token=<<refresh_token>>&client_id=<<client ID>>&client_secret=<<client password>>&grant_type=refresh_token&auth_chain=OAuthLdapService'
Java OkHttp
OkHttpClient client = new OkHttpClient();
MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded");
RequestBody body = RequestBody.create(mediaType, "refresh_token=<<refresh_token>>&client_id=<<client ID>>&client_secret=<<client password>>&grant_type=refresh_token&auth_chain=OAuthLdapService");
Request request = new Request.Builder()
.url("https://<<hostName>>/api/authentication/access_token")
.post(body)
.addHeader("content-type", "application/x-www-form-urlencoded")
.build();
Response response = client.newCall(request).execute();
This call returns a response body similar to the following example:
{
"access_token": "4bb7e58a-eddf-4ae0-aaf8-14a748d7c25c",
"scope": "givenName mail nonce openid profile sn uid",
"id_token": "<<value>>",
"token_type": "Bearer",
"expires_in": 1799
}
Revoke a token
The following code examples demonstrate revoking an access or refresh token.
cURL
curl -X POST \
https://<<hostName>>/api/authentication/token/revoke \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'token=<<access_or_refresh_token>>&client_id=<<client ID>>&client_secret=<<client password>>'
Java OkHttp
OkHttpClient client = new OkHttpClient();
MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded");
RequestBody body = RequestBody.create(mediaType, "token=<<access_or_refresh_token>>&client_id=<<client ID>>&client_secret=<<client password>>");
Request request = new Request.Builder()
.url("https://<<hostName>>/api/authentication/token/revoke")
.post(body)
.addHeader("content-type", "application/x-www-form-urlencoded")
.build();
Response response = client.newCall(request).execute();
A successful call returns an HTTP 200 status code.
Federated identity management systems
If you are using a token provided by an OAuth compatible federated identity management (IDP) system that has been properly interfaced with your tenant, include the federated token as your access_token
value just as you would use a normally-generated access_token
.
If you are building an application intended to interface with a wide vatiety of tenants, each of which might use a different IDP with a variety of possible configurations, or if your application needs to be able to request a set of tokens from a tenant interfaced with a federated identity management system that is not able to provide tokens directly, refer to the Authenticate with federated user accounts topic.
Manage UI sessions
The API allows you to manage certain aspects of UI sessions. For example, you can log out a UI session using the API call described in the Manage UI sessions topic.
Make an API call
If you are ready to use your generated access token to make an API call, proceed to the Quick Start topic.
Updated 8 months ago