Getting access tokens with the authorization code grant

Instructions for getting access tokens with the authorization code grant flow.

Login as admin in Swagger UI

  1. Go to https://localhost:8443/api/swagger/default.

  2. Select Authorize.

  3. Enter the following values in the form:

    Key            Value
    client_id      admin-swagger
    client_secret  n8HF35qzZkmsukHJzzz9LnN8m9Mf97uq
  4. Select Authorize.

  5. Select Close.

Create the client

  1. Select the POST /api/admin/{tid}/clients API.

  2. Select Try it out.

  3. Enter default as tid (tenant ID).

  4. Use the following JSON as the body:

    {
        "authorization_server_id": "default",
        "client_id": "client",
        "client_secret": "wPeimtcljkdBeG19Xc3OXD41iZo0zxdg",
        "client_name": "My app",
        "grant_types": [
            "authorization_code"
        ],
        "redirect_uris": [
            "https://example.com/callback"
        ],
        "response_types": [
            "token",
            "id_token",
            "code"
        ],
        "scopes": [
            "email",
            "openid"
        ]
    }
    
  5. Select Execute.

Make the authorize request

  • Your application initiates a redirect in the browser to the following URL:

    https://localhost:8443/default/default/oauth2/authorize
    ?client_id=client
    &scope=openid
    &redirect_uri=https%3A%2F%2Fexample.com%2Fcallback
    &response_type=code
    
  • The user authenticates and, on the consent page, approves the application's access to their data.

    Note

    To test the authentication, you can use the user:user credentials.

Exchange the authorization code

  • Once the user has granted access to the application, the authorization server redirects the browser to the requested redirect_uri with the authorization code in the code query parameter.

    https://example.com/callback
    ?code=Rl1OCBIpNH5h1VCmKS0GA5wC2fIHGw9nh6i3vc8ijPE
    
  • Your application exchanges the authorization code for the access and ID tokens.

    curl -X POST -k https://localhost:8443/default/default/oauth2/token \
    -u "client:wPeimtcljkdBeG19Xc3OXD41iZo0zxdg" \
    -H "Content-type: application/x-www-form-urlencoded" \
    -d "grant_type=authorization_code&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&code=Rl1OCBIpNH5h1VCmKS0GA5wC2fIHGw9nh6i3vc8ijPE"
    

Expected response

{
   "access_token": "..",
   "expires_in": 3600,
   "id_token": "..",
   "scope": "openid",
   "token_type": "bearer"
}
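The client side of the three steps above (authorize request, callback, code exchange), as an added Python example that is not part of this page or the product's own SDK. It assumes the client created above and adds a state parameter, which the authorize URL on the page omits; the callback URL in the demo is constructed.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values from the client created above; tenant id and server id are both "default".
ISSUER = "https://localhost:8443/default/default"
CLIENT_ID = "client"
CLIENT_SECRET = "wPeimtcljkdBeG19Xc3OXD41iZo0zxdg"
REDIRECT_URI = "https://example.com/callback"


def build_authorize_url(state: str, scope: str = "openid") -> str:
    """The authorize request from the page, plus a state value (assumed addition)
    that the app keeps in the user's session to reject callbacks it did not start."""
    params = {"client_id": CLIENT_ID, "scope": scope, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "state": state}
    return f"{ISSUER}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to redirect_uri,
    refusing error responses and callbacks whose state does not match the session."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    return query["code"][0]


def build_token_request(code: str) -> tuple[dict, str]:
    """Headers and form body for POST {ISSUER}/oauth2/token, matching the page's
    curl command: client credentials in HTTP Basic, parameters form-encoded."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code",
                      "redirect_uri": REDIRECT_URI, "code": code})
    return headers, body


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(state))
    # Constructed callback URL, shaped like the server's redirect after consent.
    callback = f"{REDIRECT_URI}?code=Rl1OCBIpNH5h1VCmKS0GA5wC2fIHGw9nh6i3vc8ijPE&state={state}"
    print(build_token_request(parse_callback(callback, state)))
```

The body returned by build_token_request is byte-for-byte the -d value of the curl command above, and the Authorization header is what curl's -u option sends.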