Headless API Access with Authorization code

Authorization Code is one of the auth types available for accessing headless APIs. A few configuration steps have to be taken care of before it can be used; they are described below.

1. Create an OAuth2 Administration entry with all parameters and enable Authorization Code and Refresh Token (the refresh token is used to obtain a new access token once the previous access token expires).

2. Tick the Trusted Application checkbox if the user authorization prompt should be skipped.

3. In case the user must authorize the application explicitly, permissions have to be set as follows. Go to Control Panel -> Users -> Roles -> User -> Define Permissions -> OAuth2 Administration. Provide access to Add OAuth 2 Remember Device and Add OAuth 2 Trusted Application.

4. Configure the permissions for the roles that are allowed to use this component as follows. Go to Control Panel -> Users -> Roles -> User -> Define Permissions -> OAuth2 Administration. Provide access to create tokens, revoke tokens, and view.

5. The most common OAuth flow is the Authorization Code flow, used for web applications. The URL for this requires the following request parameters:

  • response_type
  • client_id

To construct a URL for this authorization, therefore, follow this pattern:

https://[hostname]/o/oauth2/authorize?response_type=code&client_id=[client ID]

The client ID comes from registering the application. It is generated automatically (though you can change it when editing the application). Open the URL in a browser; after authorization the server redirects to the callback URL as:

[your callback URI]?code=[authorization server generated code]

Your application must then exchange this authorization code for an access token by sending a POST request following this pattern:

https://[hostname]/o/oauth2/token

With the following parameters in the body (encoded as application/x-www-form-urlencoded):

client_id=[client ID]
client_secret=[client secret]
grant_type=authorization_code
code=[authorization server generated code]
redirect_uri=[registered callback URI]

In the body of HTTP response to this request, you will receive JSON like this:

{
	"access_token": "[authorization server generated access token]",
	"token_type": "Bearer",
	"expires_in": 600,
	"scope": "[the scopes that were authorized by the user]",
	"refresh_token": "[authorization server generated refresh token]"
}

From this, you should extract and persist the access token. If you intend to use the token for an indefinite amount of time (beyond the 600 seconds from the example above) you also need the refresh token. Get a new access token by sending a POST request following this pattern:

https://[hostname]/o/oauth2/token

With the following parameters in the body (encoded as application/x-www-form-urlencoded):

client_id=[client ID]
client_secret=[client secret]
grant_type=refresh_token
refresh_token=[refresh token]
redirect_uri=[registered callback URI]

The response has the same shape as the one returned when exchanging the authorization code for an access token.
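The whole flow from step 5 onwards (building the authorize URL, reading the code from the callback, exchanging it at /o/oauth2/token, refreshing before expiry and attaching the Bearer header to a headless API call) as an added Python example; this is not code from the original page or from Liferay. HOSTNAME, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI and the fake_post transport are constructed placeholders, and the state parameter is an addition beyond the two request parameters the page lists, so the client can reject callbacks it did not initiate.

```python
import json
import secrets
import time
import urllib.parse
import urllib.request

HOSTNAME = "portal.example.invalid"                    # placeholder host
CLIENT_ID = "id-0123456789abcdef"                       # placeholder client ID
CLIENT_SECRET = "secret-placeholder"                    # placeholder client secret
REDIRECT_URI = "https://app.example.invalid/callback"  # placeholder callback URI


def build_authorize_url(hostname, client_id, state):
    """Step 5 URL: response_type=code and client_id, plus an unguessable
    state value the callback must echo back (generate it with secrets.token_urlsafe)."""
    query = urllib.parse.urlencode(
        {"response_type": "code", "client_id": client_id, "state": state})
    return f"https://{hostname}/o/oauth2/authorize?{query}"


def parse_callback(callback_url, expected_state):
    """Extract the code from '[callback URI]?code=...'; refuse the callback when
    the state does not match the one we sent or the server reported an error."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not initiated by us")
    if "error" in params:
        raise ValueError("authorization server error: " + params["error"][0])
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def _post_form(url, fields):
    """Default transport: application/x-www-form-urlencoded POST, JSON body back."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def _to_session(body, issued_at):
    """Turn the token response into a session dict with an absolute expiry time."""
    if body.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: " + str(body.get("token_type")))
    return {"access_token": body["access_token"],
            "refresh_token": body.get("refresh_token"),
            "expires_at": issued_at + int(body["expires_in"])}


def exchange_code(code, post=_post_form, now=time.time):
    """Swap the authorization code for an access/refresh token pair."""
    body = post(f"https://{HOSTNAME}/o/oauth2/token", {
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": REDIRECT_URI})
    return _to_session(body, now())


def refresh_tokens(session, post=_post_form, now=time.time):
    """Use the stored refresh token to obtain a fresh access token."""
    body = post(f"https://{HOSTNAME}/o/oauth2/token", {
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "grant_type": "refresh_token", "refresh_token": session["refresh_token"],
        "redirect_uri": REDIRECT_URI})
    return _to_session(body, now())


def bearer_header(session, post=_post_form, now=time.time, skew=30):
    """Authorization header for a headless API call; refreshes in place when the
    access token is within `skew` seconds of expiring so a request never uses a stale one."""
    if now() >= session["expires_at"] - skew:
        session.update(refresh_tokens(session, post=post, now=now))
    return {"Authorization": "Bearer " + session["access_token"]}


def fake_post(url, fields):
    """Constructed stand-in for the token endpoint so the flow runs offline.
    It mirrors the JSON shape shown on the page; values are made up."""
    if not url.endswith("/o/oauth2/token"):
        raise ValueError("unexpected endpoint " + url)
    if fields["grant_type"] == "authorization_code" and fields["code"] != "CODE-abc":
        raise ValueError("invalid_grant")
    if fields["grant_type"] == "refresh_token" and not fields["refresh_token"]:
        raise ValueError("invalid_grant")
    return {"access_token": "AT-" + fields["grant_type"], "token_type": "Bearer",
            "expires_in": 600, "scope": "placeholder-scope",
            "refresh_token": "RT-" + fields["grant_type"]}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(HOSTNAME, CLIENT_ID, state))
    code = parse_callback(f"{REDIRECT_URI}?code=CODE-abc&state={state}", state)
    sess = exchange_code(code, post=fake_post)
    print(bearer_header(sess, post=fake_post))   # header for e.g. /o/headless-delivery/...
```

Swap `fake_post` for the default `_post_form` to talk to a real portal; the page's redirect_uri in the refresh request is kept as written. Persist the session dict server-side only: the client secret and refresh token are long-lived credentials and must never reach the browser.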