This flow (the Resource Owner Password Credentials grant) should only be used if the authorization code flow or its Proof Key for Code Exchange (PKCE) extension cannot be used, because it hands the user's password to the Application instead of to the Provider alone.
Getting the access_token
You need to use the client_id and client_secret of your Application together with the user's credentials to get an access_token.
To do that, send an HTTP POST request to the token URL of your Provider (e.g. https://[providerFQDN]/oauth/token), with the body encoded as application/x-www-form-urlencoded and the following parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| username (required) | string | The Resource Owner's username |
| password (required) | string | The Resource Owner's password |
| grant_type (required) | string | Should be password |
| scope (required) | string | A space-separated list of strings (e.g. openid phone email) representing different scopes |
In order to authenticate the Application, you need to send an Authorization header using the HTTP Basic Authentication Scheme
with your client_id and client_secret as shown in the example below. Strictly, RFC 6749 section 2.3.1 requires both values to be form-urlencoded before the "client_id:client_secret" string is base64-encoded; this only matters if they contain characters such as ':' or '%'.
// In Node, Buffer is the idiomatic choice; btoa() is a browser global that only exists in Node 16+
const authorization_header = "Basic " + Buffer.from(client_id + ":" + client_secret).toString("base64");
Following this request, you will get a JSON response from Connect containing the following:
- An access_token representing the User's credentials for your Application. The received access_token is a JSON Web Token (JWT) and has a validity of one hour.
- A refresh_token that you can use to, as the name implies, refresh an access_token that has expired and get a new pair of access_token/refresh_token.
Note: The length of tokens can vary and exceed 255 characters. Keep that in mind if you want to store them in a database: a VARCHAR(255) column will not be large enough and will silently truncate them, so use TEXT or a wider column.

Warning: Both the access_token and the refresh_token are sensitive information and should NEVER be shared. Treat them like the user's password: keep them server-side, do not write them to logs, and do not put them in URLs.
Code Sample
                  The following code shows how your Application can request an access_token
with a client_id and client_secret.
Note: For the sake of clarity, we're using the following node packages:
- request (note that this package has been deprecated and unmaintained since 2020; it is kept here because the sample was written against it)
- jsonwebtoken

Caution: The following code is not production ready.
// app.js
const request = require("request"); // deprecated package, kept because the sample uses it
const jwt = require("jsonwebtoken");

// Read credentials from the environment rather than hard-coding them in source.
const client_id = process.env.CLIENT_ID;
const client_secret = process.env.CLIENT_SECRET;
const username = process.env.OAUTH_USERNAME;
const password = process.env.OAUTH_PASSWORD;
const scope = "openid phone email"; // space-separated list of scopes

// HTTP Basic credentials for the Application (Buffer instead of the browser-only btoa)
const authorization_header = "Basic " + Buffer.from(client_id + ":" + client_secret).toString("base64");
const request_object = {
  url: "https://[providerFQDN]/oauth/token",
  headers: {
    "Authorization": authorization_header
  },
  form: { // `form` sends the body as application/x-www-form-urlencoded
    username: username,
    password: password,
    grant_type: "password",
    scope: scope
  }
};
request.post(
  request_object,
  function(err, httpResponse, body) {
    if (err) {
      // network-level failure: no response was received at all
      return console.error("token request failed:", err);
    }
    if (httpResponse.statusCode !== 200) {
      // the Provider rejected the request (bad client or user credentials, invalid scope, ...)
      return console.error("token endpoint returned", httpResponse.statusCode, body);
    }
    let json_response;
    try {
      json_response = JSON.parse(body);
    } catch (parse_err) {
      return console.error("token endpoint returned a non-JSON body:", body);
    }
    // Verifying with client_secret assumes the Provider signs the JWT with an HMAC
    // algorithm (HS256). Pin the algorithm so that a token whose header claims "none"
    // or RS256 is rejected instead of being checked with the wrong kind of key. If your
    // Provider signs with RS256, pass its public key (from its JWKS) here instead.
    jwt.verify(json_response.access_token, client_secret, { algorithms: ["HS256"] }, function(err, decoded_jwt) {
      if (err) {
        // invalid signature, expired token, or algorithm mismatch
        console.error("access_token verification failed:", err.message);
      } else {
        // Yay! 🤗 Your User has successfully authenticated
        // `decoded_jwt` contains the claims of the token (sub, scope, exp, ...)
        console.log("authenticated user:", decoded_jwt.sub);
        // keep json_response.refresh_token server-side to renew the pair later
      }
    });
  }
);
