Forum Discussion

Hari329's avatar
Hari329
Adept
10 years ago

Using the authorization grant flow via a back-end API call

Hi ,   We are planning to use " authorization grant flow  via a back-end API call ". Could you please let me know the process to get the access token and refresh token after we create API-only user...
PaoloT's avatar
PaoloT
Lithium Alumni (Retired)

Hi Hari329

 

further to the above. The documentation mentions the following

Using the authorization grant flow  via a back-end API call

The authorization grant flow assumes that a web browser is involved during authentication.  If you want to use a back-end API call for OAuth, create an API-only user with appropriate permissions to make the API calls. This API-only user must login once through the community using the authorization flow to receive access and refresh tokens. From there on subsequent authenticated, backend API calls can be made  using the tokens.

What that means is, even if the user will be used for back end calls, they will still need to go trough the standard OAuth interactive exchange for the first login, to make sure that you can get a valid access token and refresh token for that user.  The below diagram (from the KB page) depicts the interactive exchange (which is the same used for normal, non API users)

oauth.png

 

At the end of the process (which can be initiated with any suitable HTTP client, manually) you will have obained an access token and a refresh token and you can then store them in your application for subsequent calls.

 

SuzieH - it looks like our KB page may need some more detail to avoid confusion around this manual step required for backend users. Is that something you can help with?

 

Thanks,

 

Hari329's avatar
Hari329
Adept
10 years ago

Hi ,

 

Thanks a lot for clarifications and updating documentation. Below is summary of our understanding :

 

  1. Obtaining access and refresh key is one time process which can be achieved by manual log in process.
  2. Once we obtain these keys using this manual log in process , refresh key can be used for subsequent calls for retrieving data as refresh key will never expire.

 

Please correct me if any one if above statement is wrong.

 

I have tried to obtain access and refresh tokens in below way :

 

  1. Accessed our community site
  2. Loged in using Sign In option available

 before log in.JPG

  1. Used my credentials which were granted with API-only permissions to sign in. Below is screenshot after sign in :

 

 after log in.png

  1. I couldn’t see any option/link to retrieve access and refresh tokens.

 

Could you please correct me If I am doing wrong process here ? And also please point me from where I can request for access and refresh token.

 

And also as per documentation (Request authorization section of - http://community.lithium.com/t5/Community-API-v2/OAuth-2-0-authorization-grant-flow/ta-p/138402#getAuthorizationcode), I have tried below process to retrieve authorization code :

 

https://www.rbs-communities.co.uk/auth/oauth2/authorize?client_id=wPfOkT3FhtL6ZZTFCzWGajoUXC4hUbtAtF1h/Y4ck8w=&response_type=code&redirect_uri=www.rbs-communities.co.uk/getaccesstoken

 

But seeing below error :

 error.JPG

 

Its mentioned that he redirect_uri used in the authorization request must match the callback URL defined for the community. Who will be providing this ?