Token API
A client ID and client secret are provided for API access. The OAuth 2.0 client credentials grant is used to obtain an access token, and that access token then authenticates each subsequent request, sent as a Bearer token in the Authorization header.
Example
The token endpoint is /auth/realms/{realm-name}/protocol/openid-connect/token. It is invoked with a POST request that carries the client credentials. By default the client authenticates with its clientId and clientSecret in an Authorization: Basic header, but a signed JWT assertion or another client authentication mechanism can be used instead. The request must also include the parameter grant_type=client_credentials, as required by the OAuth 2.0 specification.
For example, the POST request to obtain an access token for the service account can look like this:
POST /auth/realms/demo/protocol/openid-connect/token
Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
or, equivalently with curl, passing the client credentials as form fields in the request body instead of the Basic header (double quotes so the shell expands the variables):
curl --request POST 'https://test.bauexpress.ro/auth/realms/bauexpress/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode "client_id=${client_id}" \
--data-urlencode "client_secret=${client_secret}" \
--data-urlencode 'grant_type=client_credentials'
The response is the standard JSON document defined by the OAuth 2.0 specification, for example:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":60
}
By default only an access token is returned: no refresh token is issued, and no user session is created on the BauExpress side on successful authentication. Because there is no refresh token, the client has to re-authenticate when the access token expires; this adds no overhead on the BauExpress server side, since no sessions are created by default.
The response from the BauExpress endpoint carries a few additional fields; refresh_expires_in is 0 because no refresh token is issued:
{
"access_token": "${access_token}",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "profile email"
}
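As an added example (not part of the BauExpress API documentation), the flow above implemented as a small Python client: it builds the Authorization: Basic value exactly as in the request shown earlier, posts grant_type=client_credentials, parses the token response and, because no refresh token is issued, simply requests a new token shortly before expires_in runs out. The HTTP transport and the clock are injected and the token-endpoint responses are constructed, so the code runs offline; the realm, client name and secret (demo, product-sa-client, password) are the page's placeholders, and the 30-second expiry margin is an assumption.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Token endpoint path from the page, using the page's example realm "demo".
TOKEN_PATH = "/auth/realms/demo/protocol/openid-connect/token"
# Assumption: re-authenticate this many seconds before the token expires.
EXPIRY_MARGIN = 30


def basic_auth_header(client_id, client_secret):
    """Authorization: Basic value for client_secret_basic (RFC 6749 2.3.1, RFC 7617)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret):
    """(method, path, headers, body) for the client_credentials grant."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return "POST", TOKEN_PATH, headers, urlencode({"grant_type": "client_credentials"})


class TokenClient:
    """Fetches an access token with the client credentials grant and caches it.

    transport: callable (method, path, headers, body) -> (status, response_text).
    clock: callable returning seconds. Both are injected so the logic runs
    offline; in production wrap an HTTPS client and keep time.monotonic.
    """

    def __init__(self, client_id, client_secret, transport, clock=time.monotonic):
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport
        self._clock = clock
        self._token = None        # kept in memory only; never log it
        self._expires_at = 0.0
        self.token_requests = 0   # round trips to the token endpoint

    def _fetch(self):
        method, path, headers, body = build_token_request(self._client_id, self._client_secret)
        status, text = self._transport(method, path, headers, body)
        self.token_requests += 1
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}: {text}")
        doc = json.loads(text)
        if doc.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {doc.get('token_type')!r}")
        self._token = doc["access_token"]
        # No refresh token is issued, so expiry is handled by a fresh grant.
        self._expires_at = self._clock() + int(doc["expires_in"])

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at - EXPIRY_MARGIN:
            self._fetch()
        return self._token

    def auth_header(self):
        """Header to attach to every API request."""
        return {"Authorization": f"Bearer {self.access_token()}"}


# Constructed offline stand-in for the token endpoint (not a real server):
# 401 on bad client credentials, otherwise the response shape shown on the page.
def make_fake_transport(expected_auth, access_tokens):
    remaining = list(access_tokens)

    def transport(method, path, headers, body):
        if method != "POST" or path != TOKEN_PATH:
            return 404, json.dumps({"error": "not_found"})
        if headers.get("Authorization") != expected_auth:
            return 401, json.dumps({"error": "invalid_client"})
        if body != "grant_type=client_credentials":
            return 400, json.dumps({"error": "unsupported_grant_type"})
        return 200, json.dumps({
            "access_token": remaining.pop(0), "expires_in": 300, "refresh_expires_in": 0,
            "token_type": "Bearer", "not-before-policy": 0, "scope": "profile email",
        })

    return transport


def demo():
    """Fake clock: the token is reused inside its lifetime and renewed once it expires."""
    now = [1000.0]
    good_auth = basic_auth_header("product-sa-client", "password")
    client = TokenClient("product-sa-client", "password",
                         make_fake_transport(good_auth, ["token-1", "token-2"]),
                         clock=lambda: now[0])
    first = client.auth_header()["Authorization"]   # fetches token-1
    now[0] += 100                                   # 100 s later: still valid, reused
    second = client.auth_header()["Authorization"]
    now[0] += 200                                   # 300 s after issue: expired, re-authenticate
    third = client.auth_header()["Authorization"]   # fetches token-2
    return first, second, third, client.token_requests


def demo_wrong_secret():
    """A wrong secret yields invalid_client and no token is cached."""
    good_auth = basic_auth_header("product-sa-client", "password")
    client = TokenClient("product-sa-client", "wrong",
                         make_fake_transport(good_auth, ["never-issued"]), clock=lambda: 0.0)
    try:
        client.access_token()
    except RuntimeError as exc:
        return str(exc)
    return "no error raised"


if __name__ == "__main__":
    print(demo())
    print(demo_wrong_secret())
```

Two practical points the code encodes: the Basic value it builds for product-sa-client:password is the one in the request shown above, so a mismatch in your own client usually means a stray newline or URL-encoding applied to the secret; and since the endpoint answers with Cache-Control: no-store, the token belongs in process memory only, with renewal driven by expires_in rather than by waiting for a 401 from the API.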