Authorization Code Flow
If your client is registered with the Authorization Code grant type, you can request an access token using Postman.
You can find step-by-step instructions here: https://learning.postman.com/docs/postman/sending-api-requests/authorization/#oauth-20
You can learn more about the OpenID Connect Authorization Code flow from these resources:
- for hard-core lovers of specs: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
- for those who prefer things explained more simply: https://connect2id.com/learn/openid-connect
- some more info: https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660
But if you need more guidance that is specific to Connect API, here it comes.
In the Authorization tab for a request, select OAuth 2.0 from the Type dropdown list. Specify that you want to pass the auth details in the request headers.
To request an access token, click Get New Access Token.
The parameters to request a new access token are as follows:
- Token Name: The name you want to use for the token.
- Grant Type: Authorization Code for this flow.
- Callback URL: The client application callback URL that the user is redirected to after authentication; it must be registered with our Identity Server. For the SaltoKS Web app the values are:
- Access Token URL: The endpoint of our Identity Server at which an authorization code is exchanged for an access token.
- Client ID: The ID of your client application registered with our Identity Server.
- Client Secret: If your application is a confidential (private) client, you will also receive a client secret from us. If your application is a public client, no secret is needed for authentication. To find out more about the different application types, go here.
- Scope: The scope of access you are requesting, which may include multiple space-separated values. For Connect API the values are:
  - user_api.full_access (this scope grants access to all public endpoints of Connect API)
  - openid
  - profile
  - offline_access (optional; specify it if you want to request a refresh token)
- State: An opaque value used to prevent cross-site request forgery. Use a random value.
- Client Authentication: Send as Basic Auth header
Log in to your client app. If you are using the SaltoKS Web app front end, the login screen will look like this:
After you have inserted your credentials, you’ll be presented with a consent form.
Click YES, ALLOW
Now you have an access token (and maybe a refresh token) that you can use to make API calls to Connect API. Click Use Token to add it to the current request, or copy and paste it into your environment variables to reuse it between requests. Either way, the token must be sent in the Authorization request header as a Bearer token.
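The same four steps Postman performs above, written out as an added Python example (not Salto's own code) so the state check and the Basic client authentication are visible. The Identity Server endpoint is an assumed placeholder; the scopes are the ones listed on this page.

```python
import base64
import secrets
import urllib.parse

# Placeholder (assumed): the real Identity Server authorize endpoint comes from Salto KS.
AUTHORIZE_URL = "https://identity.example/connect/authorize"
# Scopes listed on this page; offline_access is optional and requests a refresh token.
SCOPES = ["openid", "profile", "user_api.full_access", "offline_access"]


def new_state():
    # Opaque random value; keep it client-side and compare it on the callback.
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, callback_url, state, scopes=SCOPES):
    """Step 1: the URL the browser is sent to when you click Get New Access Token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": callback_url,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(redirected_url, expected_state):
    """Step 2: extract the code from the callback, rejecting a mismatched state (CSRF check)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirected_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def build_token_request(client_id, client_secret, code, callback_url):
    """Step 3: headers and form body for the Access Token URL. Confidential clients send
    client_id:client_secret as HTTP Basic auth; public clients send client_id in the body."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": callback_url}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        creds = urllib.parse.quote(client_id) + ":" + urllib.parse.quote(client_secret)
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    else:
        body["client_id"] = client_id
    return headers, urllib.parse.urlencode(body)


def bearer_header(access_token):
    # Step 4: every Connect API call carries the token as a Bearer token.
    return {"Authorization": "Bearer " + access_token}
```

Send the step 3 request as a POST to the Access Token URL; the JSON response carries access_token and, if offline_access was requested, refresh_token.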