Overview
The following steps show how to authenticate with user name and password via OAuth2's Resource Owner Password Credentials (ROPC) grant.
For additional information and other options, see Authentication. Other authorization options usually also have different ways to refresh or invalidate a token.
Authentication should always use the following steps:
-
Acquire an access token
-
Use the access token for calls to CloudUX.
-
Refresh the token regularly.
-
When the session is not needed anymore: log out and invalidate the access token.
Acquire an access token
Steps:
-
Call
GET
on https://cloudux-host/auth where cloudux-host is the host name of your CloudUX installation. The result is a HAL resource with, among others, the linkauth:identity-providers
:{ "_links": { "auth:identity-providers": [ { "href": "https://cloudux-host/..." } ], ... } }
-
Call
GET
on the href of theauth:identity-providers
link rel. The response contains a list of identity providers in the property _embedded. One of them has a linkauth:ropc-default
:{ "_embedded": { "auth:identity-provider": [ { "_links": { "auth:ropc-default": [ { "href": "https://cloudux-host/..." } ] }, "kind": "oauth" }, ... ] } }
-
Send a
POST
request to the URL in the property href of that identity provider.-
Use an x-www-form-urlencoded body with:
-
grant_type=password
-
username
set to the user name of the caller -
password
set to the password of the caller
-
-
Set the HTTP header
Authorization
toBasic
followed by the HTTP basic authentication token from your app record.POST /auth/sso/login/oauth2/ropc/ad HTTP/1.1 Host: cloudux-host Content-Type: application/x-www-form-urlencoded Authorization: Basic {HTTP basic token from app record} Accept: application/json Content-Length: ** grant_type=password&username=johndoe&password=1234
-
-
The result contains the access token to use in the property access_token:
{ "access_token": "MzFlYjlhY2EtNDdiZC00MzhmLThiY2YtZGY5ODY2YmQ0ZGRk", "expires_in": 900, "token_type": "Bearer", ... }
The property expires_in contains the expiration time of the token in seconds.
Use the access token
There are two ways to use the access token for REST calls to CloudUX.
avidAccessToken cookie
The authentication call sets a cookie avidAccessToken with the access token as value. If your client implementation has proper cookie support, the calls to CloudUX will use that access token automatically.
Authorization header
You can set the Authorization header to Bearer
followed by your access token
to pass the access token to CloudUX:
Authorization: Bearer MzFlYjlhY2EtNDdiZC00MzhmLThiY2YtZGY5ODY2YmQ0ZGRk
Refresh the access token
Steps:
-
The original
GET
request to https://cloudux-host/auth above also returns the linkauth:token
:{ "_links": { "auth:token": [ { "href": "https://cloudux-host/...", "name": "current" } ], ... } }
-
Take the
auth:token
link and call the URI in the href with a valid access token in the Authorization header or the avidAccessToken cookie. The result contains information about the token and the linkauth-token:extend
:{ "_links": { "auth-token:extend": [ { "href": "https://cloudux-host/..." } ], ... }, ... }
-
Call the href of that link with HTTP method
POST
to extend the expiration time of the access token.
Log out
To log out and invalidate the access token:
-
The original
GET
request to https://cloudux-host/auth above also returns the linkauth:token
:{ "_links": { "auth:token": [ { "href": "https://cloudux-host/...", "name": "current" } ], ... } }
-
Take the
auth:token
link and call the URI in the href with a valid access token in the Authorization header or the avidAccessToken cookie. The result contains information about the token and the linkauth-token:extend
:{ "_links": { "auth-token:removal": [ { "href": "https://cloudux-host/..." } ], ... }, ... }
-
Call the href of that link with HTTP method
DELETE
to log out and invalidate the access token.
Previous page: Introducation and initial steps |
Up: Quick start |
Next page: Query the CTMS Registry |