This post gives a basic idea of how the OAuth2 client_credentials and refresh_token grant types work, with examples. Apart from these, you should also be aware of the OAuth 2.0 Token Introspection endpoint, which returns meta-information about a token (whether it is active, its scope, its expiry).



For more information please read The OAuth 2.0 Authorization Framework.


Client Registration Flow


Info to read: Protocol Flow / Client Registration


Request


curl -X POST https://api.hello.com/v1/{clients|register} \
  -H 'Content-Type: application/json' \
  -d '{"username":"client-email@domain.com","password":"client-password"}'

Response


201 Created
{
"client_id": "ID",
"client_key": "KEY",
"client_secret": "SECRET"
}

Client Credentials Flow


Info to read: Client Credentials Grant / Access Token Request / Access Token Response. The S0VZOlNFQ1JFVA== below is the base64 encoding of the string KEY:SECRET, i.e. client_key and client_secret joined by a colon, sent as HTTP Basic client authentication.


Request


curl -X POST https://api.hello.com/v1/oauth/token \
  -H 'Authorization: Basic S0VZOlNFQ1JFVA==' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials'

Response


200 OK
Cache-Control: no-store
Pragma: no-cache
{
"access_token": "ACCESS_TOKEN",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "REFRESH_TOKEN"
}

Refresh Token Flow


Info to read: Refresh Token / Refreshing an Access Token


Request


curl -X POST https://api.hello.com/v1/oauth/token \
  -H 'Authorization: Basic S0VZOlNFQ1JFVA==' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token&refresh_token=REFRESH_TOKEN'

Response


200 OK
Cache-Control: no-store
Pragma: no-cache
{
"access_token": "NEW_ACCESS_TOKEN",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "NEW_REFRESH_TOKEN"
}

Consuming OAuth2 Authenticated APIs


Request


curl -X GET https://api.hello.com/v1/resource \
  -H 'Authorization: Bearer ACCESS_TOKEN'
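The three curl calls above are one procedure: authenticate the client with Basic KEY:SECRET, keep the returned token pair in memory only (the token response is marked Cache-Control: no-store), refresh shortly before expires_in runs out, and send the access token as a Bearer header. The Python below is an added example, not code from the post; it wires those steps into a small client and exercises it against a constructed stand-in server so it runs offline. The api.hello.com URLs and the KEY/SECRET/ACCESS_TOKEN values are the post's placeholders; FakeAuthServer, OAuth2Client, the 60-second refresh skew and the refresh-token rotation are assumptions of this example. One caveat worth knowing: RFC 6749 section 4.4.3 says a refresh token SHOULD NOT be issued for the client_credentials grant, since the client can simply re-authenticate, so the refresh step here is written to fall back to a fresh client_credentials request whenever no refresh token is held.

```python
"""OAuth2 client_credentials + refresh_token client (added example, not from the post)."""
import base64
import json
import time
import urllib.parse
from typing import Callable, Dict, Optional, Tuple

# Endpoints are the post's placeholders, not real hosts.
TOKEN_URL = "https://api.hello.com/v1/oauth/token"
RESOURCE_URL = "https://api.hello.com/v1/resource"

# transport(method, url, headers, body) -> (status, headers, body).
# Assumed abstraction so the example runs offline; swap in urllib or requests for real use.
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, Dict[str, str], str]]


def basic_auth_header(client_key: str, client_secret: str) -> str:
    """HTTP Basic value for the token endpoint: base64("KEY:SECRET") gives S0VZOlNFQ1JFVA==."""
    raw = f"{client_key}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class OAuth2Client:
    """Keeps one access/refresh token pair in memory only (response is Cache-Control: no-store)."""

    def __init__(self, key: str, secret: str, transport: Transport,
                 clock: Callable[[], float] = time.time, skew_seconds: int = 60):
        self._auth = basic_auth_header(key, secret)
        self._transport = transport
        self._clock = clock
        self._skew = skew_seconds  # refresh this many seconds before expires_in elapses
        self._access_token: Optional[str] = None
        self._refresh_token: Optional[str] = None
        self._expires_at = 0.0

    def _token_request(self, form: str) -> dict:
        headers = {"Authorization": self._auth,
                   "Content-Type": "application/x-www-form-urlencoded"}
        status, _, body = self._transport("POST", TOKEN_URL, headers, form)
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {body}")
        tok = json.loads(body)
        if tok.get("token_type", "").lower() != "bearer":
            raise RuntimeError("unexpected token_type")
        self._access_token = tok["access_token"]
        # Servers may rotate the refresh token; keep the newest, or the old one if none is returned.
        self._refresh_token = tok.get("refresh_token", self._refresh_token)
        self._expires_at = self._clock() + int(tok["expires_in"])
        return tok

    def fetch_token(self) -> dict:
        return self._token_request("grant_type=client_credentials")

    def refresh(self) -> dict:
        if self._refresh_token is None:
            return self.fetch_token()  # nothing to refresh with: re-authenticate instead
        form = "grant_type=refresh_token&refresh_token=" + urllib.parse.quote(self._refresh_token, safe="")
        return self._token_request(form)

    def token_is_fresh(self) -> bool:
        return self._access_token is not None and self._clock() + self._skew < self._expires_at

    def get(self, url: str) -> Tuple[int, Dict[str, str], str]:
        if not self.token_is_fresh():
            self.refresh()
        return self._transport("GET", url, {"Authorization": "Bearer " + self._access_token}, None)


class FakeAuthServer:
    """Constructed stand-in for api.hello.com so the example runs offline (not the post's server)."""

    def __init__(self, key: str = "KEY", secret: str = "SECRET"):
        self._expected_auth = basic_auth_header(key, secret)
        self.issued = 0        # token pairs minted so far
        self.grants = []       # grant_type of every token request, in order
        self._access: Optional[str] = None
        self._refresh: Optional[str] = None

    def _issue(self) -> Tuple[int, Dict[str, str], str]:
        self.issued += 1
        self._access = f"ACCESS_TOKEN_{self.issued}"
        self._refresh = f"REFRESH_TOKEN_{self.issued}"  # rotation: the previous refresh token stops working
        body = {"access_token": self._access, "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": self._refresh}
        return 200, {"Cache-Control": "no-store", "Pragma": "no-cache"}, json.dumps(body)

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[str]):
        if url == TOKEN_URL and method == "POST":
            if headers.get("Authorization") != self._expected_auth:
                return 401, {}, json.dumps({"error": "invalid_client"})
            params = dict(urllib.parse.parse_qsl(body or ""))
            grant = params.get("grant_type")
            self.grants.append(grant)
            if grant == "client_credentials":
                return self._issue()
            if grant == "refresh_token" and params.get("refresh_token") == self._refresh:
                return self._issue()
            return 400, {}, json.dumps({"error": "invalid_grant"})
        if url == RESOURCE_URL and method == "GET":
            if self._access and headers.get("Authorization") == "Bearer " + self._access:
                return 200, {}, json.dumps({"resource": "ok"})
            return 401, {"WWW-Authenticate": "Bearer"}, ""
        return 404, {}, ""


def demo() -> dict:
    """Run the token and resource flows against the fake server with a controllable clock."""
    server = FakeAuthServer()
    now = [1_000_000.0]
    client = OAuth2Client("KEY", "SECRET", server, clock=lambda: now[0], skew_seconds=60)
    first = client.get(RESOURCE_URL)[0]    # no token yet: client_credentials grant, then GET
    second = client.get(RESOURCE_URL)[0]   # token still fresh: no token request made
    now[0] += 3600 - 30                    # inside the 60 s skew window: refresh_token grant
    third = client.get(RESOURCE_URL)[0]
    return {"statuses": [first, second, third], "grants": server.grants, "issued": server.issued}


if __name__ == "__main__":
    print(demo())
```

Running the module prints three 200 responses backed by exactly two token requests, the first with grant_type=client_credentials and the second with grant_type=refresh_token. Because the fake server rotates the refresh token on every issue, replaying the first REFRESH_TOKEN after the refresh would be rejected with invalid_grant, which is the behaviour to expect from a server that implements refresh-token rotation.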