
Obtain Bearer token using only Client ID and Secret. Is it possible?

I have WSO2 API Manager on a standalone machine. I have a Java client (assume PSVM) with the necessary Client ID and Secret of the registered application on APIM. Can we obtain the Bearer Token using only the Client ID and Secret in Java?

Help appreciated, please.

I have the following code, but it requires a username and password.

public Token getToken(String username, String password, String scopes){

    String submitUrl = GenarateAccessTokenConfiguration.getInstance().getLoginURL();
    String consumerKey = GenarateAccessTokenConfiguration.getInstance().getConsumerKey();
    String consumerSecret = GenarateAccessTokenConfiguration.getInstance().getConsumerSecret();

    try {
        // HTTP Basic credentials for the registered application: base64(consumerKey:consumerSecret).
        // java.util.Base64 replaces sun.misc.BASE64Encoder, which is not available in current JDKs.
        String applicationToken = consumerKey + ":" + consumerSecret;
        applicationToken = "Basic " + java.util.Base64.getEncoder()
                .encodeToString(applicationToken.getBytes("UTF-8"));

        // Password grant: URL-encode each value so '&', '=' or spaces cannot alter the form body.
        String payload = "grant_type=password&username=" + java.net.URLEncoder.encode(username, "UTF-8")
                + "&password=" + java.net.URLEncoder.encode(password, "UTF-8")
                + "&scope=" + java.net.URLEncoder.encode(scopes, "UTF-8");
        HttpResponse httpResponse = httpClient.doPost(submitUrl,applicationToken,
                payload,"application/x-www-form-urlencoded");
        if (httpResponse.getStatusLine().getStatusCode() != 200) {
            return null;
        }
        String response = httpClient.getResponsePayload(httpResponse);

        // Debug output: this JSON contains the access token, so it ends up wherever stdout is logged.
        System.out.println("JSON Response : "+response);

        return JSONClient.getAccessToken(response);
    } catch (IOException e) {
        e.printStackTrace();
        return null;
    }
}

public Token getTokenWithScopes(String username, String password, String scopes){
    String submitUrl = GenarateAccessTokenConfiguration.getInstance().getLoginURL();
    String consumerKey = GenarateAccessTokenConfiguration.getInstance().getConsumerKey();
    String consumerSecret = GenarateAccessTokenConfiguration.getInstance().getConsumerSecret();
    try {
        // HTTP Basic credentials for the registered application: base64(consumerKey:consumerSecret).
        String applicationToken = consumerKey + ":" + consumerSecret;
        applicationToken = "Basic " + java.util.Base64.getEncoder()
                .encodeToString(applicationToken.getBytes("UTF-8"));

        // Password grant: URL-encode each value so '&', '=' or spaces cannot alter the form body.
        String payload = "grant_type=password&username=" + java.net.URLEncoder.encode(username, "UTF-8")
                + "&password=" + java.net.URLEncoder.encode(password, "UTF-8")
                + "&scope=" + java.net.URLEncoder.encode(scopes, "UTF-8");
        HttpResponse httpResponse = httpClient.doPost(submitUrl,applicationToken,
                payload,"application/x-www-form-urlencoded");
        if (httpResponse.getStatusLine().getStatusCode() != 200) {
            return null;
        }
        String response = httpClient.getResponsePayload(httpResponse);
        return JSONClient.getAccessToken(response);
    } catch (IOException e) {
        e.printStackTrace();
        return null;
    }
}

You may look into its Token API:

Users need access tokens to invoke APIs subscribed under an application. Access tokens are passed in the HTTP header when invoking APIs. The API Manager provides a Token API that you can use to generate and renew user and application access tokens. The response of the Token API is a JSON message. You extract the token from the JSON and pass it with an HTTP Authorization header to access the API.

The following topics explain how to generate/renew access tokens and authorize them. WSO2 API Manager supports the four most common authorization grant types and you can also define additional types.

  • Exchanging SAML2 Bearer Tokens with OAuth2 - SAML Extension Grant Type
  • Generating Access Tokens with Authorization Code - Authorization Code Grant Type
  • Generating Access Tokens with NT LAN Manager - NTLM Grant Type
  • Generating Access Tokens with User Credentials - Password Grant Type

If you check the OAuth2 grant types, you could find an answer for this. WSO2 API Manager supports all grant types (Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials) mentioned in the OAuth 2.0 spec. Each grant type has a different flow to generate an access token.

The Resource Owner Password Credentials grant type (or password grant type), which you are using now, needs a username and password to generate the token. If you want to use the client secret and client ID, then you can use the client credential grant type. See the client credential grant type section.
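
The client credentials request suggested in the answer above, as an added example that is not part of the original posts or of WSO2's code. It assumes Java 11+, and the class name and the `TOKEN_URL`, `CLIENT_ID` and `CLIENT_SECRET` environment variable names are hypothetical; the token endpoint address is not given on this page, so it is supplied by the caller.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ClientCredentialsToken {

    // RFC 6749 section 2.3.1: form-encode id and secret, join with ':', Base64 the result.
    static String basicAuth(String clientId, String clientSecret) {
        String pair = URLEncoder.encode(clientId, StandardCharsets.UTF_8) + ":"
                + URLEncoder.encode(clientSecret, StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    // Requests an application token; no username or password is sent.
    static String fetchToken(String tokenUrl, String clientId, String clientSecret, String scopes)
            throws Exception {
        String body = "grant_type=client_credentials";
        if (scopes != null && !scopes.isBlank()) {
            body += "&scope=" + URLEncoder.encode(scopes, StandardCharsets.UTF_8);
        }
        HttpRequest request = HttpRequest.newBuilder(URI.create(tokenUrl))
                .header("Authorization", basicAuth(clientId, clientSecret))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            // Report the status only; error bodies and tokens do not belong in logs.
            throw new IllegalStateException("Token request failed: HTTP " + response.statusCode());
        }
        // Minimal extraction for the example; use a JSON parser in real code.
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(response.body());
        if (!m.find()) throw new IllegalStateException("No access_token in response");
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        // Assumed environment variables; the secret stays out of source code.
        String token = fetchToken(System.getenv("TOKEN_URL"), System.getenv("CLIENT_ID"),
                System.getenv("CLIENT_SECRET"), null);
        System.out.println("Received token of length " + token.length());
    }
}
```

If the API Manager presents a self-signed certificate, import it into the JVM trust store rather than disabling certificate validation. The request only succeeds if the client credentials grant is enabled for the registered application.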
