Software AG Products 10.5 | Using API Gateway | Usage Scenarios | Secure API using OAuth2 with refresh token workflow | Refresh Token Process Flow | How to get the access token with resource owner permission?
 
How to get the access token with resource owner permission?
This use case starts when you get the authorization code and ends when you access then API.
*To get access token using authorization code grant type (With resource owner permission).
1. Get authorization code.
a. Click the http(s)://hostname:port/invoke/pub.apigateway.oauth2/authorize?response_type=code&redirect_uri=< redirectURI>&client_id=<Client ID>.
Note:
Make sure you have replaced the <redirectURI> and <ClientID> in the above mentioned URL. You can get the redirect URI and client ID from the Authentication tab of the Application screen.
b. Click the Approve button.
c. Enter the credentials of your API Gateway instance.
You will be re-directed to the redirect URI as per to the configuration. The below screenshot is just a sample, you will be redirected to a different URL based on your configuration and so the screenshot varies accordingly . If the given redirect URI is not a valid web page, you may get a Page not found error, which is fine, because we get the authorization code value from the browser URL.
d. Make a note of the authorization code that is displayed in the address bar of the browser. As highlighted in the above image's URL, you can see the authorization code in the code= field of the URL.
2. Get Access Token.
a. Invoke the access token endpoint.
Request: POST http(s):// hostname:port /invoke/pub.apigateway.oauth2/getAccessToken
In the Authorization tab, select the authorization type as Basic Auth. Provide the client ID as username and client secret as password. You can get the client ID and client secret in the Authentication tab of the Application screen.
Sample request body
{
"redirect_uri":"http://test.com",
"scope":"email",
"grant_type":"authorization_code",
"code":"4b4b16c68f1c4b6fa7f26e0cb00b5daa"
}
Note:
You must replace the redirect_URI, scope, and code with appropriate values. For the code field value, make sure you use the authorization code that you have noted down in the previous step.
Sample response body
{
"scope": "TestRefreshtoken",
"access_token": "c92b6227a19c46f1a6545bf370bb6ee6e30ff87957ef4b1aaa9577f7e86e4bd7",
"refresh_token": "f78dd4fc5b8d4d799cf066427e828e26ce7e3723e4334416a7b9cd8a274e6947",
"token_type": "Bearer",
"expires_in": 3600
}

3. Access API using the REST API client.
In the Authorization tab, select the authorization type as Bearer Token and provide the access token that you get from the response payload of the previous step.