pub.oauth:getAccessToken
WmPublic.
Deprecated - Replaced by
pub.oauth:getToken.
Requests an access token from the Integration Server acting as the authorization server.
The authorization server validates the request and generates an access token and a refresh token (if the grant type supports it and the client is configured to get refresh tokens). The tokens, along with the client identifier, token expiration interval, and scope are stored in the authorization server's cache.
Input Parameters
grant_type | String Specifies the type of grant flow required by the client. Specify one of the following: authorization_code client_credentials password |
client_id | String. Optional. The client identifier generated by the authorization server when the client application is registered. The client_id is used to authenticate the client to the authorization server. Public clients must provide a value for client_id. Confidential clients do not need to provide a value for this parameter because they are required to use HTTP authentication to identify themselves. The service ignores the client_id value when the grant_type is client_credentials. |
code | String. Optional. The OAuth authorization code received from the authorization server. A code value is required when the grant_type is authorization_code. Integration Server ignores code for all other grant types. |
redirect_uri | String. Optional. The URI the authorization server will use to redirect the client when the client is authorized. A redirect_uri value is required when the grant_type is authorization_code and the client registration specifies more than one redirect URI. The redirect_uri value must match the redirect URI supplied to the pub.oauth:authorize service. The service ignores redirect_uri for all other grant types. |
scope | String. Optional. Specify the name of one or more scopes required by the client. Use a space to separate multiple scopes. The scope value is used when grant_type is client_credentials or password. The scope value is ignored for other grant_type values. |
username | String. Optional. The user name of the resource owner. A username is required when the grant_type is password. The service ignores username for all other grant types. |
password | String. Optional. The password of the resource owner. A username is required when the grant_type is password. The service ignores password for all other grant types. |
Output Parameters
access_token | String The access token issued by the authorization server. |
token_type | String The type of access token issued by the authorization server. The value is Bearer. |
expires_in | String The number of seconds for which the access token is valid. |
refresh_token | String. Optional. The refresh token issued by the authorization server. You can use this token to obtain new access tokens using the same authorization grant. If the client is registered with a refresh limit of 0, no refresh token is issued. |
Usage Notes
The
pub.oauth:getAccessToken service is deprecated. Use the
pub.oauth:getToken service instead.
The pub.oauth:getAccessToken service can be used with authorization code, resource owner password credentials, and client credentials grant flows.
The pub.oauth:getAccessToken service is the token endpoint for the Integration Server acting as the authorization server. The token endpoint URL is:
https://host:port/invoke/pub.oauth/getAccessToken
The pub.oauth:getAccessToken service must be invoked using HTTPS unless the Require HTTPS setting on the Security > OAuth > Edit OAuth Global Settings page is disabled.
Clients must invoke the pub.oauth:getAccessToken service via an HTTP POST request unless the watt.server.oauth.requirePost server configuration parameter is set to false. When this parameter is set to false, clients can invoke this service using HTTP GET.
Confidential clients must authenticate requests by supplying their credentials in the HTTP Authorization header.
Authentication code is not persisted in the database. If Integration Server is restarted after the authorization code is issued but before the access token is requested, Integration Server will reject the request for the access token.
The token_type output parameter is always Bearer. The authorization server retains the information about the bearer tokens it issues, including the user information. When the client presents a bearer token to the resource server, the resource server checks with the authorization server to see whether the user is allowed to access the requested folders and services.
The tokens, authorization codes, and client information are stored in the authorization server's caches. By default, these caches maintain up to 1000 elements in memory and 20000 elements on disk. If the cache size is exceeded, OAuth performance can be affected on
Integration Server and can lead to errors if the disk runs out of space. If you anticipate that your authorization server's cache will exceed the default size, you should increase the
Maximum Elements In Memory,
Maximum Elements On Disk, or
Maximum Off-Heap settings for
Integration Server. For information about changing these settings, see
the section Working with Caches in the webMethods Integration Server Administrator’s Guide.
Working with Caches. If the cache is distributed, see the
BigMemory Max product documentation for 4.1 at
www.terracotta.org/documentation for additional considerations when sizing distributed caches.