In the Authorization Code grant type, the user authenticates with the authorization server and consents to the app accessing protected resources on the resource server, without ever exposing the username/password to the client app.
The client first sends an authorization request to the authorization endpoint to obtain an authorization code, then exchanges that code at the token endpoint for an access token (Steps 1 and 2 below).
Step 1: Configure the OAuth Authorization End Point policy, provide the following parameter values in Postman and click the Send button to get the authorization code:
- Method: GET.
- URL: Project proxy URL.
- Query Parameters:
- response_type: Must be set to code.
- client_id: The client identifier assigned by the authorization server when the client was registered (displayed as "Consumer Key" for the product the client has subscribed to).
- redirect_uri: The redirect URI registered by the client. The authorization server sends the user back to this URI with the authorization code appended as the code query parameter, so it must match the registered value exactly.
URI: To get the authorization code
Response: Response to the URI above (the authorization code returned on the redirect URI):
Step 2: Configure the OAuth Token End Point policy, provide the following parameter values in Postman and click the Send button to get the access token:
- Method: POST.
- URL: Project proxy URL.
- Query Parameters:
- client_id: The client identifier assigned by the authorization server when the client was registered (displayed as "Consumer Key" for the product the client has subscribed to).
- client_secret: The client secret issued when the client was registered (displayed as "customer-secret" for the product the client has subscribed to).
- grant_type: Must be set to authorization_code.
- code: The authorization code received from the authorization server at the end of Step 1. It is single-use and short-lived, so the token request must follow promptly.
- redirect_uri: The redirect URI registered by the client. This value must be identical to the redirect_uri sent in Step 1; the authorization server rejects the exchange if it differs.
- scope: The scope requested for the token. This parameter is OPTIONAL; see the Obtaining Access Token with Scope section for details.
Note that sending client_secret and code as query parameters leaves both in proxy and web-server access logs. RFC 6749 (sections 2.3.1 and 4.1.3) puts the token request parameters in the form-encoded POST body and the client credentials in an HTTP Basic Authorization header; use that form where the proxy accepts it.
URI: To get the OAuth access token
Sample response: The response to the URI above contains an access token, the time for which the token is valid, and a refresh token. When a valid request is sent, the response looks like the one below.
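The two steps above, carried out by a client script rather than by hand in Postman. This is an added example, not code from the original page or from the product it documents: the proxy URL, client credentials, redirect URI, and the redirect and token-response messages it consumes are constructed placeholders. It goes beyond the page in two ways that RFC 6749 recommends: it adds a state parameter to Step 1 and checks it on the redirect (section 10.12), and in Step 2 it sends the parameters in the POST body with the client credentials in a Basic Authorization header (sections 2.3.1 and 4.1.3) instead of the query string.

```python
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders (assumptions, not values from the page or a real server).
PROXY_URL = "https://api.example.com/oauth"
CLIENT_ID = "consumer-key-from-product-subscription"
CLIENT_SECRET = "consumer-secret-from-product-subscription"
REDIRECT_URI = "https://client.example.com/callback"


def build_authorization_request(proxy_url, client_id, redirect_uri, state, scope=None):
    """Step 1: the GET URL for the authorization endpoint.

    `state` is an unguessable per-request value the client stores and later
    compares against the redirect, so an attacker cannot splice their own
    authorization code into the victim's session (RFC 6749 section 10.12).
    """
    params = {
        "response_type": "code",  # must be "code" for this grant
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if scope:
        params["scope"] = scope
    return proxy_url + "?" + urlencode(params)


def extract_code_from_redirect(redirect_url, expected_state):
    """Pull the authorization code out of the redirect to redirect_uri.

    Raises if the server reported an error, the state does not match the
    one issued in Step 1, or no code is present.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or code injection")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return query["code"][0]


def build_token_request(proxy_url, client_id, client_secret, code, redirect_uri, scope=None):
    """Step 2: the POST that exchanges the code for an access token.

    Unlike the Postman recipe above, parameters go in the form-encoded body
    and the client credentials in a Basic Authorization header (RFC 6749
    sections 2.3.1 and 4.1.3), keeping secret and code out of URL logs.
    """
    basic = base64.b64encode((client_id + ":" + client_secret).encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the Step 1 value
    }
    if scope:
        body["scope"] = scope
    return proxy_url, headers, urlencode(body)


def parse_token_response(raw_json, now=None):
    """Turn the token response into a record with an absolute expiry, so the
    client knows when to use the refresh token instead of the access token."""
    now = time.time() if now is None else now
    data = json.loads(raw_json)
    if "access_token" not in data:
        raise ValueError("token request rejected: " + str(data.get("error", "unknown")))
    return {
        "access_token": data["access_token"],
        "token_type": data.get("token_type", "Bearer"),
        "expires_at": now + int(data.get("expires_in", 0)),
        "refresh_token": data.get("refresh_token"),
    }


def run_flow_with_constructed_messages():
    """Drive Step 1 and Step 2 end to end with constructed server messages."""
    state = secrets.token_urlsafe(16)
    auth_url = build_authorization_request(PROXY_URL, CLIENT_ID, REDIRECT_URI, state)
    # Constructed: the redirect the browser would receive after user consent.
    redirect = REDIRECT_URI + "?" + urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    code = extract_code_from_redirect(redirect, state)
    url, headers, body = build_token_request(PROXY_URL, CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    # Constructed: a token response in the shape the page describes.
    response = json.dumps({"access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer",
                           "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"})
    return auth_url, code, url, headers, body, parse_token_response(response, now=1700000000)


if __name__ == "__main__":
    for part in run_flow_with_constructed_messages():
        print(part)
```

To run it against a real proxy, open the URL from build_authorization_request in a browser, paste the URL the browser lands on into extract_code_from_redirect, and send the output of build_token_request with any HTTP client; the state check and the redirect_uri equality are the two places where a mismatch is a security signal, not a typo to paper over.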