3.3 Obtaining a server-to-server access token
Once you have configured MyID to allow server-to-server access, set up the user account for the API, configured the shared secret, and set up the web.oauth2 web service to recognize your external system, you can request an access token that you can then use to call the API.
3.3.1 Requesting an access token
Request the access token from the following location:
https://<myserver>/web.oauth2/connect/token
POST a request in application/x-www-form-urlencoded format.
You must provide the following parameters:
- grant_type=client_credentials
- scope=myid.rest.basic
You must also provide an Authorization header containing "Basic " followed by your client ID and shared secret, joined with a colon and encoded as a single Base64 string.
For example, if your client ID is:
myid.mysystem
and the secret is:
82564d6e-c4a6-4f64-a6d4-cac43781c67c
the combination is:
myid.mysystem:82564d6e-c4a6-4f64-a6d4-cac43781c67c
and the Base64 string is:
bXlpZC5teXN5c3RlbTo4MjU2NGQ2ZS1jNGE2LTRmNjQtYTZkNC1jYWM0Mzc4MWM2N2M=
and the value of the Authorization header is:
Basic bXlpZC5teXN5c3RlbTo4MjU2NGQ2ZS1jNGE2LTRmNjQtYTZkNC1jYWM0Mzc4MWM2N2M=
Important: Do not use this example secret in your own system.
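For example (using cURL; the -k option turns off TLS certificate verification, so omit it when the server's certificate chains to a CA that your client trusts):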
curl -k -i -H "Content-Type: application/x-www-form-urlencoded" -X POST "https://myserver.example.com/web.oauth2/connect/token" -d "grant_type=client_credentials&scope=myid.rest.basic" -H "Authorization: Basic bXlpZC5teXN5c3RlbTo4MjU2NGQ2ZS1jNGE2LTRmNjQtYTZkNC1jYWM0Mzc4MWM2N2M="
or using PowerShell:
$combined = "bXlpZC5teXN5c3RlbTo4MjU2NGQ2ZS1jNGE2LTRmNjQtYTZkNC1jYWM0Mzc4MWM2N2M="
# Set up the body of the request
$body = @{
    grant_type = 'client_credentials'
    scope      = 'myid.rest.basic'
}
# Set up the header of the request
$header = @{
    'Content-Type' = 'application/x-www-form-urlencoded'
    Authorization  = "Basic $combined"
}
# Request the access token
Invoke-WebRequest -Method POST -Uri 'https://myserver.example.com/web.oauth2/connect/token' -Body $body -Headers $header | Select-Object -Expand Content
# Wait for a keypress
Write-Host "`r`nPress any key to continue..." -ForegroundColor Yellow
[void][System.Console]::ReadKey($true)
An alternative method, passing the client_id and client_secret in the body rather than in the header:
# Set up the body of the request
$body = @{
    grant_type    = 'client_credentials'
    scope         = 'myid.rest.basic'
    client_id     = 'myid.mysystem'
    client_secret = '82564d6e-c4a6-4f64-a6d4-cac43781c67c'
}
# Set up the header of the request
$header = @{
    'Content-Type' = 'application/x-www-form-urlencoded'
}
# Request the access token
Invoke-WebRequest -Method POST -Uri 'https://myserver.example.com/web.oauth2/connect/token' -Body $body -Headers $header | Select-Object -Expand Content
# Wait for a keypress
Write-Host "`r`nPress any key to continue..." -ForegroundColor Yellow
[void][System.Console]::ReadKey($true)
You can also use utilities such as SoapUI.
The request returns a block of JSON containing the following:
- access_token – your access token.
- expires_in – the lifetime in seconds for the token. Once the lifetime has expired, you must request a new access token.
- token_type – always Bearer.
- scope – the scope configured for the client in the web.oauth2 web service; usually myid.rest.basic.
For example:
{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjI4ckl2ZDdmMGUwPSIsInR5cCI6ImF0K2p3dCJ9.eyJuYmYiOjE2MTY2ODc5MzcsImV4cCI6MTYxNzA0NzkzNywiaXNzIjoiaHR0cHM6Ly9yZWFjdC5kb21haW4zMS5sb2NhbC93ZWIub2F1dGgyIiwiYXVkIjoibXlpZC5yZXN0IiwiY2xpZW50X2lkIjoibXlpZC5teXN5c3RlbSIsIm15aWRTZXNzaW9uSWQiOiItMTE1NzA0NDEzMSwzNzkxQTc1NC0yNjc4LTQzQUItODdCOS1EQzIyODIwODhCRTIiLCJqdGkiOiJCM0IwMjRBQzlEMEVGREE4RDBGRkJGMDIwQUE2QzQ3QyIsImlhdCI6MTYxNjY4NzkzNywic2NvcGUiOlsibXlpZC5yZXN0LmJhc2ljIl19.qtJUlofaz3gaZIeGzZ0DcqpXtUCjuPtrjpeU35QbdMq2_kEQZWugLwRvWWs_sk_cFu-Z4SesNQcFn8c-Ph8lGvujd7mfoh5UiKenZ5C0IsdLsEpK2BmCkxN7ENpeAfRYVeMv3zTqvuilZ-nwy3OyD_c9GDLEt0qO-lqvb5HTVmdzaSdOYI5TWr-sGkre7SP4_PP9WNq30xTjrCB1UgtIkjLkPsB3yQjFcEVnD6x0vZwWNqeaxlWbP6yjD8UG57ftz-aKf_XGybVE1DG1LlvEwfe_ALg5afnl89453l_8dUQnawbgycIYT2IKgKyxqLX2bnouCV3d56hixsdDM87s_A","expires_in":3600,"token_type":"Bearer","scope":"myid.rest.basic"}
You can now use this access token to call the API.
See section 5.1, Calling the API from an external system, for more information on using an access token.
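The request and response handling described in this section, as an added shell example that is not part of the MyID documentation: it builds the Basic header, passes it to curl on stdin rather than on the command line, and checks the returned fields before working out when a new token is needed. The environment variable names (MYID_TOKEN_URL, MYID_CLIENT_ID, MYID_CLIENT_SECRET), the function names and the 60-second margin are assumptions.

```shell
#!/bin/sh
# Added example, not from the MyID documentation. MYID_TOKEN_URL, MYID_CLIENT_ID,
# MYID_CLIENT_SECRET and every function name are assumptions of this example.

# "Basic " + Base64(client_id:secret). printf is a shell builtin, so the secret
# reaches base64 on stdin and never appears in a command line.
basic_auth_header() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Extract one top-level field from the token response. sed keeps the example
# dependency-free; a real JSON parser is the better choice in production.
json_field() {
  printf '%s\n' "$1" |
    sed -n 's/.*"'"$2"'":[[:space:]]*"\{0,1\}\([^",}]*\).*/\1/p'
}

# Validate the response and print "<access_token> <refresh-after epoch>".
# $2 = scope that was requested, $3 = current epoch (defaults to now).
# The 60-second safety margin is an assumption, not a MyID requirement.
parse_token_response() (
  now=${3:-$(date +%s)}
  token=$(json_field "$1" access_token)
  ttl=$(json_field "$1" expires_in)
  [ -n "$token" ] || exit 1
  [ "$(json_field "$1" token_type)" = "Bearer" ] || exit 1
  [ "$(json_field "$1" scope)" = "$2" ] || exit 1
  case $ttl in '' | *[!0-9]*) exit 1 ;; esac
  printf '%s %s\n' "$token" "$((now + ttl - 60))"
)

# POST to the token endpoint. curl reads the Authorization header from stdin
# (-H @-, curl 7.55.0 or later) and certificate verification stays on (no -k).
request_token() {
  printf 'Authorization: %s\n' \
    "$(basic_auth_header "$MYID_CLIENT_ID" "$MYID_CLIENT_SECRET")" |
    curl --silent --show-error --fail -H @- \
      --data 'grant_type=client_credentials&scope=myid.rest.basic' \
      "$MYID_TOKEN_URL"
}

# Runs only when the endpoint is configured in the environment.
if [ -n "${MYID_TOKEN_URL:-}" ]; then
  parse_token_response "$(request_token)" myid.rest.basic
fi
```

Because curl is run with --fail, an HTTP error from the token endpoint yields an empty response, which parse_token_response rejects with a non-zero exit status.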