3.3 Obtaining a server-to-server access token

Once you have configured MyID to allow server-to-server access, set up the user account for the API, configured the shared secret, and set up the web.oauth2 web service to recognize your external system, you can request an access token that you can then use to call the API.

3.3.1 Requesting an access token

Request the access token from the following location:

https://<myserver>/web.oauth2/connect/token

POST a request in application/x-www-form-urlencoded format.

You must provide the following parameters:

You must also provide an Authorization header containing "Basic " followed by your client ID and shared secret, joined with a colon and encoded as a single Base64 string.

For example, if your client ID is:

myid.mysystem

and the secret is:

82564d6e-c4a6-4f64-a6d4-cac43781c67c

the combination is:

myid.mysystem:82564d6e-c4a6-4f64-a6d4-cac43781c67c

and the Base64 string is:

bXlpZC5teXN5c3RlbTo4MjU2NGQ2ZS1jNGE2LTRmNjQtYTZkNC1jYWM0Mzc4MWM2N2M=

and the authorization token is:

Basic bXlpZC5teXN5c3RlbTo4MjU2NGQ2ZS1jNGE2LTRmNjQtYTZkNC1jYWM0Mzc4MWM2N2M=

Important: Do not use this example secret in your own system.

For example (using cURL):

curl -k -i -H "Content-Type: application/x-www-form-urlencoded" -X POST "https://myserver.example.com/web.oauth2/connect/token" -d "grant_type=client_credentials&scope=myid.rest.basic" -H "Authorization: Basic bXlpZC5teXN5c3RlbTo4MjU2NGQ2ZS1jNGE2LTRmNjQtYTZkNC1jYWM0Mzc4MWM2N2M="

or using PowerShell:

# Base64 of "<client ID>:<shared secret>" (see the worked example above)
$combined = "bXlpZC5teXN5c3RlbTo4MjU2NGQ2ZS1jNGE2LTRmNjQtYTZkNC1jYWM0Mzc4MWM2N2M="

# Set up the body of the request
$body = @{grant_type='client_credentials'
    scope='myid.rest.basic'
    }
# Set up the header of the request
$header = @{'Content-Type'='application/x-www-form-urlencoded'
    Authorization="Basic $combined"
    }

# Request the access token
Invoke-WebRequest -Method POST -Uri 'https://myserver.example.com/web.oauth2/connect/token' -body $body -Headers $header | Select-Object -Expand Content

# Wait for a keypress
Write-Host "`r`nPress any key to continue..." -ForegroundColor Yellow

[void][System.Console]::ReadKey($true)

An alternative method, passing the client_id and client_secret in the body rather than in the header:

# Set up the body of the request
$body = @{grant_type='client_credentials'
    scope='myid.rest.basic'
    client_id='myid.mysystem'
    client_secret='82564d6e-c4a6-4f64-a6d4-cac43781c67c'
    }
# Set up the header of the request
$header = @{'Content-Type'='application/x-www-form-urlencoded'
    }

# Request the access token
Invoke-WebRequest -Method POST -Uri 'https://myserver.example.com/web.oauth2/connect/token' -body $body -Headers $header | Select-Object -Expand Content

# Wait for a keypress
Write-Host "`r`nPress any key to continue..." -ForegroundColor Yellow

[void][System.Console]::ReadKey($true)

You can also use utilities such as SoapUI:

The request returns a block of JSON containing the following:

For example:

{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjI4ckl2ZDdmMGUwPSIsInR5cCI6ImF0K2p3dCJ9.eyJuYmYiOjE2MTY2ODc5MzcsImV4cCI6MTYxNzA0NzkzNywiaXNzIjoiaHR0cHM6Ly9yZWFjdC5kb21haW4zMS5sb2NhbC93ZWIub2F1dGgyIiwiYXVkIjoibXlpZC5yZXN0IiwiY2xpZW50X2lkIjoibXlpZC5teXN5c3RlbSIsIm15aWRTZXNzaW9uSWQiOiItMTE1NzA0NDEzMSwzNzkxQTc1NC0yNjc4LTQzQUItODdCOS1EQzIyODIwODhCRTIiLCJqdGkiOiJCM0IwMjRBQzlEMEVGREE4RDBGRkJGMDIwQUE2QzQ3QyIsImlhdCI6MTYxNjY4NzkzNywic2NvcGUiOlsibXlpZC5yZXN0LmJhc2ljIl19.qtJUlofaz3gaZIeGzZ0DcqpXtUCjuPtrjpeU35QbdMq2_kEQZWugLwRvWWs_sk_cFu-Z4SesNQcFn8c-Ph8lGvujd7mfoh5UiKenZ5C0IsdLsEpK2BmCkxN7ENpeAfRYVeMv3zTqvuilZ-nwy3OyD_c9GDLEt0qO-lqvb5HTVmdzaSdOYI5TWr-sGkre7SP4_PP9WNq30xTjrCB1UgtIkjLkPsB3yQjFcEVnD6x0vZwWNqeaxlWbP6yjD8UG57ftz-aKf_XGybVE1DG1LlvEwfe_ALg5afnl89453l_8dUQnawbgycIYT2IKgKyxqLX2bnouCV3d56hixsdDM87s_A","expires_in":3600,"token_type":"Bearer","scope":"myid.rest.basic"}

You can now use this access token to call the API.

See section 5.1, Calling the API from an external system for more information on using an access token.

3.3.2 Providing a client identifier

MyID captures the IP address and the client identifier of the PC used to carry out the audited operation, and stores this information in the audit trail; see the Logging the client IP address and identifier section in the Administration Guide for more information.

You can provide a client identifier for your grant request by setting a value for the CLIENT_IDENTIFIER header in the request.

Note: You can change the name of the header if required; the header name is specified by the MyID:ClientIdentifierHeader setting in the appSettings.json file of the web.oauth2 web service.
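As an added example, not code from the MyID documentation or product: the token request from section 3.3.1 in Python's standard library, with the Basic header built from client ID and shared secret, the optional CLIENT_IDENTIFIER header from section 3.3.2, and the JSON reply parsed into an absolute expiry time. The server name, client ID and secret are placeholders you supply; the JWT decoder only inspects claims and performs no signature validation.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/web.oauth2/connect/token"

def basic_auth_header(client_id, secret):
    """'Basic ' + Base64(client_id:secret), as the curl/PowerShell examples expect."""
    raw = ("%s:%s" % (client_id, secret)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_token_request(server, client_id, secret, scope, client_identifier=None):
    """Return (url, headers, body) for the client_credentials POST to web.oauth2."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, secret),
    }
    if client_identifier:  # optional; MyID records it in the audit trail next to the IP
        headers["CLIENT_IDENTIFIER"] = client_identifier
    return "https://%s%s" % (server, TOKEN_PATH), headers, body.encode("ascii")

def parse_token_response(json_text, now=None):
    """Pull the bearer token out of the JSON reply; turn expires_in into an absolute time."""
    resp = json.loads(json_text)
    if resp.get("token_type") != "Bearer" or "access_token" not in resp:
        raise ValueError("unexpected token response: %r" % resp)
    now = time.time() if now is None else now
    return {"access_token": resp["access_token"],
            "expires_at": now + int(resp["expires_in"]),
            "scope": resp.get("scope", "")}

def jwt_claims(token):
    """Decode the JWT payload for inspection (exp, scope, aud); no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the Base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def fetch_access_token(server, client_id, secret, scope="myid.rest.basic"):
    """Perform the request; urllib verifies the TLS certificate (unlike curl -k)."""
    url, headers, body = build_token_request(server, client_id, secret, scope)
    # urllib normalises header-name case; HTTP header names are case-insensitive
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read().decode("utf-8"))
```

Call fetch_access_token("myserver.example.com", "myid.mysystem", "<your shared secret>") and pass the returned access_token as a Bearer token to the API until expires_at is reached.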