5.2 Obtaining an access token

Follow the instructions in the Obtaining an end-user based access token using PKCE section of the MyID Core API guide. You must carry out the following:

  1. Generate a PKCE code verifier and code challenge.

    See the Generating a PKCE code verifier and code challenge section.

  2. Obtain an authorization code from the authentication server, passing the PKCE code challenge.

    See the Requesting an authorization code section.

    When you post to the MyID authorization URL, set the client_id to the ID of your intranet system; for example:

    myid.intranet

    You set up this ID when you configured the authentication server; see section 5.1, Configuring web.oauth2 for user-based authentication.

  3. Use the authorization code to request an access token, passing the PKCE code verifier.

    See the Requesting an access token section.

Once you have carried out this procedure, you will have a block of JSON containing an access_token that you can then use to authenticate to your embedded Operator Client screen.
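The three steps above as server-side helper functions, written as an added example for this page (not code from the MyID Core API guide or the Operator Client). It uses the endpoint URLs, client_id, scope and redirect_uri shown in section 5.2.1; the in-memory session dict stands in for your web server's session store, and no network request is made: the functions return the form fields you POST to connect/authorize and connect/token, and the token response quoted in section 5.2.1 is embedded as sample input. The state parameter and the single-use handling of the verifier are additions that the page's forms do not show.

```python
import base64
import hashlib
import json
import secrets

# Values from section 5.2.1 of this page.
AUTHORIZE_URL = "https://react.domain31.local/web.oauth2/connect/authorize"
TOKEN_URL = "https://react.domain31.local/web.oauth2/connect/token"
CLIENT_ID = "myid.intranet"
SCOPE = "myid.rest.basic"
REDIRECT_URI = "https://react.domain31.local/mysystem/callback.asp"


def b64url(data):
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier):
    """S256 transform: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Step 1: a fresh, unguessable verifier (43 chars here) and its challenge.
    Generate a new pair for every authorization request; never hard-code one."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, challenge_for(verifier)


def start_authorization(session):
    """Step 2: form fields for the POST to AUTHORIZE_URL. The verifier and a
    random 'state' stay in the server-side session; only the challenge is sent,
    so an intercepted authorization code is useless without the verifier."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    session["pkce_verifier"] = verifier
    session["oauth_state"] = state
    return {
        "client_id": CLIENT_ID,
        "scope": SCOPE,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }


def handle_callback(session, query):
    """Step 3: takes the query-string parameters of the redirect to callback.asp,
    checks 'state', then builds the POST to TOKEN_URL with the verifier saved in
    step 2. Both session values are single-use and are removed here."""
    if "error" in query or "code" not in query:
        raise RuntimeError("authorization failed: " + str(query.get("error")))
    expected_state = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    if not expected_state or not verifier:
        raise RuntimeError("no pending authorization in this session")
    if not secrets.compare_digest(query.get("state", ""), expected_state):
        raise RuntimeError("state mismatch: possible CSRF or stale session")
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": query["code"],
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


def jwt_claims(token):
    """Decode (without verifying) the access_token payload so the client can
    inspect aud, exp and scope. MyID checks the signature when the token is
    presented; never base your own authorization decisions on unverified claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_token_response(raw):
    """Sanity-check the JSON returned by connect/token and return its claims."""
    body = json.loads(raw)
    if body.get("token_type") != "Bearer" or "access_token" not in body:
        raise RuntimeError("unexpected token response: " + raw[:80])
    claims = jwt_claims(body["access_token"])
    if claims.get("client_id") != CLIENT_ID:
        raise RuntimeError("token was issued to a different client")
    return claims


# Sample input: the token response shown in section 5.2.1 of this page.
SAMPLE_TOKEN_RESPONSE = '{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6Ilh2aVV6cGFjUkRFPSIsInR5cCI6ImF0K2p3dCJ9.eyJuYmYiOjE2MzUzNDA0NjcsImV4cCI6MTYzNTM0NDA2NywiaXNzIjoiaHR0cHM6Ly9yZWFjdC5kb21haW4zMS5sb2NhbC93ZWIub2F1dGgyIiwiYXVkIjoibXlpZC5yZXN0IiwiY2xpZW50X2lkIjoibXlpZC5pbnRyYW5ldCIsInN1YiI6ImE3ODk0MWQyLWZiMTMtNDA5YS05NTM1LWNmZGE1OTU0YTBjNCIsImF1dGhfdGltZSI6MTYzNTM0MDQ1MSwiaWRwIjoibG9jYWwiLCJteWlkU2Vzc2lvbklkIjoiLTQ2ODY0ODcxLEVENjk0ODAzLTg0NkItNDM0OC1CRjNDLTFEREY0MjRGOUZBNiIsImp0aSI6IjRERUYzM0FDMEMwNDA2NjRCMzUyNkJDREVDNUU1ODc3Iiwic2lkIjoiOTBEMDhFOUQ4NkRCMURFQjgzQUEwRUQ3OUI0RUVEOTYiLCJpYXQiOjE2MzUzNDA0NjcsInNjb3BlIjpbIm15aWQucmVzdC5iYXNpYyJdLCJhbXIiOlsicHdkIl19.DKnftzQSesrgod3t8U98LfFbCI4OVbmVP6WRFDLrgKQyxV4segym1ADJO3Y1a-mvSVRM2kfUNeBkh3gmeZqyXieGIkC_c9rhWuBB0SOe9K08sBtsswgTHhO_bZcxCM6bFyr16BcYEt-YHy-T-45Z9J8xS1R7bH-5yQ0_9i8dR0_QbGcihlzsN7V7CuFckyeiCcV9TRrXNHEOtc9d7G508sJWsDT-ac3eskN1zxKh05Wa77hxOQDIq3Fe0rKJKd_16pH2wTYekhIvYQ4QP7yseew1Httk3NkBQ8YQw7Rd4f3bTMBnYlKQNB_amJyK4jVZzwIqanad7A3Y31HcjEIXKQ","expires_in":3600,"token_type":"Bearer","scope":"myid.rest.basic"}'

if __name__ == "__main__":
    session = {}
    fields = start_authorization(session)
    print("POST", AUTHORIZE_URL, fields)
    # Simulated redirect back from web.oauth2 carrying a code and our state.
    token_fields = handle_callback(session, {"code": "<code from MyID>", "state": fields["state"]})
    print("POST", TOKEN_URL, token_fields)
    print(parse_token_response(SAMPLE_TOKEN_RESPONSE))
```

The verifier never leaves the server and is consumed on the first callback, so a replayed or forged redirect cannot exchange a code; the state check ties the callback to the browser session that started the flow. The claims decoded from the sample token show the audience (myid.rest), the issuing client and a one-hour lifetime matching expires_in.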

5.2.1 Example requests

On your server, create the following pages.

The first page is default.asp – this page requests the authorization code.

<html>
<head>
  <title>Request authorization</title>
</head>
<body>
  <form method=post enctype="application/x-www-form-urlencoded" action="https://react.domain31.local/web.oauth2/connect/authorize">
    <p>Client id: <input type="text" name="client_id" value="myid.intranet"></p>
    <p>Scope: <input type="text" name="scope" value="myid.rest.basic"></p>
    <p>Redirect: <input type="text" name="redirect_uri" value="https://react.domain31.local/mysystem/callback.asp"></p>
    <input type="hidden" name="response_type" value="code">
    <input type="hidden" name="code_challenge" value="lzKaVv4bWu06z_m0yFynJj6zttnU5gYpXah8tLYKzGg">
    <input type="hidden" name="code_challenge_method" value="S256">
    <input type="submit">
  </form>
</body>
</html>

This page contains a simple form that posts to the authorization endpoint. The code_challenge value shown is a fixed example; in a real implementation, generate a new code verifier and challenge for every request and keep the verifier on your server, because a challenge that never changes gives PKCE nothing to protect.

The second page is callback.asp – this page is passed the authorization code by the authentication server, and then allows you to request the access token.

<html>
<head>
  <title>Request access token</title>
</head>
<body>
  <form method=post enctype="application/x-www-form-urlencoded" action="https://react.domain31.local/web.oauth2/connect/token">
    <input type="hidden" name="grant_type" value="authorization_code">
    <p>Client id: <input type="text" name="client_id" value="myid.intranet"></p>
    <input type="hidden" name="code_verifier" value="TiGVEDHIRkdTpif4zLw8v6tcdG2VJXvP4r0fuLhsXIj">
    <p>Code: <input type="text" name="code" value="<% Response.Write(Server.HTMLEncode(Request.QueryString("code"))) %>"></p>
    <p>Redirect: <input type="text" name="redirect_uri" value="https://react.domain31.local/mysystem/callback.asp"></p>
    <input type="submit">
  </form>
</body>
</html>

This page is passed the authorization code on the query string, then includes it in a simple form to request the access token. The code value is HTML-encoded before being written into the page, because it arrives from the browser and must not be reflected unescaped. The code_verifier shown is the fixed example value matching the challenge in default.asp; in production it must be the verifier generated for this request, held server-side and used only once. The example forms also send no state parameter; production code should add one to the authorization request and check it on the callback.

The result of posting this form is a block of JSON containing the access token:

{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6Ilh2aVV6cGFjUkRFPSIsInR5cCI6ImF0K2p3dCJ9.eyJuYmYiOjE2MzUzNDA0NjcsImV4cCI6MTYzNTM0NDA2NywiaXNzIjoiaHR0cHM6Ly9yZWFjdC5kb21haW4zMS5sb2NhbC93ZWIub2F1dGgyIiwiYXVkIjoibXlpZC5yZXN0IiwiY2xpZW50X2lkIjoibXlpZC5pbnRyYW5ldCIsInN1YiI6ImE3ODk0MWQyLWZiMTMtNDA5YS05NTM1LWNmZGE1OTU0YTBjNCIsImF1dGhfdGltZSI6MTYzNTM0MDQ1MSwiaWRwIjoibG9jYWwiLCJteWlkU2Vzc2lvbklkIjoiLTQ2ODY0ODcxLEVENjk0ODAzLTg0NkItNDM0OC1CRjNDLTFEREY0MjRGOUZBNiIsImp0aSI6IjRERUYzM0FDMEMwNDA2NjRCMzUyNkJDREVDNUU1ODc3Iiwic2lkIjoiOTBEMDhFOUQ4NkRCMURFQjgzQUEwRUQ3OUI0RUVEOTYiLCJpYXQiOjE2MzUzNDA0NjcsInNjb3BlIjpbIm15aWQucmVzdC5iYXNpYyJdLCJhbXIiOlsicHdkIl19.DKnftzQSesrgod3t8U98LfFbCI4OVbmVP6WRFDLrgKQyxV4segym1ADJO3Y1a-mvSVRM2kfUNeBkh3gmeZqyXieGIkC_c9rhWuBB0SOe9K08sBtsswgTHhO_bZcxCM6bFyr16BcYEt-YHy-T-45Z9J8xS1R7bH-5yQ0_9i8dR0_QbGcihlzsN7V7CuFckyeiCcV9TRrXNHEOtc9d7G508sJWsDT-ac3eskN1zxKh05Wa77hxOQDIq3Fe0rKJKd_16pH2wTYekhIvYQ4QP7yseew1Httk3NkBQ8YQw7Rd4f3bTMBnYlKQNB_amJyK4jVZzwIqanad7A3Y31HcjEIXKQ","expires_in":3600,"token_type":"Bearer","scope":"myid.rest.basic"}