Client Credential Flow (2-legged OAuth)
Application Authorization, also called the Client Credential Flow (2-legged authorization): Passport grants your application permission to access protected Passport resources. Use this flow when you are accessing APIs that are not member-specific. Not all APIs support Application Authorization.
This type of authorization requests only the identity.basic scope.
Client Credentials Flow
1. Configure your application in the Developer Portal to obtain a Client ID and Client Secret.
2. Generate an access token.
3. Use this access token to make API calls on behalf of the application.
Prerequisites
In the Passport Developer Portal, create a new application or select your existing application.
Each application is assigned a unique Client ID (Consumer key/API key) and Client Secret. Make a note of these values, as they will go into your application's configuration files. Your Client Secret protects your application's security, so be sure to keep it secret.
Getting the Access Token
The next step is to get an access token for your application using the Client ID and Client Secret from the previous step.
POST https://auth.onepassport.eu/token
Parameters:
grant_type (string, required): The value of this field must always be client_credentials.
client_id (string, required): The Client ID value generated in Step 1.
client_secret (string, required): The Client Secret value generated in Step 1.
Sample Request
curl --request POST \
--url 'https://auth.onepassport.eu/token?grant_type=client_credentials&client_id=s7h9BHLeuZ7dfEfLHSQtQmsfsQ6Rqw6P&client_secret=HAjhDx2swgNfHgNcZCDqAEg9oyPxWoB2EoAcwdgBg42w5cuppL4xiya4aTuPCvsR6qmLzm7TDMhKDQHyCzSuyTLM2DmoSE8oFgYAGKXCH5HPzpLpM8MvrwQ7LvnwCxHn'
Access Token Response
A successful access token request returns a JSON object containing the following fields:
token_type (string): Always bearer.
access_token (string): The access token for the application. This value must be kept secure as specified in the API Terms of Use. Access tokens are currently ~500 characters long; plan for your application to handle tokens of at least 1000 characters to accommodate future expansion. This applies to both access tokens and refresh tokens.
expires_in (int): The number of seconds remaining until the token expires. Currently, all access tokens are issued with a 60-day lifespan.
scope (list): With this type of authentication the scope is always identity.basic.
{
"token_type":"bearer",
"access_token":"3a047685dd4bd0f23864743ac6b555dbf97c3c2b",
"expires_in":2592000,
"scope":["identity.basic"]
}
Access Token Scopes and Lifetime
Access tokens stay valid for the number of seconds given in the expires_in field of the token response. You can go through the OAuth flow on multiple clients (browsers or devices) and hold several valid access tokens at the same time, as long as the same scope is requested. If you request a scope different from the previously granted one, all previous access tokens are invalidated.
Make Authenticated Requests
Once you have obtained an access token, you can start making authenticated API requests on behalf of the application by including an Authorization header in each HTTP call to Passport's API.
Sample request
curl -X GET 'https://auth.onepassport.eu/whoami' \
-H 'Authorization: Bearer {INSERT_TOKEN}'
Error Handling
401 Unauthorized
If you make an API call with an invalid token, the server returns a 401 Unauthorized response. The token may need to be regenerated because it expired or was revoked.
These are not the only reasons a token can be invalid, so make sure your application is coded to handle a 401 response properly.
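The following client ties the three steps of the flow, the token-response fields, and the 401 handling above together. It is an added example, not Passport's own SDK or sample code. It sends the credentials in the POST form body rather than in the query string (the standard OAuth 2.0 client-credentials encoding, and one that keeps the secret out of URL logs; this is an assumption, since the page's curl sample uses query parameters). The refresh margin, the FakePassport stand-in and all token and credential values are constructed for the offline demo.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.onepassport.eu/token"  # token endpoint from the page
API_URL = "https://auth.onepassport.eu/whoami"   # sample API endpoint from the page


def urllib_transport(method, url, headers, body):
    """Real HTTP transport on the standard library; the offline demo injects a fake instead."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def parse_token_response(payload: bytes) -> dict:
    """Validate the token response fields documented above before trusting them."""
    data = json.loads(payload)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("access_token missing or not a string")
    expires_in = int(data.get("expires_in", 0))
    if expires_in <= 0:
        raise ValueError("expires_in must be a positive number of seconds")
    scope = data.get("scope", [])
    if isinstance(scope, str):  # tolerate a space-separated string as well as a list
        scope = scope.split()
    return {"access_token": token, "expires_in": expires_in, "scope": list(scope)}


class PassportClient:
    REFRESH_MARGIN = 300  # regenerate this many seconds before expiry (constructed margin)

    def __init__(self, client_id, client_secret, transport=urllib_transport, now=time.time):
        self._client_id, self._client_secret = client_id, client_secret
        self._transport, self._now = transport, now  # both injectable for offline testing
        self._token, self._expires_at = None, 0.0

    def fetch_token(self) -> dict:
        # Credentials go in the form body, not the query string (assumed encoding, see lead-in).
        body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                       "client_id": self._client_id,
                                       "client_secret": self._client_secret}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, payload = self._transport("POST", TOKEN_URL, headers, body)
        if status != 200:
            raise RuntimeError("token request failed with HTTP %d" % status)
        tok = parse_token_response(payload)
        self._token = tok["access_token"]
        self._expires_at = self._now() + tok["expires_in"]  # honour expires_in from the response
        return tok

    def get_token(self) -> str:
        """Return the cached token, regenerating it when missing or close to expiry."""
        if self._token is None or self._now() >= self._expires_at - self.REFRESH_MARGIN:
            self.fetch_token()
        return self._token

    def get(self, url):
        """GET with a Bearer header; on 401 regenerate the token once and retry."""
        for _ in range(2):
            headers = {"Authorization": "Bearer " + self.get_token()}
            status, payload = self._transport("GET", url, headers, None)
            if status != 401:
                return status, payload
            self._token = None  # expired or revoked: force regeneration before the retry
        raise PermissionError("still 401 Unauthorized after regenerating the token")


class FakePassport:
    """Constructed stand-in for the token and API endpoints; not a real server."""

    def __init__(self):
        self.issued, self.valid = 0, set()

    def __call__(self, method, url, headers, body):
        if method == "POST" and url == TOKEN_URL:
            form = dict(urllib.parse.parse_qsl(body.decode()))
            if form.get("grant_type") != "client_credentials" or form.get("client_secret") != "secret-constructed":
                return 400, b'{"error":"invalid_client"}'
            self.issued += 1
            token = "tok%03d" % self.issued
            self.valid.add(token)
            return 200, json.dumps({"token_type": "bearer", "access_token": token,
                                    "expires_in": 2592000, "scope": ["identity.basic"]}).encode()
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        return (200, b'{"application":"demo"}') if token in self.valid else (401, b'{"error":"invalid_token"}')


def demo():
    """Walk the flow offline: token, authenticated call, revocation, 401 recovery."""
    server = FakePassport()
    client = PassportClient("client-id-constructed", "secret-constructed", transport=server)
    first = client.get_token()
    status_before, _ = client.get(API_URL)  # 200 with the first token
    server.valid.discard(first)             # simulate the token being revoked
    status_after, _ = client.get(API_URL)   # 401, regenerate, then 200
    return first, client.get_token(), status_before, status_after, server.issued


if __name__ == "__main__":
    print(demo())
```

The retry in get() is deliberately limited to one regeneration: a second 401 with a fresh token means the problem is not expiry or revocation (for example the application is not allowed to call that API), and retrying in a loop would only hammer the token endpoint.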