I was able to get an ‘access_token’ by making a POST call to ‘idp/connect/token’. It expires after 1 hour. Is there a way to refresh this token or get a new token before the old token expires, without again having to make the same API call and providing username/password?
Hi,
While it is possible to do this using the resource owner password credentials flow (using username and password), the recommended approach would be to use the authorization code flow. With the authorization code flow it is possible to avoid dealing with credentials in the client completely and work exclusively with access and refresh tokens.
The only limitation is that currently we do not have support for the authorization code flow across sites in a federated architecture, although we expect to overcome this limitation within the next year.
Regardless, in order to get a refresh token at login, there are three requirements.
1. The IDP client used to request the token needs to be configured to allow offline access. When using our built in clients this is true for VmsClient and VmsAdminClient, but not for GrantValidatorClient.
2. The IDP client needs to be configured to support the refresh_token grant type. Again, this is valid for VmsClient and VmsAdminClient.
3. In the token request, you need to request the “offline_access” scope.
Once you have a refresh token, you can then request an access token at the token endpoint by using the refresh_token grant type.
Best Regards,
Simon
Thanks. Can you please specify how exactly to get the refresh token the first time? I understand once we have the refresh token we can get the next refresh and access token using
// Form fields for the POST to idp/connect/token (refresh_token grant)
var postValues = new List<KeyValuePair<string, string>>()
{
    new KeyValuePair<string, string>("grant_type", "refresh_token"),
    new KeyValuePair<string, string>("client_id", clientId),
    new KeyValuePair<string, string>("refresh_token", refreshToken),
};
But I am not clear how to get the refresh token the first time.
Another follow-up question. What is the client_id to be used for integration using the REST API? The doc shows the client_id as GrantValidatorClient.
Hi,
To get a refresh token, you need to simply use a client that is set up to provide one. All of our examples use GrantValidatorClient, which does not. If you simply replace that with VmsClient or VmsAdminClient, you will get a refresh token as part of your token response message.
Alternately, you can create your own client in the IdentityProvider, if you wish to separate out the traffic from your application from the remainder of the VMS.
The following PowerShell example can be modified to create a new Client, but this would need to be run on each server you wish to use, whereas the VmsClient is built-in.
Best Regards,
Simon
PowerShell Sample:
# Step 1: Get the access token
$response = Invoke-WebRequest -Uri "http://localhost/idp/connect/token" -Method Post -Body @{
    grant_type = "windows_auth"
    scope = "write:client"
    client_id = "winauthclient"
} -UseDefaultCredentials
$accessTokenContent = $response.Content
$accessToken = ($accessTokenContent | ConvertFrom-Json).access_token
# Step 2: Use the access token to make the PUT request
$clientId = "your_client_id"
$apiUrl = "http://localhost/idp/api/clients/$clientId"
# Step 3: Construct the client data
$clientData = @{
    ClientName = "your_client_name"
    ClientScopes = @("management", "openid", "offline_access", "profile")
    ClientGrantTypes = @("authorization_code", "refresh_token")
    ClientRedirectUris = @("http://localhost", "https://localhost")
}
# Step 4: Make the request with Invoke-RestMethod
$response = Invoke-RestMethod -Method Put -Uri $apiUrl -Headers @{
    Authorization = "Bearer $accessToken"
} -Body (ConvertTo-Json $clientData) -ContentType "application/json"
# Step 5: Output the response
$response | Select-Object -ExpandProperty data | Select-Object -Property name, @{Name="Scopes"; Expression={$_.scopes -join ','}}
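The flow Simon describes (log in once with a client that allows offline access and the offline_access scope, then renew with grant_type=refresh_token before the hour is up), as an added example that is not from this thread or from Milestone. It is written in Python with an injected transport so it runs offline; the token URL and host are assumptions, and TokenHolder, TokenError and the transport callable are hypothetical names.

```python
import time
from typing import Callable, Dict, List, Optional

# Constructed example, not Milestone's code. TOKEN_URL and the local VMS
# host are assumptions; VmsClient is the built-in client named in the thread.
TOKEN_URL = "http://localhost/idp/connect/token"
CLIENT_ID = "VmsClient"

class TokenError(Exception): pass  # raised by the transport when the IDP rejects a request

class TokenHolder:
    """Logs in once with offline_access, then refreshes before expiry."""

    def __init__(self, post: Callable[[str, Dict[str, str]], dict],
                 username: str, password: str, skew: int = 60,
                 clock: Callable[[], float] = time.time) -> None:
        self._post, self._clock, self._skew = post, clock, skew
        self._creds = (username, password)
        self._access: Optional[str] = None
        self._refresh: Optional[str] = None
        self._expires_at = 0.0
        self.grants_used: List[str] = []  # audit trail of grant types sent

    def _store(self, tok: dict) -> str:
        self._access = tok["access_token"]
        # If the IDP rotates refresh tokens, keep the newest one.
        self._refresh = tok.get("refresh_token", self._refresh)
        self._expires_at = self._clock() + int(tok["expires_in"])
        return self._access

    def access_token(self) -> str:
        # Serve the cached token while it is safely inside its lifetime.
        if self._access and self._clock() < self._expires_at - self._skew:
            return self._access
        if self._refresh:
            self.grants_used.append("refresh_token")
            try:
                return self._store(self._post(TOKEN_URL, {
                    "grant_type": "refresh_token", "client_id": CLIENT_ID,
                    "refresh_token": self._refresh}))
            except TokenError:
                self._refresh = None  # revoked or expired: fall back to login
        # Credentials leave the client only on this path; offline_access
        # makes the response carry a refresh token (add your API scopes too).
        self.grants_used.append("password")
        user, pwd = self._creds
        return self._store(self._post(TOKEN_URL, {
            "grant_type": "password", "client_id": CLIENT_ID,
            "username": user, "password": pwd, "scope": "offline_access"}))
```

A real transport would wrap requests.post with data=form and raise TokenError on a non-2xx status; the skew keeps the client from presenting a token that expires mid-request.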