bb218dbc56
* Small wording change + fix in example template code * Added note about UserConsent not being in the admin * Mostly spelling corrections and phrasing changes * Moved template context explation from the settings to the templates page * Changed wording * Changed wording
66 lines
2.7 KiB
ReStructuredText
66 lines
2.7 KiB
ReStructuredText
.. _accesstokens:
|
|
|
|
Access Tokens
|
|
#############
|
|
|
|
At the end of the login process, an access token is generated. This access token is the thing that is passed along with every API call to the openid connect server (e.g. userinfo endpoint) as proof that the call was made by a specific person from a specific app.
|
|
|
|
Access tokens generally have a lifetime of only a couple of hours. You can use ``OIDC_TOKEN_EXPIRE`` to set a custom expiration time that suits your needs.
|
|
|
|
Obtaining an Access Token
|
|
=========================
|
|
|
|
Go to the admin site and create a confidential client with ``response_type = code`` and ``redirect_uri = http://example.org/``.
|
|
|
|
Open your browser and accept consent at::
|
|
|
|
http://localhost:8000/authorize?client_id=651462&redirect_uri=http://example.org/&response_type=code&scope=openid email profile&state=123123
|
|
|
|
In the redirected URL you should have a ``code`` parameter included as query string::
|
|
|
|
http://example.org/?code=b9cedb346ee04f15ab1d3ac13da92002&state=123123
|
|
|
|
We use the ``code`` value to obtain ``access_token`` and ``refresh_token``::
|
|
|
|
curl -X POST \
|
|
-H "Cache-Control: no-cache" \
|
|
-H "Content-Type: application/x-www-form-urlencoded" \
|
|
"http://localhost:8000/token/" \
|
|
-d "client_id=651462" \
|
|
-d "client_secret=37b1c4ff826f8d78bd45e25bad75a2c0" \
|
|
-d "code=b9cedb346ee04f15ab1d3ac13da92002" \
|
|
-d "redirect_uri=http://example.org/" \
|
|
-d "grant_type=authorization_code"
|
|
|
|
Example response::
|
|
|
|
{
|
|
"access_token": "82b35f3d810f4cf49dd7a52d4b22a594",
|
|
"token_type": "bearer",
|
|
"expires_in": 3600,
|
|
"refresh_token": "0bac2d80d75d46658b0b31d3778039bb",
|
|
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6..."
|
|
}
|
|
|
|
Then you can grab the access token and ask for user data by doing a GET request to the ``/userinfo`` endpoint::
|
|
|
|
curl -X GET \
|
|
-H "Cache-Control: no-cache" \
|
|
"http://localhost:8000/userinfo/?access_token=82b35f3d810f4cf49dd7a52d4b22a594"
|
|
|
|
Expiration and Refresh of Access Tokens
|
|
=======================================
|
|
|
|
If you receive a ``401 Unauthorized`` status when using the access token, this probably means that your access token has expired.
|
|
|
|
The RP application can request a new access token by using the refresh token. Send a POST request to the ``/token`` endpoint with the following request parameters::
|
|
|
|
curl -X POST \
|
|
-H "Cache-Control: no-cache" \
|
|
-H "Content-Type: application/x-www-form-urlencoded" \
|
|
"http://localhost:8000/token/" \
|
|
-d "client_id=651462" \
|
|
-d "client_secret=37b1c4ff826f8d78bd45e25bad75a2c0" \
|
|
-d "grant_type=refresh_token" \
|
|
-d "refresh_token=0bac2d80d75d46658b0b31d3778039bb"
|