The API first receives the access token from the client, presented as described in the "Use a Token" section of this guide.

A request from a client would look similar to the following:

GET https://api.company.com/user HTTP/1.1
Authorization: Bearer AAA...ZZZ

In order to fulfill the request, the API first extracts the access token from the Authorization header, then validates it by calling the token endpoint of the PingFederate AS with the validate_bearer grant type. The Basic credentials on this call are the resource server's own OAuth client credentials (here rs_client), not the credentials of the client that presented the token, so the resource server must be registered with PingFederate as a client in its own right:

POST https://localhost:9031/as/token.oauth2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic cnNfY2xpZW50OjJGZWRlcmF0ZQ==

grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&token=AAA...ZZZ
A successful validation results in a 200 OK HTTP response with a JSON structure in the body similar to the following. Any other response means the token is not valid, and the API must reject the request rather than fall back to a default:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "access_token": { "role":"all_access" },
  "token_type":"Bearer",
  "expires_in":14400,
  "scope":"edit",
  "client_id":"ac_client"
}

The resource server then uses this information to make its authorization decision before allowing or denying the web request: check that expires_in is still positive, that the granted scope covers the operation being requested, that client_id is a client the API is willing to serve, and that any attributes carried in access_token (here role) satisfy the API's own policy. Note that client_id here (ac_client) identifies the client that obtained the token, which is a different entity from the resource server (rs_client) that is calling the validation endpoint.
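The following is an added example of the resource-server side of this flow, written for this page and not taken from PingFederate or its documentation. It extracts the bearer token from the incoming Authorization header, builds the validate_bearer request exactly as shown above (the Basic value is the page's own example, which decodes to rs_client:2Federate), and then applies the checks described in the previous paragraph to the validation response. The endpoint URL, client credentials, the required scope and the allowed-client list are assumptions for illustration; the `fake_authorization_server` function is a constructed stand-in for PingFederate so the code runs offline, and the real transport is `post_to_as`.

```python
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumed deployment values (hypothetical): take these from configuration, not source.
VALIDATION_ENDPOINT = "https://localhost:9031/as/token.oauth2"
VALIDATE_GRANT = "urn:pingidentity.com:oauth2:grant_type:validate_bearer"
RS_CLIENT_ID = "rs_client"      # the resource server's own OAuth client in PingFederate
RS_CLIENT_SECRET = "2Federate"  # page's example secret (Basic cnNfY2xpZW50OjJGZWRlcmF0ZQ==)

# RFC 6750 bearer syntax: "Bearer" followed by a token68 string and nothing else.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def extract_bearer_token(auth_header):
    """Return the token from an Authorization header, or None if absent or malformed."""
    if auth_header is None:
        return None
    match = _BEARER_RE.match(auth_header.strip())
    return match.group(1) if match else None


def build_validation_request(token):
    """Build the (headers, body) pair for the validate_bearer call to the AS."""
    creds = base64.b64encode(f"{RS_CLIENT_ID}:{RS_CLIENT_SECRET}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + creds,
    }
    body = urllib.parse.urlencode({"grant_type": VALIDATE_GRANT, "token": token})
    return headers, body


def post_to_as(url, headers, body):
    """Real transport: POST the form body and return (status, response_text)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def fake_authorization_server(url, headers, body):
    """Constructed stand-in for PingFederate: knows only the page's example token."""
    form = urllib.parse.parse_qs(body)
    if form.get("grant_type") == [VALIDATE_GRANT] and form.get("token") == ["AAA...ZZZ"]:
        return 200, json.dumps({
            "access_token": {"role": "all_access"},
            "token_type": "Bearer",
            "expires_in": 14400,
            "scope": "edit",
            "client_id": "ac_client",
        })
    # Constructed error body; the real AS wording may differ, only the non-200 status matters.
    return 400, json.dumps({"error": "invalid_grant"})


def validate_token(token, transport=post_to_as):
    """Ask the AS about the token; return the parsed JSON on 200, otherwise None."""
    headers, body = build_validation_request(token)
    status, text = transport(VALIDATION_ENDPOINT, headers, body)
    if status != 200:
        return None
    try:
        info = json.loads(text)
    except ValueError:
        return None
    return info if isinstance(info, dict) else None


def authorize(auth_header, required_scope, allowed_clients, transport=post_to_as):
    """Decide whether the request may proceed. Returns (allowed, reason)."""
    token = extract_bearer_token(auth_header)
    if token is None:
        return False, "missing or malformed bearer token"
    info = validate_token(token, transport)
    if info is None:
        return False, "token rejected by authorization server"
    if str(info.get("token_type", "")).lower() != "bearer":
        return False, "unexpected token type"
    try:
        if int(info.get("expires_in", 0)) <= 0:
            return False, "token expired"
    except (TypeError, ValueError):
        return False, "invalid expires_in"
    granted = set(str(info.get("scope", "")).split())
    if required_scope not in granted:
        return False, "insufficient scope"
    if allowed_clients is not None and info.get("client_id") not in allowed_clients:
        return False, "client not permitted for this API"
    return True, "ok"


if __name__ == "__main__":
    # GET /user with the page's example header, requiring the "edit" scope.
    print(authorize("Bearer AAA...ZZZ", "edit", {"ac_client"}, transport=fake_authorization_server))
```

The decision deliberately fails closed: a malformed header, any non-200 answer from the AS, an unparseable body, or a scope mismatch all deny the request, and the only path to `True` is the one where every check passed.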