Authorization Code

The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients.

  1. Register the application
      GET {$host}/{$workspace}/oauth2/apps
  2. Request Authorization
      GET {$host}/{$workspace}/oauth2/authorize?response_type=code&client_id={literal}{the-client-id}{/literal}&scope=*
  3. Exchange the authorization code for an access token.
      POST {$host}/{$workspace}/oauth2/token
      Content-Type: application/x-www-form-urlencoded
      Authorization: Basic eC1wbS1sb2NhbC1jbGllbnQ6MTc5YWQ0NWM2Y2UyY2I5N2NmMTAyOWUyMTIwNDZlODE=
    
      grant_type=authorization_code&
      code={literal}{the-authorization-code}{/literal}
    

{$auth_code_link}
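
Steps 2 and 3 above as an added Python example (not part of the original page or the product's own code): it builds the authorization URL, accepts the callback only when its `state` matches, and assembles the token POST with the Basic header derived from the client id and secret. The base URL, client credentials, callback URL and the server's handling of the `state` parameter are assumptions.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit


def basic_auth(client_id, client_secret):
    # The Basic value is only base64("client_id:client_secret"), not encryption.
    raw = (client_id + ":" + client_secret).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authorize_url(base, client_id, state, scope="*"):
    # Step 2: URL the user's browser is sent to. `state` (RFC 6749) is an
    # unguessable per-session value; its support here is an assumption.
    query = urlencode(dict(response_type="code", client_id=client_id,
                           scope=scope, state=state))
    return base + "/oauth2/authorize?" + query


def code_from_callback(callback_url, expected_state):
    # Accept the code only if the callback carries the state we issued.
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not from our request")
    if "code" not in params:
        raise ValueError("no code: " + params.get("error", ["unknown"])[0])
    return params["code"][0]


def token_request(base, client_id, client_secret, code):
    # Step 3: (url, headers, body) for the POST; the secret stays server-side.
    # "authorization_code" is the grant_type value defined by RFC 6749.
    headers = dict([
        ("Authorization", basic_auth(client_id, client_secret)),
        ("Content-Type", "application/x-www-form-urlencoded"),
    ])
    body = urlencode(dict(grant_type="authorization_code", code=code))
    return base + "/oauth2/token", headers, body


# Constructed sample values: host, workspace, client and code are placeholders.
BASE = "https://pm.example.com/workflow"
STATE = "n3Jq0uQm5c1Zr8Tt"  # in real use: secrets.token_urlsafe(32)

if __name__ == "__main__":
    print(authorize_url(BASE, "demo-client", STATE))
    cb = "https://app.example.com/cb?code=abc123&state=" + STATE
    print(token_request(BASE, "demo-client", "demo-secret", code_from_callback(cb, STATE)))
```

Because the Basic header is reversible base64, the token request belongs on a TLS connection made from the server side of a confidential client.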

Implicit Grant

The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI.

GET {$host}/{$workspace}/oauth2/authorize?response_type=token&client_id={literal}{the-client-id}{/literal}&scope=*

Resource Owner Password Credentials

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application.

  POST {$host}/{$workspace}/oauth2/token 
  Content-Type: application/x-www-form-urlencoded
  Authorization: Basic eC1wbS1sb2NhbC1jbGllbnQ6MTc5YWQ0NWM2Y2UyY2I5N2NmMTAyOWUyMTIwNDZlODE=

  grant_type=password&
  username=bob&
  password=secret&
  scope=*
                

Client Credentials

The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server.

  POST {$host}/{$workspace}/oauth2/token
  Content-Type: application/x-www-form-urlencoded
  Authorization: Basic eC1wbS1sb2NhbC1jbGllbnQ6MTc5YWQ0NWM2Y2UyY2I5N2NmMTAyOWUyMTIwNDZlODE=

  grant_type=client_credentials
            

Refresh Token

Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token.

  POST {$host}/{$workspace}/oauth2/token 
  Content-Type: application/x-www-form-urlencoded
  Authorization: Basic eC1wbS1sb2NhbC1jbGllbnQ6MTc5YWQ0NWM2Y2UyY2I5N2NmMTAyOWUyMTIwNDZlODE=

  grant_type=refresh_token&
  refresh_token={literal}{your-refresh-token}{/literal}