Example: Use “Password Grant Authentication” for Applications to Authenticate
Learn how to authenticate applications using password authentication.
Overview
Some client applications use Password Grant authentication, even though the OAuth 2.1 specification deprecates this grant type. Use the following example to allow password authentication for such applications.
This example requires the following procedures, which may be performed by two different roles, in this order:
ProcessMaker Platform administrator: Configure password authentication for the client application.
After the ProcessMaker Platform administrator has granted the application permission to authenticate using a password, the application developer may prepare the first API call to the ProcessMaker Platform instance. This first call obtains a bearer token that subsequent API requests then use.
Follow these steps to prepare the first API call:
Prepare the body of your first request in JSON format. Replace the values in brackets below with the actual values from your environment.
Send the prepared JSON body as a POST request to the endpoint /oauth/token of your ProcessMaker Platform instance. Below is an example using the test environment from the image above. Most notable are the client_id value, which is the value in the Client ID column of the Auth Clients page for the row designated to this application, and its client secret value.
Send the first request. Your ProcessMaker Platform instance responds in JSON format with the bearer token that future API calls use. Below is an example of the bearer token.
Use the Refresh Token to Request a New Bearer Token
Note that the response containing your bearer token also contains an expiration time and a refresh token. The expiration time is the number of seconds until the bearer token expires; after that time, request a new bearer token using the refresh token. Below is an example API call that obtains a new bearer token using the refresh token.
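The following Python script is an added example that ties together both procedures above (the first password-grant call to /oauth/token and the later refresh-token call); it is not ProcessMaker's own code. Only the endpoint path /oauth/token and the client_id, client secret, expiration and refresh-token concepts come from this page; the JSON field names (grant_type, client_id, client_secret, username, password, access_token, expires_in, refresh_token) are the standard OAuth 2.0 names and are assumed to match your instance. The base URL, credentials and the FakeTokenServer responses are constructed placeholders so the flow can be run offline.

```python
"""Password grant and refresh-token flow against /oauth/token.

Added example, not ProcessMaker's own code. The HTTP transport is
injectable, so the same client logic runs offline against a constructed
stand-in for the token endpoint.
"""
import json
import time
import urllib.request
from typing import Callable, Dict

# Hypothetical placeholders: replace with the values from your own instance.
BASE_URL = "https://your-instance.example.com"
TOKEN_URL = BASE_URL + "/oauth/token"


def password_grant_body(client_id: str, client_secret: str,
                        username: str, password: str) -> Dict[str, str]:
    """JSON body for the first request (standard OAuth 2.0 field names)."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }


def refresh_grant_body(client_id: str, client_secret: str,
                       refresh_token: str) -> Dict[str, str]:
    """JSON body for obtaining a new bearer token; the user password is not resent."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }


def http_post_json(url: str, body: Dict[str, str]) -> Dict:
    """Real transport: POST the body as JSON and decode the JSON reply.
    Credentials travel only in the body, never in the URL or in logs."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode())


class TokenClient:
    """Holds the bearer token and refreshes it shortly before it expires."""

    def __init__(self, client_id: str, client_secret: str,
                 transport: Callable = http_post_json,
                 clock: Callable[[], float] = time.time,
                 token_url: str = TOKEN_URL):
        self._client_id, self._client_secret = client_id, client_secret
        self._transport, self._clock, self._token_url = transport, clock, token_url
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0  # absolute time derived from expires_in (seconds)

    def _store(self, resp: Dict) -> str:
        for field in ("access_token", "expires_in", "refresh_token"):
            if field not in resp:
                raise ValueError(f"token response missing {field}")
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]
        self.expires_at = self._clock() + float(resp["expires_in"])
        return self.access_token

    def login(self, username: str, password: str) -> str:
        body = password_grant_body(self._client_id, self._client_secret, username, password)
        return self._store(self._transport(self._token_url, body))

    def refresh(self) -> str:
        if not self.refresh_token:
            raise RuntimeError("no refresh token held; call login() first")
        body = refresh_grant_body(self._client_id, self._client_secret, self.refresh_token)
        return self._store(self._transport(self._token_url, body))

    def needs_refresh(self, margin_seconds: float = 60.0) -> bool:
        """Refresh a little early so an in-flight request never carries an expired token."""
        return self._clock() >= self.expires_at - margin_seconds

    def auth_header(self) -> Dict[str, str]:
        if self.needs_refresh():
            self.refresh()
        return {"Authorization": "Bearer " + self.access_token}


class FakeTokenServer:
    """Constructed stand-in for /oauth/token so the example runs offline."""

    def __init__(self):
        self.issued = 0
        self.requests = []

    def __call__(self, url: str, body: Dict[str, str]) -> Dict:
        self.requests.append(body)
        if body["grant_type"] == "password" and body["password"] != "correct-horse":
            raise PermissionError("invalid_grant")
        if body["grant_type"] == "refresh_token" and body["refresh_token"] != f"refresh-{self.issued}":
            raise PermissionError("invalid_grant")  # stale or unknown refresh token
        self.issued += 1
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": f"access-{self.issued}",
                "refresh_token": f"refresh-{self.issued}"}


def demo():
    """Login, use the token, then cross into the refresh margin and use it again."""
    now = [1_000_000.0]                       # constructed clock
    server = FakeTokenServer()
    client = TokenClient("1", "client-secret-placeholder",
                         transport=server, clock=lambda: now[0])
    client.login("alice@example.com", "correct-horse")
    first = client.auth_header()["Authorization"]    # still valid: access-1
    now[0] += 3600 - 30                               # 30 s before expiry, inside margin
    second = client.auth_header()["Authorization"]   # refreshed: access-2
    return first, second, [r["grant_type"] for r in server.requests]


if __name__ == "__main__":
    print(demo())
```

Swap FakeTokenServer for the default http_post_json transport and real values to run against an instance. The refresh body deliberately omits the username and password: after the first call the application only needs to hold the client secret and the refresh token, which keeps the user's password out of long-lived storage.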