Obtaining tokens

When users or backend services interact with your app, they might need to be authorized to perform specific actions. App ID verifies that the entity that makes the request is authorized and returns access and identity tokens to your app. If the entity making the request is an end user, the tokens might contain information about the user such as the scope of their permissions and their name. If it is a backend service, then only an access token is returned.

Getting your client ID and secret with the GUI

To obtain tokens, you must have your client ID and secret. The credentials are specific to every application and are used to help identify and validate the users that a token might be assigned to.

  1. Navigate to the Applications tab of the App ID dashboard.

  2. If you already have a set of credentials listed, you can skip to step 3. If you do not, create one.

    1. On the Applications tab, click Add application.
    2. Give your application a name and click Save to return to a list of your registered apps. The name of your application cannot exceed 50 characters.
  3. From the list of registered apps, select the application that you want to work with. The row expands to show your credentials.

  4. Copy your client ID and secret.

Getting your client ID and secret with the API

To obtain tokens, you must have your client ID and secret. The credentials are specific to every application and are used to help identify and validate the users that a token might be assigned to.

  1. Make a POST request to the /management/v4/<tenantID>/applications endpoint.

    Request:

    curl -X POST https://us-south.appid.cloud.ibm.com/management/v4/39a37f57-a227-4bfe-a044-93b6e6060b61/applications/ \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <IAMToken>' \
    -d '{"name": "ApplicationName"}'
    

    Example response:

    {
       "clientId": "c90830bf-11b0-4b65-bffe-9773f8703bad",
       "tenantId": "b42f7429-fc24-48ds-b4f9-616bcc31cfd5",
       "secret": "YWQyNjdkZjMtMGRhZC00ZWRkLThiOTQtN2E3ODEyZjhkOWQz",
       "name": "testing",
       "oAuthServerUrl": "https://us-south.appid.cloud.ibm.com/oauth/v4/b42f7429-fc24-48ds-b4f9-616bcb31cfd5",
       "profilesUrl": "https://us-south.appid.cloud.ibm.com",
       "discoveryEndpoint": "https://us-south.appid.cloud.ibm.com/oauth/v4/b42f7429-fc24-48ds-b4f9-616bcb31cfd5/.well-known/openid-configuration"
    }
    
  2. Copy the client ID and secret.

Obtaining access and identity tokens with the GUI

With a client ID and secret, you can obtain access and identity tokens by using the API or an SDK. The following examples show how to obtain a token by using the Resource Owner Password (ROP) flow.

This action can be done through the API only. For the steps, see the API instructions that follow.

Obtaining access and identity tokens with the API

With a client ID and secret, you can obtain access and identity tokens by using the API or an SDK. The following examples show how to obtain a token by using the Resource Owner Password (ROP) flow.

  1. Obtain your tenant ID, client ID, secret, and OAuth Server URL from your credentials.

  2. Encode your client ID and secret by using a base64 encoder.

  3. Use the following code examples to retrieve your tokens. The grant type that you use to obtain your token can differ depending on the type of authorization that you're working with. For a detailed list of options, check out the swagger documentation.

    curl -X POST 'https://<region>.appid.cloud.ibm.com/oauth/v4/<tenantID>/token' \
    -H 'Authorization: Basic base64Encoded{<clientID>:<clientSecret>}' \
    -H 'Accept: application/json' \
    -F 'grant_type=password' \
    -F 'username=testuser@test.com' \
    -F 'password=testuser'
    
    // iOS Swift example
    
    class delegate : TokenResponseDelegate {
       public func onAuthorizationSuccess(accessToken: AccessToken?, identityToken: IdentityToken?, refreshToken: RefreshToken?, response:Response?) {
       //User authenticated
       }
    
       public func onAuthorizationFailure(error: AuthorizationError) {
       //Exception occurred
       }
    }
    
    AppID.sharedInstance.signinWithResourceOwnerPassword(username: username, password: password, delegate: delegate())
    
    // Android Java example

    AppID.getInstance().signinWithResourceOwnerPassword(getApplicationContext(), username, password, new TokenResponseListener() {
       @Override
       public void onAuthorizationFailure (AuthorizationException exception) {
          //Exception occurred
       }
    
       @Override
       public void onAuthorizationSuccess (AccessToken accessToken, IdentityToken identityToken, RefreshToken refreshToken) {
          //User authenticated
       }
    });
    
    // Node.js example

    const express = require("express");
    const passport = require("passport");
    const APIStrategy = require("ibmcloud-appid").APIStrategy;

    const app = express();
    app.use(passport.initialize());
    passport.use(new APIStrategy({ oauthServerUrl: "<oauthServerURL>" }));

    // Declare the API you want to protect
    app.get("/api/protected",
       passport.authenticate(APIStrategy.STRATEGY_NAME, {
          session: false
       }),
       function(req, res) {
          // Get full appIdAuthorizationContext from request object
          var appIdAuthContext = req.appIdAuthorizationContext;

          appIdAuthContext.accessToken; // Raw access_token
          appIdAuthContext.accessTokenPayload; // Decoded access_token JSON
          appIdAuthContext.identityToken; // Raw identity_token
          appIdAuthContext.identityTokenPayload; // Decoded identity_token JSON
          appIdAuthContext.refreshToken; // Raw refresh_token
          // ...
       }
    );
    
    // Server-side swift example
    
    let options = [
       "clientId": "<clientID>",
       "secret": "<secret>",
       "tenantId": "<tenantID>",
       "oauthServerUrl": "<oauthServerURL>",
       "redirectUri": "<appURL>" + CALLBACK_URL
    ]
    let webappKituraCredentialsPlugin = WebAppKituraCredentialsPlugin(options: options)
    let kituraCredentials = Credentials()
    kituraCredentials.register(plugin: webappKituraCredentialsPlugin)
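
Steps 2 and 3 as shell helpers, added here as an example that is not part of the IBM documentation: the first builds the Basic credential without the newline and line-wrapping pitfalls, the second decodes a returned token's payload for inspection, and the third issues the token request without placing the secret or password in curl's argument list. The function names, the `APPID_CLIENT_ID`, `APPID_SECRET` and `APPID_PASSWORD` variables, and the sample token are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helpers for steps 2 and 3. Function names, APPID_* variables
# and the sample token are constructed for illustration.

# Step 2: base64(<clientID>:<clientSecret>) for the Basic Authorization header.
# printf avoids the trailing newline that echo would encode into the value;
# tr strips the line wrapping that GNU base64 applies to long input.
basic_credential() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode the payload (second segment) of a token for inspection only.
# base64url -> base64: swap the URL-safe characters and restore '=' padding.
# Decoding does not verify the signature.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Step 3: request tokens with the password grant. The header and form fields
# reach curl through --config on stdin, so the secret and password are not
# visible in curl's argument list. form-string sends values literally (a
# leading '@' or '<' is not treated as a file reference, as it is with -F).
# Assumes the values contain no '"' or '\' characters.
# usage: request_tokens <region> <tenantID> <username>
request_tokens() {
  cred=$(basic_credential "$APPID_CLIENT_ID" "$APPID_SECRET")
  curl --silent --fail --config - <<EOF
url = "https://$1.appid.cloud.ibm.com/oauth/v4/$2/token"
header = "Authorization: Basic $cred"
header = "Accept: application/json"
form-string = "grant_type=password"
form-string = "username=$3"
form-string = "password=$APPID_PASSWORD"
EOF
}

# Constructed, unsigned sample token (header.payload.signature placeholder).
SAMPLE_TOKEN='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.sig'
```

Before acting on any claim, validate the token's signature, issuer and expiry against the keys published through the `discoveryEndpoint` returned with your credentials.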