
I have a back-end processor (imagine a cron job generating reports once a day) that needs to integrate with a third-party system. Their APIs only support the "Authorization code" grant type. The problem is I can't even fill out a request for a token as I don't have a redirect_uri (no website), and I definitely don't have a user of any kind. I'll just have the OAuth clientId and secret I provisioned via their developer portal (Mashery) for my back-end report processor app.

I want to use the "Client credentials" grant type/flow since I'm just a back-end service.

Is there any way to fake this or hack it so my little back-end service can somehow work with authorization code flow?

Thanks in advance

Joshua Gunder

1 Answer


No, there is no way to hack it. Client credentials only authenticate the client. A token issued for client credentials has no information about the user. If their API needs information about the user (you probably get information only about your user), then you need to have a token issued with Code Flow.

What you can do is to generate the OAuth token yourself. E.g. you can use oauth.tools to perform a Code Flow with their Authorization Server, or you can perform the flow from a browser with a dummy redirect URI (e.g. http://localhost), then get the code returned from the authorization request and perform a token request from curl.

Once you have an access and refresh token you can hard code them in your script (or read them from an env variable or file, etc.). You can then call the API as long as the access token is valid, and use the refresh token to get a new access token when it expires. You will not have to perform a new Code Flow for as long as the refresh token is valid.

Michal Trojanowski
  • Thank you for the answer. The developer of the APIs mentioned something similar. He said "just get a token yourself and then hard code it into the app", but I've tried calling their authorize endpoint with a dummy redirect_uri and it just causes their API to return an HTTP 302. I can't seem to get the request-it-yourself-with-a-dummy-uri technique to work. – Joshua Gunder May 20 '21 at 16:41
  • Try oauth.tools - they will take care of the flow (there are instructions there on what URI you have to configure as the redirect URI). Otherwise you would have to call the authorization endpoint from a browser, which will then take care of all the redirects, and eventually you will get the authorization code which you have to copy and paste into a curl request to the token endpoint. – Michal Trojanowski May 21 '21 at 06:53
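The one-time hand-off the answer and its comments describe, written out as an added example (not code from the question, the answer, or Mashery): build the authorization URL and open it in a browser (the browser follows the 302, lands on the dummy redirect URI, and the code is in that final URL's query string), exchange the code for tokens with HTTP Basic client authentication, then keep the token pair in a file outside the code and refresh the access token shortly before it expires so the daily job never has to repeat the browser step while the refresh token is valid. Endpoint URLs, client id and secret, the `reports` scope and the `transport` hook are assumptions; the server is a generic OAuth 2.0 token endpoint, not any vendor's specific API.

```python
"""One-time Authorization Code hand-off plus the refresh loop a back-end job runs afterwards.
All endpoint URLs and credentials below are placeholders (assumed, not from any real service)."""
import base64
import json
import time
import urllib.parse
import urllib.request


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scope, state):
    """URL to open once in a browser. The browser follows the 302 redirects and
    ends up on redirect_uri with ?code=...&state=... in the query string."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return authorize_endpoint + "?" + urllib.parse.urlencode(params)


def parse_code_from_redirect(redirected_url, expected_state):
    """Pull the authorization code out of the final redirect URL, verifying state
    so a code from a different/forged redirect is not accepted by mistake."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirected_url).query)
    if "error" in query:
        raise RuntimeError("authorization server returned error: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch; discard this response")
    return query["code"][0]


def _urllib_transport(url, body, headers):
    """Default HTTP transport; swapped out in tests for a canned responder."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def _token_request(token_endpoint, client_id, client_secret, fields, transport):
    """POST a form to the token endpoint, authenticating the client with HTTP Basic
    (the curl equivalent is: curl -u CLIENT_ID:CLIENT_SECRET -d grant_type=... TOKEN_URL)."""
    creds = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json", "Authorization": "Basic " + creds}
    return json.loads(transport(token_endpoint, urllib.parse.urlencode(fields).encode(), headers))


def exchange_code(token_endpoint, client_id, client_secret, code, redirect_uri,
                  transport=_urllib_transport):
    """Authorization-code grant: redirect_uri must match the one used in the authorize request."""
    fields = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return _token_request(token_endpoint, client_id, client_secret, fields, transport)


def refresh_tokens(token_endpoint, client_id, client_secret, refresh_token,
                   transport=_urllib_transport):
    """Refresh-token grant: no browser, no user, just the stored refresh token."""
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return _token_request(token_endpoint, client_id, client_secret, fields, transport)


class TokenStore:
    """Keeps the token pair in a JSON file (outside the code) and refreshes the
    access token `skew` seconds before expiry. path=None keeps it in memory only."""

    def __init__(self, path, token_endpoint, client_id, client_secret,
                 transport=_urllib_transport, skew=60):
        self.path, self.token_endpoint = path, token_endpoint
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.skew = transport, skew
        self.state = {}
        if path is not None:
            try:
                with open(path) as f:
                    self.state = json.load(f)
            except FileNotFoundError:
                pass

    def save(self, token_response, now=None):
        now = time.time() if now is None else now
        self.state = {
            "access_token": token_response["access_token"],
            # Some servers omit refresh_token on a refresh response: keep the old one then.
            "refresh_token": token_response.get("refresh_token", self.state.get("refresh_token")),
            "expires_at": now + int(token_response.get("expires_in", 3600)),
        }
        if self.path is not None:
            with open(self.path, "w") as f:
                json.dump(self.state, f)

    def get_access_token(self, now=None):
        """Return a usable access token, refreshing first if it is (nearly) expired."""
        now = time.time() if now is None else now
        if self.state.get("expires_at", 0) - self.skew <= now:
            if not self.state.get("refresh_token"):
                raise RuntimeError("no refresh token stored; run the browser hand-off again")
            self.save(refresh_tokens(self.token_endpoint, self.client_id, self.client_secret,
                                     self.state["refresh_token"], self.transport), now)
        return self.state["access_token"]
```

A cron job would construct `TokenStore` with the path of the JSON file, call `get_access_token()` before each API request, and send the result as `Authorization: Bearer <token>`; the file should be readable only by the job's user, since whoever can read it holds the user's delegated access for as long as the refresh token is valid.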