These sample scripts illustrate the interaction necessary to obtain and use OAuth 2.0 access tokens. They utilize the HTTP client library Requests. Requests must be installed before these samples will run.
Authorization Code Grant Type
This sample assumes the redirect_uri registered with the client application is invalid. If the redirect_uri is invalid, the browser will stop the redirect and show the authorization code.
__author__ = 'bdm4'
import requests, json
import subprocess
import sys
authorize_url = "https://api.byu.edu/authorize"
token_url = "https://api.byu.edu/token"
#callback url specified when the application was defined
callback_uri = "<<your redirect_uri goes here>>"
test_api_url = "<<the URL of the API you want to call, along with any parameters, goes here>>"
#client (application) credentials - located at apim.byu.edu
client_id = '<<your client_id goes here>>'
client_secret = '<<your client_secret goes here>>'
#step A - simulate a request from a browser on the authorize_url - will return an authorization code after the user is
# prompted for credentials.
authorization_redirect_url = authorize_url + '?response_type=code&client_id=' + client_id + '&redirect_uri=' + callback_uri + '&scope=openid'
print "go to the following url on the browser and enter the code from the returned url: "
print "--- " + authorization_redirect_url + " ---"
authorization_code = raw_input('code: ')
# step I, J - turn the authorization code into a access token, etc
data = {'grant_type': 'authorization_code', 'code': authorization_code, 'redirect_uri': callback_uri}
print "requesting access token"
access_token_response = requests.post(token_url, data=data, verify=False, allow_redirects=False, auth=(client_id, client_secret))
print "response"
print access_token_response.headers
print 'body: ' + access_token_response.text
# we can now use the access_token as much as we want to access protected resources.
tokens = json.loads(access_token_response.text)
access_token = tokens['access_token']
print "access token: " + access_token
api_call_headers = {'Authorization': 'Bearer ' + access_token}
api_call_response = requests.get(test_api_url, headers=api_call_headers, verify=False)
print api_call_response.text
Implicit Grant Type
This sample assumes the redirect_uri registered with the client application is invalid. If the redirect_uri is invalid, the browser will stop the redirect and show the access_token.
__author__ = 'bdm4'
import requests, json, subprocess
authorize_url = "https://api.byu.edu/authorize"
token_url = "https://api.byu.edu/token"
#callback URL specified when the application was defined
callback_uri = "<<your request_uri goes here>>"
test_api_url = "<<the url of the api you want to call goes here>>"
#client (application) credentials on apim.byu.edu
client_id = '<<your client_id goes here>>'
client_secret = '<<your client_secret goes here>>'
#step A - single call with client id and call back url on the url
# will return access_token
authorization_redirect_url = authorize_url + '?response_type=token&client_id=' + client_id + '&redirect_uri=' + callback_uri + '&scope=openid'
print "go to the following url on the browser and enter the code from the returned url: "
print "--- " + authorization_redirect_url + " ---"
access_token = raw_input('access_token: ')
#step H - we can now use the returned access_token to
api_call_headers = {'Authorization': 'Bearer ' + access_token}
api_call_response = requests.get(test_api_url, headers=api_call_headers, verify=False)
print api_call_response.text
Resource Owner Password Credentials Grant Type
This sample assumes the redirect_uri registered with the client application is invalid. If the redirect_uri is invalid, the browser will stop the redirect and show the authorization code.
__author__ = 'bdm4'
import requests,json, getpass
token_url = "https://api.byu.edu/token"
test_api_url = "<<url of the api you want to call goes here>>"
# Step A - resource owner supplies credentials
#Resource owner (enduser) credentials
RO_user = raw_input('Enduser netid: ')
RO_password = getpass.getpass('Enduser password: ')
#client (application) credentials on apim.byu.edu
client_id = '<<client_id goes here>>'
client_secret = '<<client_secret goes here>>'
#step B, C - single call with resource owner credentials in the body and client credentials as the basic auth header
# will return access_token
data = {'grant_type': 'password','username': RO_user, 'password': RO_password}
access_token_response = requests.post(token_url, data=data, verify=False, allow_redirects=False, auth=(client_id, client_secret))
print access_token_response.headers
print access_token_response.text
tokens = json.loads(access_token_response.text)
print "access token: " + tokens['access_token']
# Step C - now we can use the access_token to make as many calls as we want.
api_call_headers = {'Authorization': 'Bearer ' + tokens['access_token']}
print api_call_headers
api_call_response = requests.get(test_api_url, headers=api_call_headers, verify=False)
print api_call_response.text
Client Credentials Grant Type
This sample assumes the redirect_uri registered with the client application is invalid. If the redirect_uri is invalid, the browser will stop the redirect and show the authorization code.
__author__ = 'bdm4'
import requests, json
token_url = "https://api.byu.edu/token"
test_api_url = "<<URL of the API you want to call goes here>>"
#client (application) credentials on apim.byu.edu
client_id = '<<client_id goes here>>'
client_secret = '<<client_secret goes here>>'
#step A, B - single call with client credentials as the basic auth header - will return access_token
data = {'grant_type': 'client_credentials'}
access_token_response = requests.post(token_url, data=data, verify=False, allow_redirects=False, auth=(client_id, client_secret))
print access_token_response.headers
print access_token_response.text
tokens = json.loads(access_token_response.text)
print "access token: " + tokens['access_token']
#step B - with the returned access_token we can make as many calls as we want
api_call_headers = {'Authorization': 'Bearer ' + tokens['access_token']}
api_call_response = requests.get(test_api_url, headers=api_call_headers, verify=False)
print api_call_response.text
