These sample scripts illustrate the interaction necessary to obtain and use OAuth 2.0 access tokens. They utilize the HTTP client library Requests. Requests must be installed before these samples will run.
Authorization Code Grant Type
This sample assumes the redirect_uri registered with the client application is invalid. If the redirect_uri is invalid, the browser will stop the redirect and show the authorization code.
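"""OAuth 2.0 authorization code grant, driven by hand from a terminal.

The script prints the authorization URL, the user opens it in a browser and
signs in, then pastes the authorization code back. The code is exchanged for
an access token, which is used for one call to a protected API.
"""
__author__ = 'bdm4'

import json
import subprocess
import sys

import requests

# Python 2 names the line-reading builtin raw_input; Python 3 names it input.
try:
    read_line = raw_input
except NameError:
    read_line = input

authorize_url = "https://api.byu.edu/authorize"
token_url = "https://api.byu.edu/token"

# callback url specified when the application was defined
callback_uri = "<<your redirect_uri goes here>>"

test_api_url = "<<the URL of the API you want to call, along with any parameters, goes here>>"

# client (application) credentials - located at apim.byu.edu
# Placeholders only: keep the real client_secret out of source control.
client_id = '<<your client_id goes here>>'
client_secret = '<<your client_secret goes here>>'

# step A - simulate a request from a browser on the authorize_url - will
# return an authorization code after the user is prompted for credentials.
# The query string is built by Requests so that every value is URL-encoded;
# a redirect_uri containing '&', '?' or '#' would otherwise corrupt the request.
# NOTE(review): no `state` parameter is sent. That is tolerable only because
# the code is pasted in by hand; a client that receives the redirect itself
# must send an unguessable `state` and check it when the redirect comes back.
authorization_params = [
    ('response_type', 'code'),
    ('client_id', client_id),
    ('redirect_uri', callback_uri),
    ('scope', 'openid'),
]
authorization_redirect_url = requests.Request(
    'GET', authorize_url, params=authorization_params).prepare().url

print("go to the following url on the browser and enter the code from the returned url: ")
print("--- " + authorization_redirect_url + " ---")
authorization_code = read_line('code: ')

# step I, J - turn the authorization code into a access token, etc
data = {
    'grant_type': 'authorization_code',
    'code': authorization_code,
    'redirect_uri': callback_uri,
}
print("requesting access token")

# TLS certificate verification stays at the Requests default (enabled): this
# request carries the client secret and the authorization code, so the token
# endpoint's identity has to be checked. The timeout keeps a stalled
# connection from hanging the script.
access_token_response = requests.post(
    token_url, data=data, allow_redirects=False,
    auth=(client_id, client_secret), timeout=30)

# The response is printed for demonstration only; it contains the token, so
# real code should not write it to a console or a log.
print("response")
print(access_token_response.headers)
print('body: ' + access_token_response.text)

# Stop on a 4xx/5xx answer instead of failing later on a missing key.
access_token_response.raise_for_status()

# we can now use the access_token as much as we want to access protected resources.
tokens = json.loads(access_token_response.text)
access_token = tokens['access_token']
print("access token: " + access_token)

api_call_headers = {'Authorization': 'Bearer ' + access_token}
# Verification is enabled here as well: the bearer token is sent on this call.
api_call_response = requests.get(
    test_api_url, headers=api_call_headers, timeout=30)

print(api_call_response.text)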
Implicit Grant Type
This sample assumes the redirect_uri registered with the client application is invalid. If the redirect_uri is invalid, the browser will stop the redirect and show the access_token.
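"""OAuth 2.0 implicit grant, driven by hand from a terminal.

The script prints the authorization URL, the user opens it in a browser and
signs in, then pastes the access token shown in the returned URL. The token is
used for one call to a protected API.

NOTE(review): the OAuth 2.0 Security Best Current Practice (RFC 9700) advises
against the implicit grant because the access token is delivered in the
browser URL; prefer the authorization code grant for new clients.
"""
__author__ = 'bdm4'

import json
import subprocess

import requests

# Python 2 names the line-reading builtin raw_input; Python 3 names it input.
try:
    read_line = raw_input
except NameError:
    read_line = input

authorize_url = "https://api.byu.edu/authorize"
token_url = "https://api.byu.edu/token"

# callback URL specified when the application was defined
callback_uri = "<<your request_uri goes here>>"

test_api_url = "<<the url of the api you want to call goes here>>"

# client (application) credentials on apim.byu.edu
# The implicit grant never sends client_secret; it is kept here only so the
# sample has the same settings as the other grant types.
client_id = '<<your client_id goes here>>'
client_secret = '<<your client_secret goes here>>'

# step A - single call with client id and call back url on the url
# will return access_token
# The query string is built by Requests so that every value is URL-encoded;
# a redirect_uri containing '&', '?' or '#' would otherwise corrupt the request.
authorization_params = [
    ('response_type', 'token'),
    ('client_id', client_id),
    ('redirect_uri', callback_uri),
    ('scope', 'openid'),
]
authorization_redirect_url = requests.Request(
    'GET', authorize_url, params=authorization_params).prepare().url

# The prompt names the access_token: this flow returns a token, not a code.
print("go to the following url on the browser and enter the access_token from the returned url: ")
print("--- " + authorization_redirect_url + " ---")
access_token = read_line('access_token: ')

# step H - we can now use the returned access_token to call the protected API
api_call_headers = {'Authorization': 'Bearer ' + access_token}
# TLS certificate verification stays at the Requests default (enabled) because
# the bearer token is sent on this call; the timeout keeps a stalled
# connection from hanging the script.
api_call_response = requests.get(
    test_api_url, headers=api_call_headers, timeout=30)

print(api_call_response.text)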
Resource Owner Password Credentials Grant Type
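This sample assumes the redirect_uri registered with the client application is invalid. If the redirect_uri is invalid, the browser will stop the redirect and show the authorization code. Note that the script below never opens a browser or sends a redirect_uri: it posts the resource owner's credentials directly to the token endpoint, so this assumption has no effect on it.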
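"""OAuth 2.0 resource owner password credentials grant.

The script asks for the end user's netid and password, posts them to the
token endpoint together with the client credentials, and uses the returned
access token for one call to a protected API.

NOTE(review): the OAuth 2.0 Security Best Current Practice (RFC 9700) rules
this grant out because the client handles the user's password directly; keep
it to legacy integrations that cannot use the authorization code grant.
"""
__author__ = 'bdm4'

import getpass
import json

import requests

# Python 2 names the line-reading builtin raw_input; Python 3 names it input.
try:
    read_line = raw_input
except NameError:
    read_line = input

token_url = "https://api.byu.edu/token"

test_api_url = "<<url of the api you want to call goes here>>"

# Step A - resource owner supplies credentials

# Resource owner (enduser) credentials
# getpass keeps the password off the terminal while it is typed.
RO_user = read_line('Enduser netid: ')
RO_password = getpass.getpass('Enduser password: ')

# client (application) credentials on apim.byu.edu
# Placeholders only: keep the real client_secret out of source control.
client_id = '<<client_id goes here>>'
client_secret = '<<client_secret goes here>>'

# step B, C - single call with resource owner credentials in the body and
# client credentials as the basic auth header
# will return access_token
data = {
    'grant_type': 'password',
    'username': RO_user,
    'password': RO_password,
}

# TLS certificate verification stays at the Requests default (enabled): this
# request carries the user's password and the client secret, so the token
# endpoint's identity has to be checked. The timeout keeps a stalled
# connection from hanging the script.
access_token_response = requests.post(
    token_url, data=data, allow_redirects=False,
    auth=(client_id, client_secret), timeout=30)

# The response is printed for demonstration only; it contains the token, so
# real code should not write it to a console or a log.
print(access_token_response.headers)
print(access_token_response.text)

# Stop on a 4xx/5xx answer instead of failing later on a missing key.
access_token_response.raise_for_status()

tokens = json.loads(access_token_response.text)
print("access token: " + tokens['access_token'])

# Step C - now we can use the access_token to make as many calls as we want.
api_call_headers = {'Authorization': 'Bearer ' + tokens['access_token']}
print(api_call_headers)

# Verification is enabled here as well: the bearer token is sent on this call.
api_call_response = requests.get(
    test_api_url, headers=api_call_headers, timeout=30)

print(api_call_response.text)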
Client Credentials Grant Type
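This sample assumes the redirect_uri registered with the client application is invalid. If the redirect_uri is invalid, the browser will stop the redirect and show the authorization code. Note that the script below never opens a browser or sends a redirect_uri: it authenticates to the token endpoint with the client credentials alone, so this assumption has no effect on it.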
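"""OAuth 2.0 client credentials grant.

The script authenticates to the token endpoint with the client id and secret
alone (no end user is involved) and uses the returned access token for one
call to a protected API.
"""
__author__ = 'bdm4'

import json

import requests

token_url = "https://api.byu.edu/token"

test_api_url = "<<URL of the API you want to call goes here>>"

# client (application) credentials on apim.byu.edu
# Placeholders only: keep the real client_secret out of source control. In
# this grant the secret is the only thing protecting the token.
client_id = '<<client_id goes here>>'
client_secret = '<<client_secret goes here>>'

# step A, B - single call with client credentials as the basic auth header -
# will return access_token
data = {'grant_type': 'client_credentials'}

# TLS certificate verification stays at the Requests default (enabled): this
# request carries the client secret, so the token endpoint's identity has to
# be checked. The timeout keeps a stalled connection from hanging the script.
access_token_response = requests.post(
    token_url, data=data, allow_redirects=False,
    auth=(client_id, client_secret), timeout=30)

# The response is printed for demonstration only; it contains the token, so
# real code should not write it to a console or a log.
print(access_token_response.headers)
print(access_token_response.text)

# Stop on a 4xx/5xx answer instead of failing later on a missing key.
access_token_response.raise_for_status()

tokens = json.loads(access_token_response.text)
print("access token: " + tokens['access_token'])

# step B - with the returned access_token we can make as many calls as we want
api_call_headers = {'Authorization': 'Bearer ' + tokens['access_token']}
# Verification is enabled here as well: the bearer token is sent on this call.
api_call_response = requests.get(
    test_api_url, headers=api_call_headers, timeout=30)

print(api_call_response.text)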