OAuth 2 resource_owner


#1

Hi there

I am trying to connect to an API which has the resource owner as a flow type, which I believe is basically OAuth 2 password.

The requirement of the POST body is as follows

grant_type=password&username={{USERNAME}}&password={{PASSWORD}}&scope=read+write&redirect_uri=http://127.0.0.1

It also requires an Authorization: Basic header with a client secret and id encrypted into base 64.

This returns an access_token.

I’ve read through this page https://help.dropsource.com/docs/tutorials/working-with-apis/authenticate-api-requests-with-oauth2-password/

but I’m still a bit confused. The base URL of the identity server is DIFFERENT to that of the main API (it serves security for a number of different APIs), so where do I set the URL for the auth request?

What’s the best way to go about setting this up? The username and password would be captured from the first page of the app when the user enters it to then be sent with the post request.


#2

Hi there:

  • Your example of what the auth endpoint requires looks like the parameters are sent in the query string rather than the body - does that sound right? If so you’ll need to indicate that in your Swagger spec. From one of the query parameters I’m seeing a redirect URI with a localhost address - not sure if that’s just an example, but I’d recommend making sure you understand what that’s doing and verifying that structure works at your backend. Using redirects is different in mobile vs the web, and in Dropsource you can’t redirect request callbacks to your app.
  • I have never tried using more than one base URL, but I would guess you may need to do that using two Swagger specs and calling your auth endpoint in one, then your other endpoints from the other (once you’ve saved your access token to a variable which you can then send to the requests). From a quick Google I’m seeing info about using multiple base URLs in Swagger 3.0, but we only support 2.0 right now.
  • The authorization bearer header is automatically added if you specify OAuth2 password flow in your spec. Dropsource provides actions for base64 encoding so you can use those on any values in your app.

I’d recommend authoring your spec(s) and testing them out in Stoplight.io or Postman before attempting to implement this in Dropsource.

Hope that helps!


#3

Hiya, thanks for the response.

Yep, know about localhost, that’s just an example :) The data is sent in the BODY of the request, not the query parameters.

Two Swagger specs does seem to make sense. Didn’t know Dropsource supported uploading more than one into an app.


#4

No problem! OK, so just to be clear, Dropsource can only send body data in JSON format. The structure in your example looks like the format you’d normally use for a query string, but if that’s just an example of the fields you need, you should be fine as long as your backend will accept it as JSON.
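
The token request discussed in posts #1 to #4, as an added example that is not part of the thread and is not Dropsource or Swagger code. It builds the request with Python's standard library without sending it; the host names and function names are assumptions, and the field names come from post #1.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode
from urllib.request import Request

# Constructed placeholders: the thread does not name the real hosts.
TOKEN_URL = "https://identity.example.com/connect/token"  # identity server
API_BASE = "https://api.example.com"                      # main API, different base URL


def basic_header(client_id: str, client_secret: str) -> str:
    # RFC 6749 section 2.3.1: form-urlencode each part, join with ":", base64.
    # Base64 is a reversible encoding, so only TLS protects this header.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode("ascii")


def build_token_request(client_id, client_secret, username, password,
                        scope="read write", redirect_uri=None) -> Request:
    fields = {"grant_type": "password", "username": username,
              "password": password, "scope": scope}
    if redirect_uri:
        # Not an RFC 6749 password-grant field; the API in post #1 asks for it.
        fields["redirect_uri"] = redirect_uri
    # Form body: key=value pairs joined with "&", each value percent-encoded.
    # This is a different wire format from a JSON body.
    body = urlencode(fields).encode("ascii")
    return Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": basic_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    })


def build_api_request(path: str, token_response: bytes) -> Request:
    # The token is issued by the identity server and presented to the API host.
    token = json.loads(token_response)["access_token"]
    return Request(API_BASE + path, headers={"Authorization": f"Bearer {token}"})
```
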