An access token is required before an application can access Cortex. To validate the end user’s credentials, the client application can request a registered user access token. This token enables access to resources that require a registered account and resources that do not require registered accounts.
Requesting an Access Token
Below is an example of the authentication workflow for requesting a REGISTERED access token from the client application’s perspective.
Send a POST request to the OAuth2 Resource and set the Content-Type to application/x-www-form-urlencoded:
POST http://www.myapi.net/cortex/oauth2/tokens
Content-Type: application/x-www-form-urlencoded
Depending on your deployment configuration, the `cortex` URI path might not be required in the `POST` request.
Revoking an Access Token
Revoke an access token by calling DELETE on the OAuth2 Resource. Include the access token to revoke in the Authorization request header:
DELETE http://www.myapi.net/oauth2/tokens
Authorization: Bearer c7326d79-9273-4820-b45d-587f90d1dc9b
Access Token Validity and Expiration
Access tokens are immediately valid once they are returned to the client application. Tokens are valid for 1 week, after which they expire and are no longer valid for access.
Sample OAuth2.0 Authentication Application
We recommend using a client library to handle OAuth 2.0 authentication instead of implementing it yourself. The sample code below is for demonstration purposes only; it is not production-ready code. The sample code is written using jQuery.
The example starts with the authentication form that captures the required information from the end-user.
Once the user clicks the 'Log In' button, the oAuthSubmit function sends the user's credentials to the OAuth2 resource. If authentication is successful, a JSON response is returned to the client with the token in the body of the response. In this example, the client prepends the string 'Bearer' to the token when it is persisted. Bearer is the OAuth 2.0 standard token type and is required when the token is used to access protected resources.
For more information, see Using an access token above. The client application also authenticates users with its current scope and as a registered customer.
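The same workflow (request the token, persist it with the 'Bearer' prefix, track the 1-week validity, revoke it on logout) as an added example in plain JavaScript; it is not the page's jQuery sample or Cortex's own client code. The endpoint URLs, the Bearer prefix and the 1-week lifetime come from the page; the form field names (grant_type, username, password, scope, role), the access_token response field and the sample scope value are assumptions based on standard OAuth 2.0 password-grant usage.

```javascript
// Added example, not the original page's jQuery sample. Endpoints and token
// lifetime are from the page; form field and response field names are ASSUMED.
const TOKEN_URL = 'http://www.myapi.net/cortex/oauth2/tokens';  // POST target
const REVOKE_URL = 'http://www.myapi.net/oauth2/tokens';        // DELETE target (page example)
const TOKEN_TTL_MS = 7 * 24 * 60 * 60 * 1000;                   // page: valid for 1 week

// Build the POST that requests a REGISTERED access token. Credentials travel in the
// form-encoded body, never in the query string, so they do not land in access logs.
function buildTokenRequest({ username, password, scope }) {
  const body = new URLSearchParams({
    grant_type: 'password',   // assumed parameter name (OAuth 2.0 password grant)
    username,
    password,
    scope,                    // assumed parameter name
    role: 'REGISTERED',       // assumed parameter name and value
  });
  return {
    method: 'POST',
    url: TOKEN_URL,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Persist the token with the 'Bearer' prefix (as the page's sample does) together
// with the time it stops being valid, so the client re-authenticates instead of
// sending an expired token. Rejects a response that carries no token.
function storeToken(responseJson, issuedAtMs) {
  const token = responseJson && responseJson.access_token; // assumed field name
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('token response contains no access token');
  }
  return { authorization: `Bearer ${token}`, expiresAtMs: issuedAtMs + TOKEN_TTL_MS };
}

// True once the 1-week validity window has elapsed.
function isExpired(stored, nowMs) {
  return nowMs >= stored.expiresAtMs;
}

// Build the DELETE that revokes the token; the stored 'Bearer ...' value is sent
// unchanged in the Authorization header, exactly as in the page's DELETE example.
function buildRevokeRequest(stored) {
  return { method: 'DELETE', url: REVOKE_URL, headers: { Authorization: stored.authorization } };
}
```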