OAuth2 cheat sheet

OAuth2.md

Password

In the Mura admin create a webservice and set it to OAuth2 Password and then use it's client_id and client_secret with this

You can choose to keep the client_secret an actual secret or not. It just depends on if you care if it's wide open or not.

http://localhost:8080/index.cfm/_api/rest/v1/{siteid}/oauth2?client_id={client_id}&client_secret={client_secret}&grant_type=password&username={username}&password={password}

Client Credentials

http://localhost:8080/index.cfm/_api/rest/v1/{siteid}/oauth2?client_id={client_id}&client_secret={client_secret}&grant_type=client_credentials

Implicit

This flow does not expose any sensitive data because JS in the client can't hide secrets

1. Redirect to login

{web_login}?response_type=token&client_id={client_id}&redirect_uri={redirect_uri}&state={state}

User logs in and is redirected to {redirect_uri}?token_type=bearer&expires_in={expires_in}&access_token={access_token}&state={state}

Authorization Code

1. Redirect to login

{web_login}?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state}

2. User logs in and is redirected to {redirect_uri}?code={code}&state={state}

3. Get access_token with code

http://localhost:8080/index.cfm/_api/rest/v1/{siteid}/oauth2/?grant_type=authorization_code&client_id={client_id}&client_secret={client_secret}&redirect_uri={redirect_uri}&code={code}

Refresh Token

http://localhost:8080/index.cfm/_api/rest/v1/{siteid}/oauth2?client_id={client_id}&client_secret={client_secret}&grant_type=refresh_token&refresh_token={refresh_token}

Token Info

http://localhost:8080/index.cfm/_api/rest/v1/{siteid}/oauth2/tokeninfo?client_id={client_id}&access_token={access_token}