In order to get the token, we need to call the authorization server sitting at /connect/token.
The following is a screenshot from Postman, where a POST request is sent to http://localhost:57571/connect/token with a body containing all the parameters required to authenticate the client. These are the details we registered in the GetClients() method in Step 1:
Oops! It's a bad request. That is because we passed the wrong secret for the client. If you remember, we set it as secretpassword, but passed it as secret, so the request was rejected. Note that the server answers with a generic error rather than spelling out which credential was wrong; that is deliberate, since a more specific message would help an attacker guess valid client IDs and secrets.
Some important things to note here. To get the token:
- We need to send a POST request to the /connect/token URL. As the authorization server is hosted in the same app as the API, the host and port are the same as the API's.
- We need the Content-Type header set to application/x-www-form-urlencoded (it is on a different tab in the screenshot). The token endpoint expects a form-encoded body, not JSON.
- In the body of the request, we send the parameters the OAuth 2.0 client credentials grant requires (grant_type=client_credentials, client_id, client_secret and scope), and their values must match exactly what we put in the configuration class.
When we send everything as required correctly, we will receive a token, as shown in the following screenshot:
We received the bearer token response defined by the OAuth 2.0 specification: access_token, expires_in and token_type. The expires_in value is in seconds and defaults to 3,600 for IdentityServer access tokens, meaning 1 hour; after that the token is no longer accepted. Because the token type is Bearer, anyone who holds the token can use it, so treat the token (and any screenshot that shows it) as a secret. Before this token expires, let's quickly call our API with it and see whether that works.
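The same exchange in code, as an added example that is not part of the original page or of IdentityServer itself: it builds the form-encoded client-credentials POST the list above describes, validates the token response (including the bad-request case from the first screenshot), and produces the Authorization header for the API call. The token URL and the secret secretpassword are taken from the text; CLIENT_ID and SCOPE are assumed placeholders for whatever GetClients() registered in Step 1, and the JSON responses in the usage note and tests are constructed samples.

```python
"""Client-credentials token request against the IdentityServer /connect/token
endpoint, mirroring the Postman exchange above.

Added example, not code from the original page. TOKEN_URL and the secret
"secretpassword" come from the text; CLIENT_ID and SCOPE are assumptions
standing in for whatever GetClients() registered in Step 1.
"""
import base64
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "http://localhost:57571/connect/token"
CLIENT_ID = "client"              # assumption: the client_id from GetClients()
CLIENT_SECRET = "secretpassword"  # the secret the text says was configured
SCOPE = "api1"                    # assumption: the API scope the client may request


class TokenError(Exception):
    """Raised when the token endpoint rejects the request or the token is unusable."""

    def __init__(self, status, error, description=None):
        msg = f"{status} {error}" + (f": {description}" if description else "")
        super().__init__(msg)
        self.status, self.error, self.description = status, error, description


def build_token_request(client_id, client_secret, scope,
                        token_url=TOKEN_URL, basic_auth=False):
    """Describe the POST the client_credentials grant needs (RFC 6749 s.4.4).

    The body is application/x-www-form-urlencoded, never JSON. By default the
    credentials go in the body (client_secret_post, which is what the Postman
    request did); with basic_auth=True they go in an Authorization: Basic
    header (client_secret_basic), which keeps the secret out of form bodies
    that tend to end up in logs and screenshots.
    """
    fields = {"grant_type": "client_credentials", "scope": scope}
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if basic_auth:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + creds
    else:
        fields["client_id"] = client_id
        fields["client_secret"] = client_secret
    return {"method": "POST", "url": token_url, "headers": headers,
            "body": urlencode(fields).encode()}


def parse_token_response(status, body, now=None):
    """Validate a token response and return (access_token, expires_at).

    Rejects error bodies (RFC 6749 s.5.2, e.g. the 400 from a wrong secret),
    responses missing any of the three fields the text lists, and token types
    other than Bearer, so a caller never forwards a malformed credential.
    """
    now = time.time() if now is None else now
    payload = json.loads(body)
    if status != 200 or "error" in payload:
        raise TokenError(status, payload.get("error", "unknown_error"),
                         payload.get("error_description"))
    for key in ("access_token", "expires_in", "token_type"):
        if key not in payload:
            raise TokenError(status, "invalid_response", f"missing {key}")
    if payload["token_type"].lower() != "bearer":
        raise TokenError(status, "unsupported_token_type", payload["token_type"])
    return payload["access_token"], now + int(payload["expires_in"])


def bearer_header(access_token, expires_at, now=None, skew=60):
    """Authorization header for the API call; refuses tokens within `skew`
    seconds of expiry so a request does not race the 1-hour lifetime."""
    now = time.time() if now is None else now
    if now >= expires_at - skew:
        raise TokenError(None, "token_expired", "request a new token first")
    return {"Authorization": f"Bearer {access_token}"}


def request_token(client_id, client_secret, scope, token_url=TOKEN_URL):
    """Send the request to a running server (needs the API from the chapter up)."""
    spec = build_token_request(client_id, client_secret, scope, token_url)
    req = Request(spec["url"], data=spec["body"], headers=spec["headers"],
                  method=spec["method"])
    try:
        with urlopen(req) as resp:
            return parse_token_response(resp.status, resp.read())
    except HTTPError as err:  # a 400 invalid_client still carries a JSON body
        return parse_token_response(err.code, err.read())


if __name__ == "__main__":
    token, expires_at = request_token(CLIENT_ID, CLIENT_SECRET, SCOPE)
    print(bearer_header(token, expires_at))
```

Running the script against the app from this chapter prints the Authorization header to use on the API call; with the wrong secret it raises TokenError carrying the server's status code and the error field from the JSON body instead of silently continuing. The basic_auth switch is there because both ways of presenting the client secret are valid under OAuth 2.0, and the header form is the one to prefer once the request leaves Postman.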