Great job! We’ve implemented the Client Credentials OAuth 2.0 flow in our application! Access tokens are obtained and used through ordinary HTTP requests. We can make an HTTP POST request to the `/auth` route to obtain an access token:
```http
POST http://localhost:4001/auth
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Y29kZWNhZGVteTpjb2RlY0BkZW15

grant_type=client_credentials
```
In the HTTP header, we set `Authorization` to `Basic` followed by the base64-encoded Client ID and Client Secret. In the POST request body, we provide `grant_type=client_credentials`. The server will respond with an access token that looks like this:
```json
{
  "accessToken": "<access token>",
  "accessTokenExpiresAt": "2021-06-17T01:02:37.272Z",
  "client": { "id": "codecademy" },
  "user": {}
}
```
To use the access token when requesting authenticated content, we pass it as a bearer token in the `Authorization` request header, replacing `<Access Token>` with the token returned from the request to `/auth`, like so:
```http
GET http://localhost:4001/secret
Authorization: Bearer <Access Token>
```
Instructions
Start the server by running `node app.js` in the terminal.

Open up a new terminal tab. Then, send the following HTTP request to `http://localhost:4001/auth` to obtain an access token using cURL:

```bash
curl --request POST \
  --url http://localhost:4001/auth \
  --header 'authorization: Basic Y29kZWNhZGVteTpjb2RlY0BkZW15' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials
```
Send the following cURL command to `http://localhost:4001/secret`, replacing `<ACCESS_TOKEN>` with the token returned by the previous cURL command:

```bash
curl --request GET \
  --url http://localhost:4001/secret \
  --header 'authorization: Bearer <ACCESS_TOKEN>'
```
Try requesting the `/secret` route without the access token by running:

```bash
curl localhost:4001/secret
```