OAuth 2.0 is an authorization protocol that lets applications obtain limited access to an HTTP resource. It allows a resource owner (the user) to share protected content from a resource server without handing over their credentials, through several flows known as Grant Types. Of the six grant types described in the OAuth 2.0 specification, Martini supports resource access using the password and refresh token grant types.
Acquiring access tokens
To access a protected resource, a client must prove its identity by acquiring an access token. Access tokens are short-lived: they are valid for at most one hour, after which the client must re-authenticate or refresh the token.
In the password-based authorization flow, a client application first requests an access token using a valid username and password. Assuming you have a user configured, you can send a request to the token endpoint:
To reduce how often the client has to send its username and password, Martini supports refresh tokens. Refresh tokens live longer than access tokens, at most 12 hours. As with the password grant type, you send a request to the token endpoint to acquire a new access token:
Despite what the word refresh suggests, the server actually issues a new access token every time a refresh request is made.
With either grant type, we can then use the access_token from this response to access otherwise protected resources on the server, by attaching it in the Authorization header, prefixed with
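As an added example (not Martini's own code or documentation), the two token requests described above together with the expiry handling a client needs around them: a small Python client that uses the password grant first, uses the refresh token grant while the refresh token is still within its 12-hour lifetime, and falls back to the password grant otherwise. The token endpoint URL is a placeholder, and the Bearer scheme for the Authorization header (RFC 6750) is assumed, since the page does not state it.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholder: the token endpoint path of your Martini instance is an assumption here.
TOKEN_URL = "https://martini.example/oauth/token"

def http_post_form(url, form):
    # Form-encoded POST to the token endpoint (RFC 6749) returning the parsed JSON reply.
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

class TokenClient:
    ACCESS_TTL, REFRESH_TTL = 3600, 12 * 3600  # documented maxima: 1 h and 12 h

    def __init__(self, username, password, token_url=TOKEN_URL, post=http_post_form, clock=time.time, skew=60):
        self._creds = {"username": username, "password": password}
        self._url, self._post, self._clock, self._skew = token_url, post, clock, skew
        self.access_token = self.refresh_token = None
        self._access_exp = self._refresh_exp = 0.0

    def _grant(self, form, name):
        reply = self._post(self._url, form)
        now = self._clock()
        self.access_token = reply["access_token"]
        # Honour expires_in when sent, but never trust a lifetime above the documented maximum.
        self._access_exp = now + min(reply.get("expires_in", self.ACCESS_TTL), self.ACCESS_TTL)
        if "refresh_token" in reply:  # a refresh reply may or may not rotate the refresh token
            self.refresh_token, self._refresh_exp = reply["refresh_token"], now + self.REFRESH_TTL
        return name

    def ensure_token(self):
        # Returns None (cached token still valid), "refresh_token" or "password": whichever grant was used.
        now = self._clock() + self._skew  # treat tokens as expired a little early
        if self.access_token and now < self._access_exp:
            return None
        if self.refresh_token and now < self._refresh_exp:
            try:
                return self._grant({"grant_type": "refresh_token", "refresh_token": self.refresh_token}, "refresh_token")
            except urllib.error.HTTPError:  # e.g. invalid_grant: fall back to the credentials
                pass
        return self._grant({"grant_type": "password", **self._creds}, "password")

    def auth_header(self, scheme="Bearer"):
        self.ensure_token()
        return {"Authorization": f"{scheme} {self.access_token}"}  # Bearer scheme (RFC 6750) assumed
```

Inject `post` and `clock` to exercise the expiry logic against a fake endpoint, as the test does; with the defaults it talks to the placeholder URL over HTTPS.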