Example: Credentials REST API for OAuth 2.0 based authentication
This example shows how to use the cloud operations Credentials REST API to manage client credentials for OAuth 2.0 based authentication of client applications.
- Before you begin
- Authorization: The caller of the API must have the Account Administrator role.
- All API calls require a valid cross-site request forgery (CSRF) token in the IBM-CSRF-TOKEN header of the call. Obtain a CSRF token by using
  POST /instance/services/csrf_token
  For more information, see Preventing cross site request forgery.
- Retrieve a list of OAuth 2.0 client credentials
- Use the following call to display a list of client credentials for the subscription:
  GET /instance/services/credentials/oauth_clients
  A list of client credentials is returned. Each entry includes the client ID, the creator of the credentials, the creation time, and the description. To add paging to the call, use the offset and size parameters:
  GET /instance/services/credentials/oauth_clients?offset=11&size=10
- Create a set of OAuth 2.0 client credentials
- Client credentials consist of a client ID and a client secret. The client ID is generated from a prefix that you specify in the JSON object in the body of the call. It's a good practice to specify a description too so that you can easily identify later what the credentials are used for. For example, if you want to create credentials for a loan application, use the following call:
  POST /instance/services/credentials/oauth_clients
  ...
  {
    "id_prefix": "loanapp",
    "description": "OAuth credentials for loan application."
  }
  The returned object includes the generated client ID and client secret. Use these credentials together with service credentials for OAuth-based access control to the cloud environment for your loan application. For more information, see Using OAuth 2.0 based authentication for client applications.
- Delete a set of OAuth 2.0 client credentials
- Use the following call to delete client credentials:
  DELETE /instance/services/credentials/{client_id}
  The client ID and the client secret are deleted. If client applications are still using the credentials for OAuth 2.0 based authentication, they won't be able to get new refresh tokens; the HTTP BAD_REQUEST (400) response code will be returned instead. For more information, see the refresh step in Using OAuth 2.0 based authentication for client applications.
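The whole procedure above (fetch a CSRF token, list, create, delete) as a small Python client, added here as an example and not taken from the product documentation or from IBM's own tooling. The endpoint paths, the IBM-CSRF-TOKEN header, the id_prefix/description request body and the offset/size paging parameters come from the page; the base URL, the session cookie, the JSON field names of the responses ("token", "credentials", "client_id", "client_secret", "created_by", "created"), the success status codes and the in-memory FakeCredentialsService used to run the demo offline are assumptions.

```python
"""Added example (not the product's code): client for the Credentials REST API
described above, plus a constructed in-memory fake of the service for offline use.
Assumed: base URL, session cookie, response field names and success status codes."""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, raw body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

OAUTH_CLIENTS = "/instance/services/credentials/oauth_clients"


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport; hands back 4xx/5xx status codes instead of raising."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class CredentialsClient:
    def __init__(self, base_url: str, transport: Transport, session_cookie: str):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.cookie = session_cookie  # assumed: a session held by an Account Administrator
        self.csrf_token: Optional[str] = None

    def _call(self, method: str, path: str, body: Optional[dict] = None, expect: Tuple[int, ...] = (200,)):
        headers = {"Accept": "application/json", "Cookie": self.cookie}
        if self.csrf_token:  # every call after csrf_token must carry the token
            headers["IBM-CSRF-TOKEN"] = self.csrf_token
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        status, raw = self.transport(method, self.base_url + path, headers, data)
        if status not in expect:
            raise RuntimeError(f"{method} {path} returned HTTP {status}")
        return status, (json.loads(raw) if raw else None)

    def fetch_csrf_token(self) -> str:
        _, payload = self._call("POST", "/instance/services/csrf_token")
        self.csrf_token = payload["token"]  # assumed field name
        return self.csrf_token

    def list_clients(self, offset: Optional[int] = None, size: Optional[int] = None) -> List[dict]:
        params = {k: v for k, v in (("offset", offset), ("size", size)) if v is not None}
        path = OAUTH_CLIENTS + ("?" + urllib.parse.urlencode(params) if params else "")
        _, payload = self._call("GET", path)
        return payload["credentials"]  # assumed field name

    def create_client(self, id_prefix: str, description: str) -> dict:
        # The client secret is returned only by this call: store it in a secret
        # manager right away and never write it to logs.
        _, payload = self._call("POST", OAUTH_CLIENTS,
                                {"id_prefix": id_prefix, "description": description}, expect=(200, 201))
        return payload

    def delete_client(self, client_id: str) -> int:
        status, _ = self._call("DELETE", "/instance/services/credentials/" + urllib.parse.quote(client_id),
                               expect=(200, 204))
        return status


class FakeCredentialsService:
    """Constructed stand-in for the service (offline demo only). It models what the
    page states: calls without a valid IBM-CSRF-TOKEN are refused, listing honours
    offset/size, and the secret is minted once at creation and never listed."""

    def __init__(self):
        self.token = "csrf-" + secrets.token_hex(8)
        self.clients: Dict[str, dict] = {}

    def __call__(self, method, url, headers, body):
        parts = urllib.parse.urlsplit(url)
        path, query = parts.path, dict(urllib.parse.parse_qsl(parts.query))
        if method == "POST" and path == "/instance/services/csrf_token":
            return 200, json.dumps({"token": self.token}).encode()
        if headers.get("IBM-CSRF-TOKEN") != self.token:
            return 403, b'{"error": "missing or invalid CSRF token"}'
        if method == "GET" and path == OAUTH_CLIENTS:
            entries = list(self.clients.values())
            offset, size = int(query.get("offset", 0)), int(query.get("size", len(entries)))
            return 200, json.dumps({"credentials": entries[offset:offset + size]}).encode()
        if method == "POST" and path == OAUTH_CLIENTS:
            req = json.loads(body)
            record = {"client_id": f"{req['id_prefix']}-{secrets.token_hex(4)}",  # constructed id scheme
                      "created_by": "admin@example.test", "created": "2024-01-01T00:00:00Z",
                      "description": req.get("description", "")}
            self.clients[record["client_id"]] = record
            return 201, json.dumps({**record, "client_secret": secrets.token_urlsafe(32)}).encode()
        if method == "DELETE" and path.startswith("/instance/services/credentials/"):
            return (204, b"") if self.clients.pop(path.rsplit("/", 1)[1], None) else (404, b"")
        return 404, b""


if __name__ == "__main__":
    client = CredentialsClient("https://cloudops.example.test", FakeCredentialsService(), "session=constructed")
    client.fetch_csrf_token()
    created = client.create_client("loanapp", "OAuth credentials for loan application.")
    print("created", created["client_id"])
    print("listed", [c["client_id"] for c in client.list_clients(offset=0, size=10)])
    print("deleted with HTTP", client.delete_client(created["client_id"]))
```

To run against a real instance, pass urllib_transport instead of the fake and the base URL of your cloud operations endpoint; the transport is injected so the CSRF handling and paging logic can be exercised without network access. Note that the client raises on any unexpected status, so a missing or stale CSRF token surfaces immediately rather than being silently ignored.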