Migrating to OAuth2 Tokens
Existing applications that use the Pre-2017 Authorization (Deprecated) framework need to move to support the new OAuth2 Bearer Tokens. Applications will need to migrate their existing users who already have connected to it to obtain new Oauth2 tokens without requiring users to reauthorize. This can be done by exchanging an old access token for a new refresh token.
Base URIs
When making API calls, the appropriate base URI for the user’s geolocation should be used. .
Exchanging a Token
In order to support new OAuth2, applications need to exchange old access token for new accessToken and refreshToken pair. Once obtained, applications should store these refreshTokens as part of users authorization data.
The new OAuth2 accessToken has a one hour lifetime. Once expired, applications would need to call OAuth2’s /v0/token endpoint using a refresh_grant, passing in the user’s refreshtoken to obtain a fresh accessToken.
This is significantly different from how the deprecated /net2/OAuth2’s method of handling access tokens. Partner’s would have to store the new OAuth2 refreshToken instead of the old access token. Before making a call to any of the new v4 APIs, it is advisable to request for a new accessToken before making the API call.
Step 1: Obtain Application Token Clients can exchange OLD tokens for NEW OAuth2 tokens by calling the exchangeRefreshToken/me endpoint. In order to call this endpoint, you would first need to obtain an Application Token by calling the /v0/token endpoint with the client_credentials grant.
The endpoint also supports a parameter called “returnType=companyToken” This parameter allows a partner who already has what is known as a “WSAdmin” token for a client, to exchange that token for a Company level refresh token.
Step 2: Call exchangeRefreshToken
POST /appmgmt/v0/legacyApps/{OLDConsumerKey}/exchangeRefreshToken/me
If you are exchanging a WSAdmin token for a new Company level refresh token:
POST /appmgmt/v0/legacyApps/{OLDConsumerKey}/exchangeRefreshToken/me?returnType=companyToken
Request Header
Authorization
string
Bearer <accessToken>
Required The NEW client_credentials accessToken.
Request Body
token
string
Required The OLD refreshToken
secret
string
Required The NEW application client_secret
Sample Curl:
successful call, responds with
Sample Curl for WSAdmin token exchange for Company level refreh token:
successful call, responds with
Step 3: Obtain New Access Token
Once you have the NEW refreshToken from the response (8c844478-745c-4c45-adf7-1e2777a50dbf) you can then proceed to call /v0/token using the refresh grant to obtain a NEW OAuth2 accessToken.
Sample Curl:
successful call, responds with:
Response Codes
HTTP Status returned by exchangeAccessToken
200
OK - Successful call, response is in body.
400
Bad Request - see list of responses below.
404
Not Found
500
Server Error, error message is in body.
503
Server Timed Out, error message is in body.
exchangeAccessToken Response Codes
OK
OK - Successful call, response is in body.
INVALIDSCOPES
One or more scopes requested are not a subset of the allowed scopes.
INVALIDAPP
Application is invalid
INVALIDTOKEN
Bad or expired token
UNAUTHORIZED
Invalid credentials
HTTP Status returned by OAuth2
200
OK - Successful call, response is in body.
400
Bad Request (error, error_description, code)
401
Unauthorized (error, error_description, code)
403
Forbidden (error, error_description, code)
404
Not Found (error, error_description, code)
500
Server Error, error message is in body.
503
Server Timed Out, error message is in body.
4xx class errors have a JSON response with the following fields
/token
5
invalid_grant
Incorrect credentials. Please Retry
10
invalid_grant
Account is disabled. Please contact support
11
invalid_grant
Account is disabled. Please contact support
12
invalid_grant
Logon Denied. Please contact support
13
invalid_grant
Logon Denied. Please contact support
14
invalid_grant
Account Locked. Please contact support
16
invalid_request
user lives elsewhere
19
invalid_grant
Incorrect credentials. Please Retry
20
invalid_grant
Logon Denied. Please contact support (typically due to IP restriction)
51
invalid_request
username was not supplied
52
invalid_request
password was not supplied
53
invalid_client
company is not enabled for this client
54
invalid_scope
requested scope exceeds granted scope
55
invalid_request
we don’t know this email
56
invalid_request
otp was not supplied
57
invalid_request
channel_type missing
58
invalid_request
channel_handle missing
59
access_denied
client disabled
60
invalid_grant
these are not the grants you are looking for
61
invalid_client
client not found
62
invalid_request
client_id was not supplied
63
invalid_request
client_secret was not supplied
64
invalid_client
Incorrect credentials. Please Retry
65
invalid_request
grant_type was not supplied
80
invalid_request
invalid channel type
81
invalid_request
bad channel handle
83
invalid_request
otp not found
84
invalid_request
fact verification failed
85
invalid_request
otp verification failed
100
invalid_request
backend does not know about this username
101
invalid_request
code was not supplied
102
invalid_request
redirect_uri was not supplied
103
invalid_request
code is bad or expired
104
invalid_grant
redirect_uri does not match the previous grant
105
invalid_grant
this grant was not issued to you!
106
invalid_request
refresh_token was not supplied
107
invalid_request
refresh disallowed for app
108
invalid_grant
bad or expired refresh token
109
invalid_request
loginid was not supplied
115
invalid_request
unauthenticated client will not be issued token!
117
invalid_request
nonce is mandatory for this response_type
118
invalid_request
display is invalid
119
invalid_request
prompt is invalid
119
invalid_request
prompt must be set to consent for offline_access
120
invalid_request
credtype is invalid
121
invalid_request
login_type is invalid
122
invalid_request
proxies supplied are invalid
123
invalid_request
principal is disabled
Last updated