OAuth API Documentation


Authorization Code Grant

  • Authorization Request

    • The application first needs to decide which permissions it is requesting, then send the user to a browser to get their permission. To initiate this authorization flow, form a URL as below and redirect the end user's browser to the URL:
    •             GET http://<wp_base_url>/wp-json/moserver/authorize
                  ?response_type=code
                  &client_id= <client_id_goes_here>
                  &redirect_uri= <callback_url>
                  &scope= <permissions_requesting>
                  &state= <security_token>
                
    • response_type=code: The type of response you are expecting. To receive an authorization code, it must have the value code. This tells the authorization server that the application is initiating the authorization flow.
    • client_id: The client ID provided by the OAuth provider.
    • redirect_uri: The callback URL to which the user is redirected once they allow or deny access to your app.
    • scope: One or more space-separated strings that indicate the permissions your application is requesting.
    • state: The application generates a random string and includes it in the request. It should then check that the same value is returned after the user authorizes the app.
    • If the user allows access to your app, their browser will be redirected to the supplied redirect URL, and the request will include the code and state parameters in the query string.
    • For example, the user may be redirected back to a URL such as:
    •               https://example-app.com/redirect
                    ?code=<authorization-code>
                    &state=<security_token>
                
    • The code is the authorization code, which can be exchanged for an access token. It is generated by the authorization server and is relatively short-lived.
    • The state is the same security token that the application initially set in the request.
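
The state check described above, as an added example that is not part of the original documentation: it binds a random state value to the user's session when building the authorization URL and rejects any callback whose state does not match. The host wp.example.com, the client ID and the dictionary used as a session store are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for illustration; use your own deployment's settings.
AUTHORIZE_URL = "https://wp.example.com/wp-json/moserver/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://example-app.com/redirect"


def build_authorization_url(session, scope="profile"):
    """Create a fresh state, store it in the user's session, return the URL."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code only if state matches this session."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use, even on failure
    returned = params.get("state", [""])
    if expected is None or len(returned) != 1:
        raise ValueError("no pending request, or state repeated")
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    if not hmac.compare_digest(expected.encode(), returned[0].encode()):
        raise ValueError("state mismatch: discard the code")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing or repeated code")
    return codes[0]
```

Because the stored state is removed on every callback, a replayed redirect fails even when it carries the original state value.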
  • Token Request

    • If the end user granted your app access and you receive an Authorization Code, you can exchange the Authorization Code for an Access Token by making a POST request to the token endpoint.
    • The following is an example of a POST request:
    •               POST http://<wp_base_url>/wp-json/moserver/token
                    Content-Type: application/x-www-form-urlencoded
               
                    grant_type=authorization_code&
                    code=<authorization_code>&
                    client_id=<client_id>&
                    client_secret=<clientSecret>&
                    redirect_uri=<redirect_uri>
                    
                    
    • Here is the description of each request parameter.
      • grant_type=authorization_code: The type of grant you are providing. This tells the server that the application is using the authorization code grant type.
      • code: The authorization code received in the previous step.
      • redirect_uri: The same URI that was provided earlier in the authorization request.
      • client_id: The client ID provided by the OAuth provider.
      • client_secret: The client secret provided by the OAuth provider.
    • At the token endpoint, all parameters in the request are verified, ensuring that the code hasn't expired and that the client ID and secret match. If the request is successful, the server generates an access token and returns it in the response:
    •               HTTP/1.1 200 OK
                    Content-Type: application/json
                    Cache-Control: no-store
                    {
                      "access_token":"hkjher92u9eu2u3uihi2eh9293",
                      "token_type":"bearer",
                      "expires_in":3600,
                      "scope":"profile",
                      "id_token":""
                    }
                    
    • Here is the description of each parameter received in the response.
      • access_token: Access token for the Userinfo endpoint.
      • token_type: OAuth 2.0 token type value. The value must be Bearer.
      • expires_in: The expiry time of the access token.
      • scope: One or more space-separated strings that indicate the permissions your application is requesting.
      • id_token: The ID Token is a security token that contains Claims about the authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims.
    • If the request fails, the response will have the status 404 Bad Request and the following content:
    •               "error" : "invalid_request",
                    "error_description" : "A more detailed description of the error intended for the developer of your app."
                
  • Resource Request

    • If the token request is successful, you will receive an access token in the response, which can be used to access the protected resources via the API.
    • Userinfo request: The following is a non-normative example of a Userinfo request:
    •                    GET http://<wp_base_url>/wp-json/moserver/resource
                         Host: server.example.com
                         Authorization: Bearer <access_token>
                      
    • The resource server validates and verifies the access token and checks that it has not expired. If the resource request is valid, the resource server returns the claims, which are represented by a JSON object that contains a collection of name and value pairs for the Claims.
    • Successful Userinfo response:
    • The UserInfo Claims MUST be returned as the members of a JSON object.

      Below is an example:
    •                 {
                        "id": "1",
                        "username": "abc",
                        "first_name": "xyz",
                        "last_name": "example",
                        "picture": "https://example.com/-kwtzesU/photo.jpg",
                        "email": "abc@example.com",
                        "locale": "en",...
                      }
                

Implicit Grant

  • Authorization Request

    • The application first needs to decide which permissions it is requesting, then send the user to a browser to get their permission. To initiate this implicit flow, form a URL as below and redirect the end user's browser to the URL:
    •               GET http://<wp_base_url>/wp-json/moserver/authorize
                    ?response_type=token
                    &client_id= <client_id_goes_here>
                    &redirect_uri= <callback_url>
                    &scope= <permissions_requesting>
                    &state= <security_token>
                
    • response_type=token: The type of response you are expecting. This tells the authorization server that the application is initiating the implicit flow. Note the difference from the Authorization Code flow, where this value is set to code.
    • client_id: The client ID provided by the OAuth provider.
    • redirect_uri: The callback URL to which the user is redirected once they allow or deny access to your app.
    • scope: One or more space-separated strings that indicate the permissions your application is requesting.
    • state: The application generates a random string and includes it in the request. It should then check that the same value is returned after the user authorizes the app.
    • If the user allows access to your app, their browser will be redirected to the supplied redirect URL, and the request will include the token and state parameters in the query string.
    • For example, the user may be redirected back to a callback URL such as:
    •         https://callback-url?
              #access_token=<access_token>
              &token_type=Bearer
              &expires_in=3600
              &scope=<permissions_requesting>
              
    • Note the two major differences between this and the Authorization Code flow: the access token is returned instead of the authorization code in the response.
    • The client can then use the access token to access protected resources from the resource server.
      Here is the description of each parameter received in the response.
      • access_token: Access token for the Userinfo endpoint.
      • token_type: OAuth 2.0 token type value. The value must be Bearer.
      • expires_in: The expiry time of the access token.
      • scope: One or more space-separated strings that indicate the permissions your application is requesting.
  • Resource Request

    • The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. The returned Claims are represented by a JSON object that contains a collection of name and value pairs for the Claims.
    • Userinfo request: The following is a non-normative example of a Userinfo request:
    •              GET http://<wp_base_url>/wp-json/moserver/resource
                   Host: server.example.com
                   Authorization: Bearer <access_token>
                
    • Successful Userinfo response:
    • The UserInfo Claims MUST be returned as the members of a JSON object.

      Below is an example:
    •           {
                  "id": "1",
                  "username": "abc",
                  "first_name": "xyz",
                  "last_name": "example",
                  "picture": "https://example.com/-kwtzesU/photo.jpg",
                  "email": "abc@example.com",
                  "locale": "en",...
                }
                

Password Grant

  • The resource owner password (or "password") grant type is mostly used in cases where the app is highly trusted. In this configuration, the user provides their resource server credentials (username/password) to the client app, which sends them in an access token request.
  • Token Request

    • The Password grant is one of the simplest OAuth grants and involves only one step: the application presents a traditional username and password login form to collect the user’s credentials and makes a POST request to the server to exchange the password for an access token. The POST request that the application makes looks like the example below.
    •           POST http://<wp_base_url>/wp-json/moserver/token
                Host: authorization-server.com
                Content-type: application/x-www-form-urlencoded
        
                grant_type=password
                &username=exampleuser
                &password=12345678
                &client_id=xxxxxxxxxx
                &client_secret=xxxxxxxxxx
                
    • The POST parameters in this request are explained below.
      • grant_type=password: This tells the server we’re using the Password grant type.
      • username: The user’s username that they entered in the application.
      • password: The user’s password that they entered in the application.
      • client_id: The public identifier of the application that the developer obtained during registration.
      • client_secret: The client secret provided by the OAuth provider.
    • At the token endpoint, all parameters in the request are verified, ensuring that the code hasn't expired and that the client ID and secret match. If the request is successful, the server generates an access token and returns it in the response:
    •             HTTP/1.1 200 OK
                    Content-Type: application/json
                    Cache-Control: no-store
                    {
                      "access_token":"hkjher92u9eu2u3uihi2eh9293",
                      "token_type":"bearer",
                      "expires_in":3600,
                      "scope":"profile",
                      "id_token":""
                    }
                    
    • The client can then use the access token to access protected resources from the resource server.
      Here is the description of each parameter received in the response.
      • access_token: Access token for the Userinfo endpoint.
      • token_type: OAuth 2.0 token type value. The value must be Bearer.
      • expires_in: The expiry time of the access token.
      • scope: One or more space-separated strings that indicate the permissions your application is requesting.
  • Resource Request

    • The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. The returned Claims are represented by a JSON object that contains a collection of name and value pairs for the Claims.
    • Userinfo request: The following is a non-normative example of a Userinfo request:
    •              GET http://<wp_base_url>/wp-json/moserver/resource
                   Host: server.example.com
                   Authorization: Bearer <access_token>
                
    • Successful Userinfo response:
    • The UserInfo Claims MUST be returned as the members of a JSON object.

      Below is an example:
    •           {
                  "id": "1",
                  "username": "abc",
                  "first_name": "xyz",
                  "last_name": "example",
                  "picture": "https://example.com/-kwtzesU/photo.jpg",
                  "email": "abc@example.com",
                  "locale": "en",...
                }
                

Client Credentials Grant

  • The Client Credentials grant can be used for machine-to-machine authentication. In this grant, no specific user is authorized; instead, the client's credentials are verified and a generic access_token is returned.
  • Token Request

    • To receive an access token, the client POSTs an API call with the values for the client ID and client secret obtained from a registered developer app, as follows.
    •           POST http://<wp_base_url>/wp-json/moserver/token
                    Content-Type: application/x-www-form-urlencoded
               
                    grant_type=client_credentials&
                    client_id=<client_id>&
                    client_secret=<clientSecret>&
                    redirect_uri=<redirect_uri>&
                    scope=<permisssions_requested>
                

    • Request parameters:
      • The POST request parameters are explained below.
      • grant_type=client_credentials: This tells the server we’re using the client credentials grant type.
      • client_id: The public identifier of the application that the developer obtained during registration.
      • client_secret: The client secret provided by the OAuth provider.
      • redirect_uri: The callback URL to which the user is redirected once they allow or deny access to your app.
      • scope: One or more space-separated strings that indicate the permissions your application is requesting.
    • If the credentials are valid, the application will receive back a signed JSON Web Token or access token, the token's type (which is Bearer), and the time until it expires, in Unix time.
    • Sample response
    •         {
                "access_token": <access_token>,
                "expires_in": 600,
                "token_type": "Bearer"
              }
                
    • Response elements:
      • access_token: Access token for the Userinfo endpoint.
      • expires_in: The expiry time of the access token.
      • token_type: OAuth 2.0 token type value. The value must be Bearer.
  • Resource Request

    • The Client Credentials grant does not support resource requests.

    Refresh Token Grant

    • A Refresh Token allows the application to issue a new Access Token or ID Token without having to re-authenticate the user. This will work as long as the Refresh Token has not been revoked.
    • Token Request

      • The response to the token request should contain an access token and a refresh token.
      •             {
                      "access_token": "etMv23....429hiU32Hri",
                      "refresh_token": "GEbRxBN...edjnXbL",
                      "token_type": "Bearer"
                    }
                    
      • Use a refresh token:
      • To exchange the Refresh Token you received for a new Access Token, make a POST request to the token endpoint, using grant_type=refresh_token as follows.
      •               POST http://<wp_base_url>/wp-json/moserver/token
                      Content-Type: application/x-www-form-urlencoded
                      grant_type=refresh_token&
                      client_id=<client_id>&
                      client_secret=<client_secret>&
                      refresh_token=<refresh_token>
                    
      • Here is the description of each request parameter.
        • grant_type=refresh_token: This tells the server we’re using the refresh token grant type.
        • client_id: The public identifier of the application that the developer obtained during registration.
        • client_secret: The client secret provided by the OAuth provider.
        • refresh_token: The refresh token to use.
      • The response will include a new Access Token, its type, its lifetime (in seconds), and the granted scopes. If the scope of the initial token included openid, then a new ID Token will be in the response as well.
      • The response contains the following parameters:
      •             {
                      "access_token": "eyJ...MoQ",
                      "expires_in": 86400,
                      "scope": <scope>,
                      "id_token": "eyJ...0NE",
                      "token_type": "Bearer"
                    }
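
The token requests and responses described above, for both the Authorization Code section and this Refresh Token section, as an added example that is not part of the original documentation: one function form-encodes the request body so that secrets containing reserved characters survive intact, and one validates the JSON response before the token is used. The TokenError class, the function names and the 30-second expiry margin are assumptions.

```python
import json
import time
from urllib.parse import urlencode

REQUIRED = {"authorization_code": ("code", "redirect_uri"),
            "refresh_token": ("refresh_token",)}


class TokenError(Exception):
    """The token endpoint rejected the request or sent an unusable response."""


def token_request_body(grant_type, client_id, client_secret, **params):
    """Form-encode a token request; urlencode escapes '&', '=' and '+' in values."""
    if grant_type not in REQUIRED:
        raise ValueError("grant type not covered by this example")
    missing = [k for k in REQUIRED[grant_type] if not params.get(k)]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    fields = {"grant_type": grant_type, "client_id": client_id,
              "client_secret": client_secret}
    fields.update({k: params[k] for k in REQUIRED[grant_type]})
    return urlencode(fields).encode("ascii")


def parse_token_response(status, body, now=None):
    """Validate a token endpoint response and return a normalized dict."""
    try:
        data = json.loads(body)
    except ValueError:
        raise TokenError("token endpoint returned a non-JSON body") from None
    if not isinstance(data, dict):
        raise TokenError("token response is not a JSON object")
    if status != 200 or "error" in data:
        # Report only the server's error fields; the request holds the secret.
        raise TokenError(f"{data.get('error', status)}: "
                         f"{data.get('error_description', '')}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError("unexpected token_type")
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise TokenError("missing access_token")
    now = time.time() if now is None else now
    expires_in = data.get("expires_in")  # absent in the page's refresh sample
    return {
        "access_token": token,
        "refresh_token": data.get("refresh_token"),
        "scope": str(data.get("scope", "")).split(),
        # 30 s margin (an assumption) so a token is not sent right at expiry
        "expires_at": None if expires_in is None else now + int(expires_in) - 30,
    }
```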
                    

    Revoke a Refresh Token

    • Since Refresh Tokens never expire, it is essential to be able to revoke them in case they get compromised.
    • To revoke a refresh token, you can send a POST request to the token endpoint as follows.
    •             POST http://<wp_base_url>/wp-json/moserver/token
                  Content-Type: application/x-www-form-urlencoded
                  client_id=<client_id>&
                  client_secret=<client_secret>&
                  refresh_token=<refresh_token>
                
