Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Obtaining Token Using OAuth Grant Mechanism
The following section describes the steps for obtaining the access token and refresh token using the authorization code grant mechanism:
- Step 1: Authenticate a User and Create a User Session
- Step 2: [Optional] Generating Client Credentials
- Step 3: Generate Authorization Code
- Step 4: Exchange Auth Code for a Token
- Step 5: Refreshing a Token
- Step 6: Deleting a Token
-
In previous releases, system users could be added to a Central account with the same domain as the configured SSO Single Sign-On. SSO is an access-control property that allows the users to log in once to access multiple related, but independent applications or systems to which they have privileges. The process authenticates the user across all allowed resources during their session, eliminating additional login prompts. domain. Starting from this release, If you have a claimed domain name for SSO, you can no longer add system users with the same domain. For example, you cannot add a system users with @example.com, if the domain example.com is already claimed. Users of the system must be located outside of the domain.
-
If you have SSO enabled and want to access HPE Aruba Networking Central's REST Representational State Transfer. REST is a simple and stateless architecture that the web services use for providing interoperability between computer systems on the Internet. In a RESTful web service, requests made to the URI of a resource will elicit a response that may be in XML, HTML, JSON or some other defined format. API Application Programming Interface. Refers to a set of functions, procedures, protocols, and tools that enable users to build application software., use the offline approach to create your token on the Central API Gateway and then use the refresh token API to update it as part of your automated workflows. To know more about the offline approach, see Obtaining Token Using Offline Token Mechanism.
-
The rate limit to generate a new access token for a client ID is restricted to 1 access token per 30 minutes. This is applicable in Step 1 and Step 3.
-
It is recommended to refresh the access token when it is invalid or at least once within 15 days so that Central can honor refreshing the token and does not revoke it.
Step 1: Authenticate a User and Create a User Session
The following API authenticates a user and returns a user session value that can be used to create future requests for a client with the specified username and password. It is assumed that you already have a client ID for your application. For more information on how to create an application and obtain tokens, see Creating Application and Token.
Domain URL allow you to log in to the API gateway server and to establish the user session. This endpoint is accessible over SSL Secure Sockets Layer. SSL is a computer networking protocol for securing connections between network application clients and servers over the Internet., and HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. (non-SSL) connections are redirected to SSL port. The following table lists the region specific domain URLs Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. for accessing the API gateway.
If user authentication is successful, the request will return HTTP code 200 and the response header will include the following attributes.
Header Key example |
Values |
Description |
---|---|---|
https://app1--<FQDN of the HPE Aruba Networking Centralinstance>.com/oauth2/authorize/central/api/login?client_id=<client_id> |
csrftoken=xxxx; session=xxxx |
The server returns a CSRF token and identifies the user session, which must be used for all subsequent HTTP requests. |
Example
:https://app1- -<FQDN of the HPE Aruba Networking Centralinstance>.com/oauth2/authorize/central/api/login?client_id=<client_id> HTTP/1.1
:FQDN Fully Qualified Domain Name. FQDN is a complete domain name that identifies a computer or host on the Internet. of the HPE Aruba Networking Centralinstance>.com
: app1--<:
: application/json
: application/json
:
{
"username": "xxxxx",
"password": "xxxxx"
}
:
400: Bad Request
:
{
"extra": {},
"message": "<error string>"
}
401: Auth failure
:
{
"message": "Auth failure",
"status": false
}
429: API rate limit exceeded
:
{
"message": "API rate limit exceeded. Please retry after xxxx seconds"
}
:
200: OK
:
{
"status": true
}
:
Set-Cookie: csrftoken=xxxx;session=xxxx;
The
value received in the successful response message must be used as a parameter for all subsequent POST/PUT requests. The value must also be used for all subsequent requests to maintain the user session context.Step 2: [Optional] Generating Client Credentials
The following API can be used to generate client credentials for a specific tenant using your Managed Service Provider (MSP Managed Service Provider. The Managed Service Provider (MSP) mode is a multi-tenant operational mode that Aruba Central accounts can be converted into, provided these accounts have subscribed to the Aruba Central app.) Client ID.
The rate limit to generate client credentials for a client ID is restricted to 2 seconds.
URL example |
Description |
---|---|
https://app1--<FQDN of the HPE Aruba Networking Centralinstance>.com/oauth2/authorize/central/api/client_credentials?client_id=<msp_client_id> |
The variable is the client ID given from Central to that a Managed Service Provider that user registered the application. |
Example
: POST
https://app1--<FQDN of the HPE Aruba Networking Centralinstance>.com/oauth2/authorize/central/api/client_credentials?client_id=<msp_client_id>
—:
{
"customer_id": "<tenant_id>"
}
Set-Cookie: csrftoken=xxxx;session=xxxx;
:
{
"client_id": "<new-client-id>",
"client_secret": <new-client-secret>"
}
429: API rate limit exceeded
:
{
"message": "API rate limit exceeded. Please retry after xxxx seconds"
}
Step 3: Generate Authorization Code
After the user is authenticated and you have a valid session for that user, use this API to get authorization code. The authorization code is valid only for 5 minutes and must be exchanged for a token within that time.
URL example |
Description |
---|---|
https://app1 -<FQDN of the HPE Aruba Networking Centralinstance>.com/oauth2/authorize/central/api/?client_id=<client_id>&response_type=code&scope=all HTTP/1.1 |
The endpoint is a POST call to get an authorization code. |
Query parameters for this API are as follows:
Parameter |
Values |
Description |
---|---|---|
client_id |
is a unique hexadecimal string |
The is a unique identifier that identifies the caller. Application developers obtain a client ID and a client secret when they register with the API gateway admin. |
response_type |
|
Use as the response type to get the authorization code that can be exchanged for token |
scope |
or |
Requested API permissions may be either (for both read and write access) or for read-only access.
|
Example
: POST
https://app1 -<FQDN of the HPE Aruba Networking Centralinstance>.com/oauth2/authorize/central/api/?client_id=<client_id>&response_type=code&scope=all HTTP/1.1
:HPE Aruba Networking Centralinstance>.com
: app1--<FQDN of the:
: application/json Cookie: “session=xxxx” X-CSRF-Token: xxxx
: application/json
:
{
"customer_id": "xxxxx"
}
:
400: Bad Request
:
{
"extra": {},
"message": "<error string>"
}
401: Auth failure
:
{
"message": "Auth failure",
"status": false
}
429: API rate limit exceeded
:
{
"message": "API rate limit exceeded. Please retry after xxxx seconds"
}
:
200: OK
:
{
" auth_code ": “xxxx”
}
:
Set-Cookie: csrftoken=xxxx;session=xxxx;
Step 4: Exchange Auth Code for a Token
Once you have an authorization code, you just use that code to request an access from the server. The exchanges should be done within 300 seconds of obtaining the auth code from the previous step, or the API will return an error.
URL example |
Description |
---|---|
https:// app1 -<FQDN of the HPE Aruba Networking Centralinstance>.com/oauth2/token |
The endpoint is a POST call to get an access token using the authorization code obtained from the server. |
Query parameters for this API are as follows:
Parameter |
Values |
Description |
---|---|---|
client_id |
is a unique hexadecimal string |
The is a unique identifier that identifies the caller. Application developers obtain a client ID and a client secret when they register with the API gateway admin. |
client_secret |
is a unique hexadecimal string |
The is a unique identifier provided to each developer at the time of registration. Application developers can obtain a client ID and client secret when they register with the API gateway admin. |
grant_type |
|
Use to get the authorization code that can be exchanged for the token. |
code |
received from step 1 |
The authorization code received from the authorization server. |
string |
The redirect URI must be the same as the one given at the time of registration. This is an optional parameter. |
The response to this API query is a JSON JavaScript Object Notation. JSON is an open-standard, language-independent, lightweight data-interchange format used to transmit data objects consisting of attribute–value pairs. JSON uses a "self-describing" text format that is easy for humans to read and write, and that can be used as a data format by any programming language. dictionary with following values:
Parameter |
Values |
Description |
---|---|---|
token_type |
bearer |
Identifies the token type. Central supports only the bearer token type (See https://tools.ietf.org/html/rfc6750) |
refresh_token |
string |
Refresh tokens are credentials used to renew or refresh the access_token when it expires without repeating the complete authentication flow. A refresh token is a string representing the authorization granted to the client by the resource owner. |
expires_in |
seconds |
The lifetime, in seconds, of the access token. |
access_token |
string |
Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. |
Example
: POST
https: //apigw- -<FQDN of the HPE Aruba Networking Centralinstance>.com/oauth2/token
:: application/json
: Enter the parameter values to call the API
- client_id
- client_secret
- grant_type
- code
:
{
"refresh_token": "xxxx",
"token_type": "bearer",
"access_token": "xxxx",
"expires_in": 7200
}
Step 5: Refreshing a Token
You can update the access token without having to repeat the authentication process by using the refresh token obtained in the previous step. Below are some of the important points to note:
- A token created on Central API Gateway contains access and refresh tokens, and is available for 15 days.
- An access token is valid for 2 hours (7200 seconds).
- On refreshing the access token consecutively within 15 minutes, you obtain the same access token. To generate a new access token you must wait for 15 minutes before you refresh the access token.
- If the token is not used or refreshed for a period of 15 days, it is revoked from Central API Gateway.
- After a token is revoked, you have to add or generate a new token through the API Gateway.
- It is recommended to refresh the access token when it is invalid or at least once within 15 days so that Central can honor refreshing the token and does not revoke it.
URL example |
Description |
---|---|
https://app1- -<FQDN of the HPE Aruba Networking Centralinstance>.com/oauth2/token |
The endpoint is a POST call to refresh the access token using the refresh token obtained from the server |
Query parameters for this API are as follows:
Parameter |
Value |
Description |
---|---|---|
client_id |
is a unique hexadecimal string |
The is a unique identifier that identifies the caller. Application developers obtain a client ID and a client secret when they register with the API gateway admin. |
client_secret |
is a unique hexadecimal string |
The is a unique identifier provided to each developer at the time of registration. Application developers obtain a client ID and a client secret when they register with the API gateway admin. |
grant_type |
|
Specify as the grant type to request that an authorization code be exchanged for a token |
refresh_token |
string |
A string representing the authorization granted to the client by the resource owner. |
The response to this API query is a JSON dictionary with following values:
Parameter |
Value |
Description |
---|---|---|
token_type |
bearer |
Identifies the token type. Only the bearer token type is supported. For more information, see https://tools.ietf.org/html/rfc6750. |
refresh_token |
string |
Refresh tokens are credentials used to renew or refresh the access token when it expires without going through the complete authorization flow. A refresh token is a string representing the authorization granted to the client by the resource owner. |
expires_in |
seconds |
The expiration duration of the access tokens in seconds. |
access_token |
string |
Access tokens are credentials used to access the protected resources. An access token is a string representing an authorization issued to the client. |
Example
https://apigw- -<FQDN of the HPE Aruba Networking Centralinstance>.com/oauth2/token?client_id=<Central-API-app-clientid>&client_secret=xxxx&grant_type=refresh_token&refresh_token=xxxx
{
"refresh_token": "xxxx",
"token_type": "bearer",
"access_token": "xxxx",
"expires_in": 7200
}
Step 6: Deleting a Token
To delete the access token, access the following URL:
URL example |
Description |
---|---|
https://app1- -<FQDN of the Aruba Centralinstance>.com/oauth2/api/tokens |
This endpoint is accessible over SSL. The HTTP (non-SSL) connections are redirected to SSL port. Customer ID is a string. |
Example
: DELETE
https://app1- -<FQDN of the HPE Aruba Networking Centralinstance>.com/oauth2/api/tokens
{
"access_token": "<access_token_to_be_deleted>"
}
: application/json
: <CSRF_token_obatained_from_login_API>
: "session=<session_obatained_from_login_API>"