Configure OAuth 2.0 authentication

To configure OAuth 2.0 authentication, follow the steps below:

  1. Select a grant type from the Grant Type drop-down menu. The grant type specifies how the application receives the access token.

  2. Depending on the selected grant type, enter the following specifications:

    • Authorization Endpoint: Enter the authorization server URI.

    • Token Endpoint: Enter the token server URI.

    • Redirect URI: Enter the redirect URI.

    • Client ID: Enter the client identifier, i.e. the public identifier assigned to the application when it was registered with the authorization server.

    • Client Secret: Enter the client secret, i.e. the password to authenticate the identity of the application.

    • Scope: Optionally, indicate which scope of permissions the application requests. Enter one or more space-separated strings, e.g. openid.

    • Username: Enter your user name.

    • Password: Enter your password.

  3. Click Request Token to request the access token.

    • If you selected grant type Authorization Code, a browser window opens in which you have to authorize access to your account.

    • For all other grant types, your access token is issued immediately.

If you use Microsoft Azure AD Connect as your authentication service, API Scan stores returned cookies in the Cookies window. This allows the system to use the cookies for authorization in the next call.

Request a new access token if token has expired

In general, access tokens are valid only for a limited period of time and then expire. After that, a new access token must be requested, which might affect your API TestCases. The API Engine automatically requests a new valid access token to continue your API TestCases in the following cases:

  • If an access token expires and there is a refresh token, the API Engine uses the refresh token to request a new access token.

  • If the access token expires and there is no refresh token, the API Engine requests a new access token if you use the grant type Password or Client Credentials.

In case there is no refresh token and you use the grant type Authorization Code or Implicit, you have to request a new token manually (see step 3) to continue your TestCase.
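The renewal rules above, written out as an added example (this is not API Scan's own code): the function decides, from the selected grant type and whether a refresh token is available, whether the engine can renew automatically, and if so builds the form parameters that would be POSTed to the Token Endpoint. Grant type names follow RFC 6749; all values in the demo are constructed.

```python
# Added example, not part of API Scan. Models the automatic renewal behaviour:
# a stored refresh token is always used; without one, only the Password and
# Client Credentials grants can be re-run unattended; Authorization Code and
# Implicit need the user to click Request Token again.
from typing import Optional


def renewal_request(grant_type: str, client_id: str, client_secret: str,
                    refresh_token: Optional[str] = None,
                    username: Optional[str] = None,
                    password: Optional[str] = None,
                    scope: Optional[str] = None) -> Optional[dict]:
    """Return the Token Endpoint parameters for an automatic renewal,
    or None when a manual Request Token (step 3) is required."""
    params = {"client_id": client_id, "client_secret": client_secret}
    if scope:
        params["scope"] = scope  # space-separated list, e.g. "openid"
    if refresh_token:
        # Any grant type: exchange the refresh token for a new access token.
        params.update(grant_type="refresh_token", refresh_token=refresh_token)
        return params
    if grant_type == "password":
        if not (username and password):
            raise ValueError("password grant needs Username and Password")
        params.update(grant_type="password", username=username,
                      password=password)
        return params
    if grant_type == "client_credentials":
        params["grant_type"] = "client_credentials"
        return params
    if grant_type in ("authorization_code", "implicit"):
        # No refresh token: the browser consent step cannot be replayed.
        return None
    raise ValueError(f"unknown grant type: {grant_type}")


if __name__ == "__main__":
    # Constructed demo values.
    print(renewal_request("client_credentials", "demo-client", "demo-secret",
                          scope="openid"))
    print(renewal_request("authorization_code", "demo-client", "demo-secret"))
```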