
Comments (3)

devishke-orange commented on June 6, 2024

Hi @Winniepoom

Sorry for the late response. The guide that you are following works for OrangeHRM 4.x and does not apply to 5.x versions.

We are in the process of updating our documentation for version 5.x. We are now using the Authorization Code Flow with PKCE extension.

In this flow, the main resource that you will need to make API calls is an access_token which can be obtained by following the steps below:

  1. Register a client with the OrangeHRM Open Source Application via Admin > Configuration > Register OAuth Client
  • You can click the add button and provide the details of your third party application.
  • You will need to provide the name and redirect URL of your application.
  • After clicking save you will receive a Client ID which you will need for the next step.
  2. Generate a code verifier and code challenge
  • In order to continue through the flow, you will need to generate a code verifier. The requirements are: a cryptographically random string using the characters A-Z, a-z, 0-9, and the punctuation characters -,.,_,~ (hyphen, period, underscore, and tilde), between 43 and 128 characters long.
  • Once you have generated that, the code challenge is the Base64-URL encoded string of the SHA256 hash of the code verifier, i.e. base64urlencode(sha256(code_verifier)).
  3. Make an authorization request by visiting oauth2/authorize with the correct query parameters
  • The full URL with all the correct parameters is:
    • /oauth2/authorize?response_type=code&state=your_state&code_challenge_method=S256&code_challenge=your_challenge&client_id=your_client_id&redirect_uri=your_redirect_uri
  • The six query parameters needed are response_type, state, code_challenge_method, code_challenge, client_id and redirect_uri. The values needed are listed below:
    • response_type=code (default)
    • code_challenge_method=S256 (recommended)
    • client_id=ID obtained in step 1
    • code_challenge=Code challenge generated in step 2 (not the code verifier!)
    • redirect_uri=Redirect URI provided in step 1
    • state=Randomly generated string which can be used for verification.
  • You should see the consent screen.
  • Click Allow Access and you will be redirected to your application (client) with an authorization code and the state (which should be the same value provided).
  4. Use that authorization code to obtain an access_token by making a request to /oauth2/token
  • Make a POST request to /oauth2/token with an x-www-form-urlencoded body.
  • The body should contain client_id, grant_type, code, redirect_uri, and code_verifier. The values needed are given below:
    • grant_type: authorization_code
    • code: Authorization code obtained in step 3
    • client_id: ID obtained in step 1
    • redirect_uri: Redirect URI provided in step 1
    • code_verifier: Code verifier generated in step 2 (not the code challenge!)
  • Below is an example of such a request using Postman.
  • Upon making a successful request you should receive an access_token which you can use to make external API calls. You will also obtain a refresh_token which is further described below.
  • Done! You can now make external API calls by providing the access token as a Bearer Token in your authorization headers.

from orangehrm.

devishke-orange commented on June 6, 2024

Refreshing the access token:

  • The access_token will expire after 30 minutes
  • You can make a request to /oauth2/token in order to refresh it
  • The body should contain client_id, grant_type, and refresh_token. The values needed are given below
    • grant_type: refresh_token
    • client_id: ID obtained in step 1
    • refresh_token: Token obtained in step 4
  • Below is an example using Postman.
  • Upon making a successful request, you will receive a similar response as step 5.
  • Now you can continue making API requests using the new access_token

from orangehrm.
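The two comments above describe one procedure: generate a PKCE verifier and challenge, send the user to /oauth2/authorize, exchange the returned code (plus the verifier) at /oauth2/token, and later refresh. The following is an added example client written for this page, not code from the comments or from the OrangeHRM project. The base URL, client ID and redirect URI are placeholders, and the HTTP transport is an injectable callable so the flow can be exercised offline; the endpoint paths and form fields are the ones the comments list.

```python
import base64
import hashlib
import hmac
import json
import secrets
import urllib.parse
import urllib.request

# RFC 7636 "unreserved" characters allowed in a code verifier.
VERIFIER_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def generate_code_verifier(length=64):
    """Step 2a: CSPRNG-chosen string of 43..128 chars from the unreserved set."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters long")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def code_challenge_s256(code_verifier):
    """Step 2b: base64url(sha256(verifier)) with the '=' padding removed.

    RFC 7636 Appendix B vector: dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    must give E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.
    """
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(base_url, client_id, redirect_uri, code_challenge, state):
    """Step 3: the six query parameters; the challenge goes here, never the verifier."""
    params = {
        "response_type": "code",
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    return base_url.rstrip("/") + "/oauth2/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Pull the code out of the redirect back to the client.

    The state must equal what we sent in step 3; a mismatch means the callback
    was not triggered by our own request (CSRF or a mixed-up session), so the
    code is discarded instead of being exchanged.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    received_state = query.get("state", [""])[0]
    if not hmac.compare_digest(received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: refusing to use this authorization code")
    if "error" in query:
        raise RuntimeError("authorization denied: " + query["error"][0])
    return query["code"][0]


def _default_transport(url, body):
    """Real HTTP POST with an x-www-form-urlencoded body (used if none is injected)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def _post_token_request(base_url, fields, transport):
    body = urllib.parse.urlencode(fields).encode("ascii")
    raw = (transport or _default_transport)(base_url.rstrip("/") + "/oauth2/token", body)
    tokens = json.loads(raw)
    if "access_token" not in tokens:
        raise RuntimeError("token endpoint returned no access_token: " + json.dumps(tokens))
    return tokens


def exchange_code(base_url, client_id, redirect_uri, code, code_verifier, transport=None):
    """Step 4: trade the code for tokens; the verifier (not the challenge) goes here."""
    return _post_token_request(base_url, {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }, transport)


def refresh_access_token(base_url, client_id, refresh_token, transport=None):
    """Refresh grant from the second comment: client_id, grant_type, refresh_token."""
    return _post_token_request(base_url, {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }, transport)


def bearer_header(tokens):
    """Authorization header for API calls made with the access token."""
    return {"Authorization": "Bearer " + tokens["access_token"]}


if __name__ == "__main__":
    # Placeholder deployment values, not a real OrangeHRM instance.
    base, client_id, redirect = "https://hr.example.com", "your_client_id", "https://app.example.com/cb"
    verifier, state = generate_code_verifier(), secrets.token_urlsafe(32)
    print("Open in a browser:", build_authorize_url(base, client_id, redirect, code_challenge_s256(verifier), state))
```

The verifier and state are kept client-side (in the user's session) between step 3 and step 4; only the challenge travels in the browser redirect, so an attacker who observes the authorization code cannot complete the exchange without the verifier, and a code delivered with the wrong state is rejected before it is ever sent to /oauth2/token.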

devishke-orange commented on June 6, 2024

That is the full OAuth2 with PKCE flow that we have implemented in version 5.x. I hope the steps were clear. I have also included some additional material you can follow in order to understand the flow better:

from orangehrm.
