Aidbox
Search…
Aidbox documentation
Overview
Features
Licensing and Support
Aidbox UI
Versioning
Release Notes
FAQ
Getting Started
Run Aidbox in Aidbox Sandbox
Run Aidbox locally with Docker
Run Aidbox as a SaaS
Aidbox configuration
Configure Aidbox and Multibox
Aidbox project
API constructor (beta)
Setup SMTP provider
Zen Configuration
API
FHIR API
REST API
Bulk API
Batch Upsert
Batch/Transaction
Cache
ETAG support
Reactive API
Sequence API
Encryption API
Compartments API
GraphQL API
RPC API
Profiling and validation
Profiling and validation overview
Profiling with zen-lang
Asynchronous resource validation
Profiling with AidboxProfile
Terminology
Aidbox terminology module overview
Import external (not-present) terminologies
Concept
CodeSystem
ValueSet
Handling hierarchies using ancestors
$translate on ConceptMap
Terminology Tutorials
FHIR Implementation Guides
🎓
HL7 FHIR Da Vinci PDex Plan Net IG
§170.315(g)(10) Standardized API for patient and population services
Tutorials
App development guides
Testing with Stresty
Working with Aidbox from .NET
Administration
Receive logs from your app
$matcho
$to-format
Storage
Overview
Database schema
Archiving
AWS S3
GCP Cloud Storage
Azure Blob Storage
Security & Access Control
Overview
Authentication Flows
Basic Auth
Client Credentials Grant
Resource Owner Grant
Authorization Code Grant
Implicit Grant
Validating Foreign Access Tokens
External Oauth 2.0 Providers
Two Factor Authentication
SMART on FHIR
Configuration options
Discovery API
Access Control
Multitenancy
Core Modules
Entities & Attributes
$json-schema
Monitoring
Logging & Audit
Modules
HL7 v2 Integration
FHIR Resources
Custom Resources
Aidbox Search
First-Class Extensions
Multibox
Multibox box manager API
Multibox monitoring
Plan API
Plan API Overview
Patient Access API
Integrations
Analytics
Audit
Authentication
Tools
Mappings
Aidbox SDK
Contact us
Reference
Configuration
Powered By GitBook
Resource Owner Grant

Description

The Password grant type is used by first-party clients to exchange a user's credentials for an access token. Since this involves the client asking the user for their password, it should not be used by third party clients. In this flow, the user's username and password are exchanged directly for an access token. The application acts on behalf of the user. Refer to OAuth 2.0 spec for more details.
Basic scheme

Configure Client

The first step is to configure Client for Resource Owner Grant with secret and password grant type:
client
PUT /Client/myapp
Accept: text/yaml
Content-Type: text/yaml
​
secret: verysecret
grant_types:
- password
Client will act on behalf of the user, which means Access Policies should be configured for User, not for Client.
You can configure Client for JWT tokens, set token expiration and enable refresh token:
attribute
options
desc
auth.password.token_format
jwt
use access token in jwt format
auth.password.access_token_expiration
int (seconds)
token expiration time from issued at
auth.password.refresh_token
true/false
enable refresh_token
auth.password.secret_required
true/false
require client secret for token

Get Access Token

Next step is to collect username & password and exchange username, password, client id and secret (if required) for Access Token.
Using Basic & form-url-encoded:
using-basic
POST /auth/token
Authorization: Basic base64(client.id, client.secret)
Content-Type: application/x-www-form-urlencoded
​
grant_type=password&username=user&password=password
Or by JSON request:
json-request
POST /auth/token
Content-Type: application/json
​
{ "grant_type": "password",
"client_id": "myapp",
"client_secret": "verysecret",
"username": "user",
"password": "password"
}
If provided credentials are correct, you will get a response with the access token, user information and refresh token (if enabled):
token-response
status: 200
​
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODEiLCJzdWIiOiJ1c2VyIiwiaWF0IjoxNTU0NDczOTk3LCJqdGkiOiI0ZWUwZDY2MS0wZjEyLTRlZmItOTBiOS1jY2RmMzhlMDhkM2QiLCJhdWQiOiJodHRwOi8vcmVzb3VyY2Uuc2VydmVyLmNvbSIsImV4cCI6MTU1NDQ3NzU5N30.lCdwkqzFWOe4IcXPC1dIB8v7aoZdJ0fBoIKlzCRFBgv4YndSJxGoJOvIPq2rGMQl7KG8uxGU0jkUVlKxOtD8YA",
"refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODEiLCJzdWIiOiJwYXNzd29yZC1jbGllbnQiLCJqdGkiOiI0ZWUwZDY2MS0wZjEyLTRlZmItOTBiOS1jY2RmMzhlMDhkM2QiLCJ0eXAiOiJyZWZyZXNoIn0.XWHYpw0DysrqQqMNhqTPSdNamBM4ZDUAgh_VupSa7rkzdJ3uZXqesoAo_5y1naJZ31S92-DjPKtPEAyD_8PloA"
"userinfo": {
"email": "[email protected]",
"id": "user",
"resourceType": "User",
},
}

Use Access Token

You can use the access token in Authorization header for Aidbox API calls:
authorized-request
GET /Patient
Authorization: Bearer ZjQyNGFhY2EtNTY2MS00NjVjLWEzYmEtMjIwYjFkNDI5Yjhi
curl -H 'Authorization: Bearer ZjQyNGFhY2EtNTY2MS00NjVjLWEzYmEtMjIwYjFkNDI5Yjhi' /Patient

Revoke Access Token (Close Session)

Aidbox creates a Session resource for each Access Token, which can be closed with a special endpoint DELETE /Session with the token in the Authorization header:
close-session
DELETE /Session
Authorization: Bearer ZjQyNGFhY2EtNTY2MS00NjVjLWEzYmEtMjIwYjFkNDI5Yjhi
Session is just a Resource and you can inspect and manipulate sessions by a standard Search & CRUD API. For example, to get all sessions: GET /Session

Auth Sandbox Demo

​
​
Previous
Client Credentials Grant
Next
Authorization Code Grant
Last modified 14d ago
Copy link
Edit on GitHub
Outline
Configure Client
Get Access Token
Use Access Token
Revoke Access Token (Close Session)
Auth Sandbox Demo