Authentication.postman_collection.json
{
"info": {
"_postman_id": "32458701-af2b-4c55-82cc-550a1aa2b23c",
"name": "Authentication",
"description": "**Introduction**\n\nThis collection will demonstrate how to use the most common authentication calls within SAP Concur. All non-authentication APIs will need an \"accessToken\" which will be used as a Bearer Token within Postman.\n\nThis documentation will explain how to obtain an accessToken. The complete authorization documentation [can be found here](https://developer.concur.com/api-reference/authentication/getting-started.html).\n\n**Step 1 - Create the Web Application within SAP Concur (one time setup)**\n\n1. Log into SAP Concur with a User with Web Service Administration permission.\n2. Navigate to Administration->Company->Authentication Admin\n3. Choose OAuth 2.0 Application Management\n4. Click the blue button \"+ Create New App\"\n 1. Ensure the App Description is meaningful. SAP Concur knows if an app is being used, but will not know who is using it. This description should contain a purpose, a name, and an organization that can be used years down the road to understand why it exists.\n 2. Allow Grants are used for authentication. For this collection, you need to have **refresh_token** and **password.**\n 3. Allow Scopes define what authority the application needs. Each API requires a minimal set of scopes to work. It is best practice to grant only the minimum necessary scopes, in case of a security breach. You can always add/remove values later. For this collection to work, you don't need any scopes (but you must have at least one for the app to save). For a detailed list of scopes and corresponding APIs, go [here](https://developer.concur.com/api-reference/authentication/app-center-learn-more.html).\n5. Upon clicking Create, you will be presented with the Client ID and Client Secret. SAVE THESE. For the Postman collection, these go into the \"Current Value\" of the environment variables _**clientId**_ and _**clientSecret**_\n \n\n**Step 2 - Obtain a temporary Request Token (one time setup)**\n\nA request token is only good for 24 hours and is the first step towards a more permanent Token.\n\n1. Log into SAP Concur with a User with Web Service Administration permission.\n2. Navigate to Administration->Company->Authentication Admin\n3. Choose Company Request Token\n4. For App ID, put in the ClientID from step 1.5 and click the orange Submit button\n5. On the next screen, you will be presented with the Company UUID and the Company request token. SAVE THESE. For the Postman collection, these go into the \"Current Value\" of the environment variables _**companyUUID**_ and _**requestToken**_.\n \n\n**Step 3 - Convert the Request Token to a Refresh Token (one time setup)**\n\nA refresh token is good for 6 more months every time it is used. You only need to convert from a request token to a refresh token **once**.\n\n1. Review your environment variables. There is one for _**datacenterURI**_. It is currently set for the US2 datacenter. You can use the value at the top of the web browser when you are logged in to determine which data center your entity is on. The other common value is eu2.api.concursolutions.com although there might be others. You can review the most recent list [here](https://developer.concur.com/platform/base-uris.html). Note that various pages on the developer portal may reference this value using several names. Despite these differences in naming conventions, they are all referencing the same thing.\n 1. geolocation\n 2. baseURI\n 3. datacenterURI\n 4. InstanceURL\n 5. datacenter\n2. Assuming you put the values in the correct environment variables, and you saved the environment, you can just run the \"(One Time) Convert Request Token To Refresh Token\" request\n 1. This HTTP Request will update the _**refreshToken**_ of the environment variables for you based on the \"refresh_token\" return value.\n\n**Step 4 - Obtain an Access Token (before every call)**\n\nAn Access Token has a life expectancy of 60 minutes before it expires. It is best practice to obtain an access token before each set of calls, or to trap the error from the API call and get a new access token before continuing.\n\n1. Run the \"Obtain an Access Token\" request\n 1. This HTTP Request will update the _**accessToken**_ of the environment variables for you based on the \"access_token\" return value.\n\n**Terms**\n\nRequest Token - A token obtained from Concur that is valid for 24 hours. Since this token might have been issued by Concur employees, it needs to be converted to a client-specific Refresh Token.\n\nRefresh Token - A token obtained from Postman that is valid for 6 months. Because it is generated by the client, only the client will be able to use it.\n\nAccess Token - A token obtained from Postman using the Refresh Token that is valid for 60 minutes. Most API calls require an Access Token in order to function.",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
"_exporter_id": "16379329"
},
"item": [
{
"name": "(One Time) Convert Request Token To Refresh Token",
"event": [
{
"listen": "test",
"script": {
"exec": [
"pm.test(\"Initialize\", function () {\r",
"\r",
" pm.response.to.not.be.error;\r",
" pm.response.to.not.have.jsonBody(\"error\");\r",
"\r",
" var jsonData = pm.response.json();\r",
" var refreshToken = jsonData.refresh_token;\r",
" pm.expect(refreshToken.length).to.be.above(0);\r",
" \r",
" pm.environment.set(\"refreshToken\", refreshToken);\r",
"});"
],
"type": "text/javascript"
}
}
],
"request": {
"auth": {
"type": "noauth"
},
"method": "POST",
"header": [],
"body": {
"mode": "urlencoded",
"urlencoded": [
{
"key": "client_id",
"value": "{{clientId}}",
"description": "id (From APP-MGMT)",
"type": "text"
},
{
"key": "client_secret",
"value": "{{clientSecret}}",
"description": "secretAccessKey (From APP-MGMT)",
"type": "text"
},
{
"key": "password",
"value": "{{requestToken}}",
"description": "Request Token (From AUTH)",
"type": "text"
},
{
"key": "username",
"value": "{{companyUUID}}",
"description": "Company UUID (From AUTH)",
"type": "text"
},
{
"key": "grant_type",
"value": "password",
"type": "text"
},
{
"key": "credtype",
"value": "authtoken",
"type": "text"
}
]
},
"url": {
"raw": "https://{{dataCenterURI}}/oauth2/v0/token",
"protocol": "https",
"host": [
"{{dataCenterURI}}"
],
"path": [
"oauth2",
"v0",
"token"
]
},
"description": "The request \"(One Time) Convert Request Token To Refresh Token\" is used to convert the Concur-issued Request Token to a client-specific Refresh Token.\n\n**Terms:**\n\nRequest Token - A token obtained from Concur that is valid for 24 hours. Since this token might have been issued by Concur employees, it needs to be converted to a client-specific Refresh Token.\n\nRefresh Token - A token obtained from Postman that is valid for 6 months. Because it is generated by the client, only the client will be able to use it.\n\nAccess Token - A token obtained from Postman using the Refresh Token that is valid for 60 minutes. Most API calls require an Access Token in order to function."
},
"response": []
},
{
"name": "Obtain an Access Token",
"event": [
{
"listen": "test",
"script": {
"exec": [
"pm.test(\"Initialize\", function () {\r",
"\r",
" pm.response.to.not.be.error;\r",
" pm.response.to.not.have.jsonBody(\"error\");\r",
"\r",
" var jsonData = pm.response.json();\r",
" var accessToken = jsonData.access_token;\r",
" var refreshToken = jsonData.refresh_token;\r",
" pm.expect(accessToken.length).to.be.above(0);\r",
" \r",
" pm.environment.set(\"accessToken\", accessToken);\r",
" pm.environment.set(\"refreshToken\", refreshToken);\r",
"});"
],
"type": "text/javascript"
}
}
],
"request": {
"method": "POST",
"header": [
{
"key": "concur-correlationid",
"value": "unique searchable correlation id",
"disabled": true
}
],
"body": {
"mode": "urlencoded",
"urlencoded": [
{
"key": "grant_type",
"value": "refresh_token",
"type": "text"
},
{
"key": "client_secret",
"value": "{{clientSecret}}",
"type": "text"
},
{
"key": "client_id",
"value": "{{clientId}}",
"type": "text"
},
{
"key": "refresh_token",
"value": "{{refreshToken}}",
"type": "text"
}
]
},
"url": {
"raw": "https://{{dataCenterURI}}/oauth2/v0/token",
"protocol": "https",
"host": [
"{{dataCenterURI}}"
],
"path": [
"oauth2",
"v0",
"token"
]
},
"description": "**Postman Tests**\n\nThis collection will make a call to Concur to obtain an access token that can be used for further API calls. The TEST will update the _environment_ variable \"accessToken\" which should be used by other collections.\n\n**Header Key \"concur-correlationid\"**\n\nPlease note the Header Key \"**concur-correlationid**\" can be used when working with Concur to debug API calls. It should be unique so Concur can track down the call. For example: \"company name - timestamp\" or some sort of UUID.\n\nConcur has central logging so **all** API calls from **all** clients log in the same log...hence it should be unique to help Concur find the call and see what is wrong."
},
"response": []
}
]
}