Integrate 2-Legged OAuth In Your Application

The previous guides described the general aspects of the 2-legged-OAuth flows.  How do you integrate this type of authentication in the Covisint Platform?  The purpose of this guide is to show you how to do that.  We've provided convenient Postman collections of the sequence of calls you would make. 


Postman Collection:

You can find more information about the APIs here.  The necessary information about the API routes, request bodies, headers, and so on is provided in the Postman collection.  Please cross-reference the Postman collection with this guide.

This collection is a series of sequential steps necessary to implement the various flows for 3-legged OAuth.  In the Postman collection, {{baseurl}} is the production URL for the region in which an instance is created.  In this case, you’ll be using

Note:  Your tokens have a time and usage expiration.  You may have to request new tokens more than once in this tutorial.


Resource Owner Grant Flow


 1        POST: Retrieve Access Token And Refresh Token

The developer will need to obtain the resource owner's username and password via the user agent.  You can then include those credentials in the request for an access token.  The grant_type for this call is password.  If the credentials are valid, the client will get an access token and a refresh token.

The client is now able to make requests with the access token.


Client Credential Flow


 1        POST: Retrieve Access Token

The client can submit its credentials directly in a request to Covisint.  In the request, the grant_type must be client_credentials.  Covisint validates the client_id and client_secret.  If the credentials are valid, Covisint will issue an access token to the client.  However, there is no refresh token.

With this access token, the client can make API requests to receive protected data.
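The following sketch is an added example, not code from Covisint or its Postman collection. It builds the token request for both flows above and decides how to renew a token once it expires, which differs between the flows because only the Resource Owner flow returns a refresh token. It assumes the standard RFC 6749 form parameters, HTTP Basic client authentication, and an `expires_in` field in the response; `TOKEN_URL`, `build_token_request` and `TokenState` are hypothetical names, and the real route and headers come from the Postman collection.

```python
import base64
import time
from urllib.parse import urlencode

# Placeholder endpoint, not a Covisint route: take the real one from the Postman collection.
TOKEN_URL = "https://baseurl.example.invalid/oauth/token"

REQUIRED = {  # parameters each grant_type needs besides the client credentials
    "password": ("username", "password"),
    "client_credentials": (),
    "refresh_token": ("refresh_token",),
}

def build_token_request(grant_type, client_id, client_secret, **params):
    """Return (url, headers, body) for a token request; nothing is sent."""
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type: {grant_type!r}")
    missing = [p for p in REQUIRED[grant_type] if not params.get(p)]
    if missing:
        raise ValueError(f"{grant_type} grant is missing: {', '.join(missing)}")
    # Assumption: the client authenticates with HTTP Basic (RFC 6749 section 2.3.1).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # Credentials travel in the POST body, never in the URL query string.
    body = urlencode({"grant_type": grant_type, **params})
    return TOKEN_URL, headers, body

class TokenState:
    """Tracks one token response and says how to renew it once it has expired."""

    def __init__(self, response, original_grant, now=None, skew=30):
        now = time.time() if now is None else now
        self.access_token = response["access_token"]
        self.refresh_token = response.get("refresh_token")  # absent for client_credentials
        self.original_grant = original_grant
        # Renew `skew` seconds early so no request goes out with a token about to lapse.
        self.expires_at = now + int(response["expires_in"]) - skew

    def next_grant(self, now=None):
        """None while the token is usable, else the grant_type to request next."""
        now = time.time() if now is None else now
        if now < self.expires_at:
            return None
        return "refresh_token" if self.refresh_token else self.original_grant
```

Preferring the refresh token for renewal means the resource owner's password does not need to be kept by the client after the first request.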