Resource Owner Password Credentials Grant
This grant requires a username and password for a company system user, obtained from Min Bedrift, which provides the data access authorization. This grant type is used where the API client (company) has an established trust relationship with the API owner (Telenor Norway). The username and password, together with the client ID and client secret, are used to obtain an access token.
The token can be reused for all subsequent requests to the API, until it expires. The expiry time is set in the response and can change.
The flow for this grant type is very simple and does not involve a browser.
1. Your application posts a username and password to the /oauth/token endpoint, using the client ID and client secret as basic authentication credentials.
2. The OAuth service replies with the access token and the expiry time.
3. Your application can now use the token until it expires. It must be set in the Authorization header as Bearer {access_token}.
The table below lists the different credentials, including which to use and which not to use. Take some time to get familiar with the different parameters.
Name | What it's used for | Where to find it | Example values |
---|---|---|---|
client_id | client_id is an OAuth parameter that identifies your client. Think of it as an application id. | Under your apps in your dashboard | xhdrs6uleK1xyZBO vX37PJ5wALcv1O9 |
client_secret | This is the secret for the client_id, which is an OAuth parameter that identifies your client. Think of it as an application password. | Under your apps in your dashboard | Glz2FV5XYOvAhFCE |
username | In this OAuth flow, to get an access token you have to provide a username and password. This can be a bit confusing, but this username is a machine user that accesses company data. It is not related to the user you use to log in to the developer portal or Min Bedrift. It is a non-personal user that your company's Administrator has to provide to you. | Can be found in Min Bedrift under APIs if you have admin rights | api7813371375 |
password | The password for the username to provide data access authorization | The password can be generated and sent to a mobile from Min Bedrift if you have admin rights. If not you must ask your administrator to send it to your number. | hquTvfc00l 8F33adAmCd |
Other | |||
Connectid username and password | These credentials are not involved in using the APIs at all. These are used by a developer to get access to the developer portal. This is a personal user that you can use for other Telenor services, like Min Sky. | If you need to register a new user, or if you've forgotten your password, you log in as a developer. If you need access to a specific company's apps, the administrator of that company must send you an invite to your connectid | username: xxx@example.com (or mobile number) Password: yourOwnChoice123 |
Min Bedrift Username and password | This user is not involved in the actual usage of the APIs. This is your single sign on user to the Min Bedrift Portal if your company has a Min Bedrift Agreement. You may have different roles within the company. If you are an API administrator, this is the user you should log in with to add developers. | If you need to register a new user, or if you've forgotten your password, you log in as a developer. If you need access to a specific company, a super administrator of that company must add you. | username: myemailusername Password: AbcDefG123 |
In short:
NB: The refresh_token and token_type are optional return values and can be ignored for this API.
API Reference
oauth
Implementation notes
Invalidate the access token.
The client makes a request to invalidate the access token. This is an optional operation.
Example invocation: curl -v -X GET https://api.telenor.no/oauth/v2/logout --header "Authorization: Bearer OD....=="
Example response (200 OK): OK!
Parameters
Name | Description | Parameter type | Data type |
---|---|---|---|
Authorization* | Authorization, Example: "Authorization: Bearer Xjh6f....MkjJH65" | header | string |
Error responses
- 401
  - Error code 2 - Invalid access token
  - Error code 6 - Missing or bad Authorization header
- 500
  - Error code 2 - Internal Server Error
Implementation notes
This token must be used to authorize all further API requests to the server, and is valid for a period of time.
- Resource Owner Password Credentials Grant
This is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type, and only allow it when other flows are not viable. The grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token. The resource owner's credentials will be supplied by Telenor for the appropriate clients.
Example invocation: curl -v -X POST https://api.telenor.no/oauth/v2/token -u client_id:client_secret --data "grant_type=password" --data "username=API1000XYZ" --data "password=secret"
Example response (200 OK): {"access_token" : "4P....uY", "expires_in" : 3599} (expires_in is the time in seconds)
NOTE: The Authorization header is created from your client_id (Consumer Key) as the basic authentication username and the client_secret (Consumer secret) as the basic authentication password. Basic authentication requires you to Base64 encode the combination username:password (note the colon separating the username and password), and the header has the form "Authorization: Basic OZXhhbXBsZWNsaWVudGlkOmV4YW1wbGVzZWNyZXQ=". When using curl you can use '-u username:password' so that curl does the Base64 encoding and adds this header for you.
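The three-step flow at the top of this page and the Basic authentication note above, as an added Python example (not Telenor's code). The endpoint and parameter names are taken from the curl example on this page; `TokenCache`, its 60-second renewal margin and the injectable transport and clock are assumptions of this example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Token endpoint as written in the curl example on this page.
TOKEN_URL = "https://api.telenor.no/oauth/v2/token"

def build_token_request(client_id, client_secret, username, password):
    """Step 1: build (without sending) the password-grant request."""
    # Basic auth = base64("client_id:client_secret"); this is what curl -u does.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "password", "username": username, "password": password}
    return urllib.request.Request(
        TOKEN_URL,
        data=urllib.parse.urlencode(form).encode(),  # credentials in the body, never the URL
        headers={"Authorization": f"Basic {basic}"},
        method="POST",
    )

def send(request):
    """Default transport: POST over HTTPS and decode the JSON reply."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)

class TokenCache:
    """Steps 2 and 3: keep one token and renew it shortly before expiry."""

    def __init__(self, make_request, transport=send, skew=60, clock=time.monotonic):
        self._make_request = make_request
        self._transport = transport
        self._skew = skew  # renew this many seconds early (assumed margin)
        self._clock = clock
        self._token = None
        self._renew_at = 0.0

    def bearer_header(self):
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            reply = self._transport(self._make_request())
            self._token = reply["access_token"]
            # This page shows expires_in both as 3599 and as "3600": accept either.
            self._renew_at = now + int(reply["expires_in"]) - self._skew
        return {"Authorization": f"Bearer {self._token}"}
```

`urlencode` percent-encodes characters such as `&` or `+` in a generated password, which curl's plain `--data` sends unencoded. Keep the four credentials out of source control and logs; only the header returned by `bearer_header()` needs to reach the API calls.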
Parameters
Name | Description | Parameter type | Data type |
---|---|---|---|
Authorization* | Authorization, Basic authorization using the Consumer Key (client_id) as 'username' and Consumer secret (client_secret) as password. Base64 encode username:password. "Authorization: Basic QW....==" Example: Authorization: Basic Q2xpZW50SWQ6U2VjcmV0 | header | string |
grant_type* | Grant type of token request. Possible values: authorization_code, password, client_credentials | formData | string |
scope | The scope of the access request. | formData | string |
username* | Resource owner's username. | formData | string |
password* | Resource owner's password. | formData | string |
Response class (Status 200)
- access_token (string): The token representing an authorization issued to the client and the logged in user
- expires_in (integer): The lifetime in SECONDS of the AccessToken. E.g. a value of 3600 indicates that the access_token will expire in 1 hour from the time it was issued.
- token_type (string): If returned, it will explicitly state the type of token issued. It will be ‘Bearer’ by default.
- refresh_token (string): If returned, the refresh token can be used to obtain new access tokens using the authorization grant ‘refresh_token’. The refresh token itself will also be refreshed.
{ "access_token": "Iu25QXBwbGbljYXRpzQHRIuYlbGVub329XXQ3tOnMY3BRo0QyVFJUiN", "expires_in": "3600", "token_type": "Bearer", "refresh_token": "9XXQ3tOnMY3BRo0QyVFJUiNIu25QXBwbGbRIuYlbGVub32ljYXRpzQH" }
Error responses
- 400
  - Error code 2 - Missing or invalid grant_type
- 401
  - Error code 1 - Invalid client id
  - Error code 20 - Invalid resource owner credentials
  - Error code 21 - Unsufficient permissions to use requested grant_type
  - Error code 22 - Basic Authentication failed, bad username or password.
  - Error code 23 - User credentials does not match granted client credentials
  - Error code 4 - Invalid authorization code
  - Error code 5 - Not authorized to create access token
  - Error code 6 - Missing or bad Authorization header
  - Error code 7 - Invalid refresh_token
  - Error code 9 - Invalid Client data
- 403
  - Error code 12 - Invalid RedirectURI
  - Error code 15 - Illegal Response Type
  - Error code 8 - Illegal or non authorized scope
- 500
  - Error code 16 - Invalid App Attributes.Please contact Telenor Admin
  - Error code 2 - Internal Server Error