# How-to Guide - OAuth 2.0 Resource owner password credentials authentication

The OAuth 2.0 resource owner password credentials flow is traditionally a way for server to server authentication. This allows you to build a connector that can authenticate as the Workato server which communicates to your target API server. This flow allows the exchanging he username and password of a user for an access token and optionally, a refresh token.

# Sample Connector - Microsoft Azure AD

{
  title: 'My Azure connector',

  connection: {
    fields: [
      {
        name: 'tenant_id',
        optional: false,
      }
      {
        name: 'client_id',
        optional: false,
      },
      {
        name: 'client_secret',
        control_type: 'password',
        optional: false,
      },
      {
        name: 'username',
        optional: false,
      },
      {
        name: 'password',
        control_type: 'password',
        optional: false,
      }
    ],

    authorization: {
      type: 'custom_auth', #Set to custom_auth

      acquire: lambda do |connection|
        token_url = "https://login.microsoftonline.com/#{connection['tenant_id']}/oauth2/v2.0/token"
        response = post(token_url). 
                    payload(client_id: "#{connection['client_id']}",
                      client_secret: "#{connection['client_secret']}",
                      username: "#{connection['username']}",
                      password: "#{connection['password']}",
                      grant_type: "password").
                    request_format_www_form_urlencoded
          

        {
          access_token: response["access_token"],
        }
      end,

      refresh_on: 401,

      apply: lambda do |connection|
        headers("Authorization": "Bearer #{connection['access_token']}")
      end
    }

  },

  test: lambda do |connection|
    get( #Some accessible endpoint )
  end,

  #More connector code here
}

# Step 1 - Defining Connection fields

This component tells Workato what fields to show to a user trying to establish a connection. In the case of resource owner password credentials, you would need the Client ID and Client Secret that the user has generated in Azure. You will also need to provide the Username and Password of the user account that you will be using to authorize the connection.

Information needed Description
Client ID This is the public ID of the OAuth app that should be tied to Workato. This might mean signing Workato up as a verified application in the application
Client secret This is the matching private key that the API will verify along with the Client ID. This might mean signing Workato up as a verified application in the application. Never share your client secret with others
Username This is the username of the user account that is giving permission to authenticate the client.
Password This is the password of the user account that is giving permission to authenticate the client.

This is done in the fields key, which accepts an array of hashes. Each hash in this array corresponds to a separate input field.

    fields: [
      {
        name: 'tenant_id',
        optional: false,
      }
      {
        name: 'client_id',
        optional: false,
      },
      {
        name: 'client_secret',
        control_type: 'password',
        optional: false,
      },
      {
        name: 'username',
        optional: false,
      },
      {
        name: 'password',
        control_type: 'password',
        optional: false,
      }
    ],

Configured Azure connection fields

TIP

When defining fields, you need to at least provide the name key. Additional attributes like optional, hint and control_type allow you to customize other aspects of these fields. For sensitive information like Client Secrets, remember to use the control_type as password.

To know more about how to define input fields in Workato, click here.

# Step 2 - Defining the authorization type

This component tells Workato what type of authentication type this connection should use. This is handled through your type key in the authorization object. For Client Credentials authentication, you should use custom_auth.

      type: 'custom_auth'

# Step 3 - Acquiring the access token

In the acquire key, we pass in the client_id, client_secret, username, and password provided by users of connector as payload. Note that the payload of the request must be sent with request_format_www_form_urlencoded. We also identify password as the grant type and we pass this in as payload in the POST request. This request is then sent to Microsoft's Token URL.

    acquire: lambda do |connection|
      response = post("https://login.microsoftonline.com/#{connection['tenant_id']}/oauth2/v2.0/token"). # Token URL
                    payload(client_id: "#{connection['client_id']}",
                      client_secret: "#{connection['client_secret']}",
                      username: "#{connection['username']}",
                      password: "#{connection['password']}",
                      grant_type: "password").
                    request_format_www_form_urlencoded

      {
        access_token: response["access_token"],
      }
    end,

Upon receiving a the request, the API returns a JSON response.

{
  "access_token": "my-authentication-token",
  "token_type": "bearer",
  "expires_in": "seconds-until-expiration",
  "error": "optional-error-message"
}

The expected output of the acquire lambda function is a hash which is merged into the original connection hash. For example:

# Original Connection hash
{
  client_id: "abcd1234",
  client_secret: "secretClientSecret"
}

# After acquire block is executed
{
  client_id: "abcd1234",
  client_secret: "secretClientSecret",
  access_token: "my-authentication-token"
}

# Step 4 - Applying the access token to subsequent HTTP requests

Next, you need to tell Workato how to make use of the access token it has retrieved from Microsoft. This is done in the apply key where you can reference the access token now stored in the connection argument. Any instructions you introduce in the apply block are subsequently applied to all HTTP requests this connector sends after connection is established.

    apply: lambda do |connection|
      headers("Authorization": "Bearer #{connection['access_token']}")
    end

In this example, we have defined the access token (connection['access_token']) to be added to the headers of any request. For every HTTP request sent, the headers will contain Authorization: Bearer XXX where XXX is the access token stored in the connection hash.

# Step 5 - Setting the API's base URI

This component tells Workato what the base URL of the API is. This key is optional but allows you to provide only relative paths in the rest of your connector when defining HTTP requests. Learn how to configure your base_uri here.

TIP

This lambda function also has access to the connection argument. This is especially useful if the base URI of the API might change based on the user's instance. The connection argument can be accessed in the following format:

    base_uri: lambda do |connection|
      #some code here
    end

# Step 6 - Testing the connection

Now that we have defined the fields we need to collect from an end user and what to do with the inputs from those fields, we now need a way to test this connection. This is handled in the test key.

    test: lambda do
      get(# Some accessible code)
    end,

In this key, you need to provide an endpoint that allows us to send a sample request using the new credentials we just received. If we receive a 200 OK HTTP response, we show the connection as Successful.

# Connections SDK reference

To be more familiar with the available keys within the connection key and their parameters, check out our SDK reference.


Last updated: 4/5/2023, 11:28:53 AM