There's a new version of the Comply One API. We strongly recommend that you start migrating your API Clients, as this version will not be supported in the near future. Please review the new version and read the Migration Guides.

When requesting an access token using the Resource Owner Password Credentials OAuth 2.0 authentication flow, you will need to make an HTTP POST request to Stems Accounts' token endpoint. This authentication flow lacks features such as Single Sign-On and Single Logout. It is also one of the most vulnerable authentication flows because it requires the API Client to know a user's password. For this reason, we discourage the use of this authentication flow.
The request to the token endpoint MUST meet the following requirements:

| Requirement | Value |
|---|---|
| Schema | HTTPS |
| URL | https://accounts.stems.com.au/auth/connect/token |
| HTTP Method | POST |
| Accept (request header) | application/json |
| Content-Type | application/x-www-form-urlencoded |
The request MUST also include the following url-encoded form data:

| Key/Field | Description |
|---|---|
| grant_type | Required. The value must be set to password |
| username | Required. Your user's email address |
| password | Required. Your user's password |
| client_id | Required. The ID of your API Client. Refer to the Authentication Section to create an API Client |
| client_secret | Required. The pre-configured secret of your API Client |
| scope | Required. One or more scopes (separated by a space) that have already been pre-configured for the API Client. Note: if you need to request a Refresh Token, you should include the offline_access scope |
A typical request to the token endpoint using the Resource Owner Password Credentials flow would look like the example below:

```http
POST /auth/connect/token HTTP/1.1
Host: accounts.stems.com.au
Accept: application/json
Content-Type: application/x-www-form-urlencoded

grant_type=password
&username=john.smith%40contoso.com
&client_id=your_client_id
&client_secret=your_client_secret
&scope=email+resources_stems_api
&password=P4ssw0rd
```
A successful response to the above request will look like the following JSON output:

```json
{
  "access_token": "ad8e51c5a981bb821cfd77cc52154ad0",
  "expires_in": 1800,
  "token_type": "Bearer",
  "refresh_token": "a497b7a990bbff512fe90efd395d09fa"
}
```
The above response returns an Access Token that you will need to authenticate all requests to the Comply One API. It also returns an expires_in field, which is the number of seconds until the access token expires.

If your API Client was set up with the offline_access scope and you included that scope in the token request, the above response will also contain a refresh_token property. Because the access token lifetime is very short (usually 30 minutes), you can use the Refresh Token to renew the access token without needing to use your user name and password again. The next section, Refreshing a token, explains how you can refresh an Access Token.
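The following Python client is an added example, not code from Stems or the Comply One API documentation. It builds the url-encoded token request described above (adding offline_access when a refresh token is wanted), parses the JSON response, and converts the relative expires_in value into an absolute expiry so the caller can refresh shortly before the 30-minute lifetime runs out. The sample response is constructed from the page's example output; the helper names are this example's own.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://accounts.stems.com.au/auth/connect/token"  # endpoint from the page

def build_token_request(username, password, client_id, client_secret, scopes, want_refresh=False):
    """Build headers and url-encoded body for the ROPC token request; scopes are space-separated."""
    scope = list(scopes)
    if want_refresh and "offline_access" not in scope:  # a refresh token requires this scope
        scope.append("offline_access")
    form = {"grant_type": "password", "username": username, "password": password,
            "client_id": client_id, "client_secret": client_secret, "scope": " ".join(scope)}
    headers = {"Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form).encode()  # urlencode escapes '@' as %40 and spaces as '+'

@dataclass
class Token:
    access_token: str
    expires_at: float             # absolute time; expires_in in the response is relative seconds
    refresh_token: Optional[str]  # only present when offline_access was configured and requested

def parse_token_response(raw: bytes, now: float) -> Token:
    """Validate the JSON token response and convert expires_in to an absolute expiry time."""
    data = json.loads(raw)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return Token(data["access_token"], now + int(data["expires_in"]), data.get("refresh_token"))

def needs_refresh(token: Token, now: float, skew: float = 60.0) -> bool:
    """True when the access token expires within `skew` seconds; renew early rather than fail."""
    return now + skew >= token.expires_at

def request_token(username, password, client_id, client_secret, scopes, want_refresh=False):
    """Perform the live POST to the token endpoint (hypothetical helper, not exercised offline)."""
    headers, body = build_token_request(username, password, client_id, client_secret, scopes, want_refresh)
    req = Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read(), time.time())

# Constructed sample response, copied from the page's example output.
SAMPLE_RESPONSE = (b'{"access_token": "ad8e51c5a981bb821cfd77cc52154ad0", "expires_in": 1800, '
                   b'"token_type": "Bearer", "refresh_token": "a497b7a990bbff512fe90efd395d09fa"}')
```

The password is only held in the request body and never stored in the returned Token, so the refresh token, not the user's credentials, is what the client keeps between calls.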