OAuth 2 Authorization

To use OAuth 2 authorization for a REST request, you need to:

  • Open the Authorization tab
  • Add authorization
  • Create an OAuth 2 profile
  • Get an access token
  • Optional: set advanced options for the authorization.

Open Authorization

The Authorization tab allows you to define authorization options for the request.

Add Authorization

For OAuth2 Authorization, profiles can be created and applied to multiple requests.

Note: Profiles are currently only available for OAuth2 authorization.

Authorization Types

HTTP, SOAP, REST requests:

  • Basic Authorization
  • NTLM Authorization
  • SPNEGO-Kerberos Authorization

REST requests:

  • OAuth2 Authorization

The authorization type is added through the Authorization menu.

Adding authorization methods

To define an authorization method, select Add New Authorization. If there are previously defined authorization methods, they can be selected in the menu.
To delete a method, click Delete Current.

Add Authorization

The Add Authorization dialog is where you create a new authorization method for the request.

Note: Only methods that have not yet been created for the request are available in the menu. As they are created, they are removed from this menu and made available in the Authorization tab.

Authorization Types

The following authorization types are available:

  • Basic Authorization
  • NTLM Authorization
  • SPNEGO-Kerberos Authorization
  • OAuth2 Authorization

Add Profile

Add Authorization Profile

When you add OAuth 2 as an authorization method to your request, it is added as a profile that can be reused in other requests.

Note: Profiles are currently only available for OAuth 2 authorization.

Adding the profile creates a placeholder for the settings that will apply to all requests using that profile.

After creating the profile, you can add the token and configure other settings as needed on the Authorization tab.

Type

The type is the authentication method to use for the profile (currently only OAuth 2).

Profile name

The profile name can be anything you like, but it is generally a good idea to give it a meaningful name.

Add OAuth 2 Authorization

OAuth 2 authentication for REST requests

After adding an OAuth 2 profile to the request, you can enter an access token, get a new token from the server, add settings for the profile, or define how it is to handle access and refresh tokens.

Access Token

The access token box allows you to directly enter an access token as a text string.

Get Token

To request a new access token, or to define settings, click Get Token. This will take you to the Access Token Retrieval window.

Advanced

The advanced button takes you to Advanced Options for the access and refresh token.

Get OAuth 2 Token

The Access Token Retrieval window lets you enter settings for access token retrieval. The settings are similar for Authorization Code Grant and Implicit Grant, but there are some differences relating to how the grants work.

Access Token Retrieval - Authorization Code Grant

OAuth 2 access token retrieval is almost the same for

Authorization Code Grant

Option                  Description
OAuth 2 Flow            Sets the OAuth 2 method to use.
Client Identification   The identification string for the client.
Client Secret           The secret string for the client.
Authorization URI       URI to use for the authorization server.
Access Token URI        URI to use for the access token.
Redirect URI            The redirect URI to use for returning the access token.
Scope                   The full scope string for restriction of access areas.
Get Access Token        Click this button to start the access token process.
Automation              Opens the Automated Token Profile Editor.

Access Token Retrieval - Implicit Grant

OAuth 2 access token retrieval is almost the same for

Implicit Grant

Option                  Description
OAuth 2 Flow            Sets the OAuth 2 method to use.
Client Identification   The identification string for the client.
Authorization URI       URI to use for the authorization server.
Access Token URI        URI to use for the access token.
Redirect URI            The redirect URI to use for returning the access token.
Scope                   The full scope string for restriction of access areas.
Get Access Token        Click this button to start the access token process.
Automation              Opens the Automated Token Profile Editor.
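
How the fields in the two tables above map onto the OAuth 2 requests defined in RFC 6749, as an added example (not SoapUI's own code). The profile values are constructed placeholders, and the `state` parameter is an assumption taken from the RFC, not a field listed on this page.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample profile; every value is a placeholder, not taken from the page.
PROFILE = {
    "client_id": "demo-client",
    "client_secret": "demo-secret",
    "authorization_uri": "https://auth.example.com/authorize",
    "access_token_uri": "https://auth.example.com/token",
    "redirect_uri": "https://client.example.com/callback",
    "scope": "read write",
}

def authorization_url(profile, flow, state):
    """URL the user agent is sent to; flow is 'code' or 'implicit'."""
    params = {
        "response_type": "code" if flow == "code" else "token",
        "client_id": profile["client_id"],
        "redirect_uri": profile["redirect_uri"],
        "scope": profile["scope"],
        "state": state,  # anti-CSRF value from RFC 6749 (assumption, not a page field)
    }
    return profile["authorization_uri"] + "?" + urlencode(params)

def token_request(profile, code):
    """Back-channel POST (URI, form body); the only place the client secret is sent."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": profile["redirect_uri"],
        "client_id": profile["client_id"],
        "client_secret": profile["client_secret"],
    }
    return profile["access_token_uri"], urlencode(body)

def read_redirect(flow, redirected_url, expected_state):
    """Code Grant returns a code in the query; Implicit returns the token in the fragment."""
    parts = urlsplit(redirected_url)
    data = parse_qs(parts.query if flow == "code" else parts.fragment)
    if data.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    key = "code" if flow == "code" else "access_token"
    if key not in data:
        raise ValueError("redirect carries no " + key)
    return data[key][0]

if __name__ == "__main__":
    print(authorization_url(PROFILE, "code", "st-1"))
    print(authorization_url(PROFILE, "implicit", "st-1"))
    print(token_request(PROFILE, "constructed-code"))
```

The Implicit Grant table has no Client Secret row because that flow has no back-channel exchange: the access token comes back directly in the redirect fragment.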

Add advanced options

OAuth 2 Advanced Options

The advanced options settings for OAuth2 are used to define how the access token should be handled.

There are two available settings: how to send the access token, and how to handle refresh of the access token.

Send Access Token as:

This setting is used when you have

Header: The access token is sent as a request header. Example:

Authorization: Bearer rRR0GnTudjuUUGaSt0n

Query: The access token is sent as a query parameter. Example:

https://www.example.com/a/v1/y/{userId}?access_token=1/rRR0GnTudjuUUGaSt0n

Refresh Access Token:

By default, SoapUI handles refresh tokens automatically and transparently. If for some reason you need tokens to time out, you can set refresh to manual.

Automatic: The refresh token is used automatically.

Manual: The token has to be manually applied.

When Refresh Access Token is set to manual, a refresh button is made available next to the token.

To refresh the token, click the refresh button.

Access Token Expiration Time

The request can be set to use the access token expiration time provided by the server.

Server: The expiration time provided by the authorization server is used.

Custom: The token expires after the set number of seconds, minutes or hours.

Note: By convention, the value "0" indicates that the token will never expire. There is no setting for immediate expiration of the token.
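
A small model of the advanced options described above, as an added example (not SoapUI's own code): the two ways of sending the token and the Server and Custom expiration settings, including the "0 means never expires" convention. With the Query setting the token becomes part of the URL, so it is recorded wherever URLs are logged; `redact_token` is a hypothetical helper that masks it before logging. Function names, parameters and sample values are assumptions constructed for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

def attach_token(url, headers, token, send_as="header"):
    """Return (url, headers) with the token placed as a header or a query parameter."""
    headers = dict(headers)
    if send_as == "header":
        headers["Authorization"] = "Bearer " + token
        return url, headers
    if send_as != "query":
        raise ValueError("send_as must be 'header' or 'query'")
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("access_token", token)]
    return urlunsplit(parts._replace(query=urlencode(query))), headers

def redact_token(url):
    """Mask access_token before a URL is written to a log or a test report."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def is_expired(issued_at, server_expires_in, mode="server", custom_seconds=0, now=None):
    """Expiry check for the Server and Custom settings (times in seconds)."""
    now = time.time() if now is None else now
    if mode == "custom":
        if custom_seconds == 0:  # convention from the note above: 0 = never expires
            return False
        return now >= issued_at + custom_seconds
    return now >= issued_at + server_expires_in

if __name__ == "__main__":
    # Constructed sample request and token.
    url, _ = attach_token("https://www.example.com/a/v1/y/42?x=1", {}, "tok", "query")
    print(url)
    print(redact_token(url))
    print(is_expired(issued_at=0, server_expires_in=3600, now=3600))
```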