04 Tokens

Milos Sontak edited this page Mar 1, 2024 · 1 revision

Tokens

Authorization code

Token validity

  • The authorization code is valid for only 2 minutes
  • Tokens should always be requested by the same user (KB client) who performed the OAuth2 client registration. If the user is different, tokens will not be issued.

Request Authorization code

GET
https://login.kb.cz/autfe/ssologin?response_type=code&client_id=Nejlepsiprodukt-4176&redirect_uri=https://client.example.org/callback&scope=adaa%20card_data

Response Authorization code

302 Found
https://client.example.org/callback?code=-_N2RrJRCMgd__JGqUlB_KaFNpo&iss=https%3A%2F%2Fcaas.kb.cz%2Fopenam%2Foauth2&client_id=Nejlepsiprodukt-4176
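
A client-side check of the callback before the code is exchanged, as an added example (not code from this wiki or from KB). The function name extract_code is hypothetical, and comparing iss and client_id against expected values is an added precaution in the spirit of RFC 9207; the page itself only shows that the response carries these parameters.

```python
from urllib.parse import urlsplit, parse_qs

# Issuer value as it appears (URL-decoded) in the sample response on this page.
EXPECTED_ISSUER = "https://caas.kb.cz/openam/oauth2"


def extract_code(callback_url, redirect_uri, client_id, issuer=EXPECTED_ISSUER):
    """Return the authorization code, or raise ValueError if the callback is suspect."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    # The callback must arrive on exactly the registered redirect_uri.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")

    params = parse_qs(got.query, keep_blank_values=True)
    # Duplicated parameters are ambiguous, so each must appear exactly once.
    for name in ("code", "iss", "client_id"):
        if len(params.get(name, [])) != 1:
            raise ValueError(f"expected exactly one {name!r} parameter")

    if params["iss"][0] != issuer:
        raise ValueError("response came from an unexpected issuer")
    if params["client_id"][0] != client_id:
        raise ValueError("code was issued to a different client")
    if not params["code"][0]:
        raise ValueError("empty authorization code")
    # The code is valid for only 2 minutes, so exchange it immediately.
    return params["code"][0]
```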

Refresh token

Token validity

  • refresh_token validity 12 months

Request Refresh token

curl --location --request POST 'https://api-gateway.kb.cz/oauth2/v2/access_token' \
--header 'x-correlation-id: 9f1670dd-db08-4cbb-aa31-ac0454b42657' \
--header 'apiKey: 3a7f779a-8cc1-364f-be2b-9ea161f63817' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'redirect_uri=https://app.kifli.cz/callback' \
--data-urlencode 'code=6W6hsrmHBqN8J6nEW3iPfbB97X8' \
--data-urlencode 'client_id=Kifli-1635' \
--data-urlencode 'client_secret=Xe-_BCRf9mi7uyEzIQiLGA' \
--data-urlencode 'grant_type=authorization_code'

Response Refresh token

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJJTDdyR3BrMXNzNE9id0VIYmIrQ1RBbEozbzQ9IiwiYWxnIjoiUlMyNTYifQ.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.McYFKolLFP4P2mybvgdtp3j5nv0dkZD_dRNKlBGDSSuYSifCvuYmt-F6ry1tkG3KsXNOqn1Jnb5hS6qwQpMMZr0lZOgUrbbPXUE-H2LB0-9C0Cv10kFK93faZmi__a3GRcC3KYYcYVykNmcGWTz7VBpt_yVme2Z7Piy5X718WNqPn2wd9dLhyW644Jpv0UA61GH361m80iJIOXjJPa0hY-xyOQ9-9ir1i8LObCI--YiQtGUOIa2t2K8qD8K4LBQCxy3Y-QW7ByDFBCP1n2a1wM_Vs3dZ6u9FsW0t-amOQTXiGBk_86zlR0Tgmn8zoYzv5KsL2qlzLVzWrx89eIySBg",
  "refresh_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJJTDdyR3BrMXNzNE9id0VIYmIrQ1RBbEozbzQ9IiwiYWxnIjoiUlMyNTYifQ.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.ufH9vFCRGtJuctWdNDxcHaEbxbdAP_2vukeAzGNIofF-CATqp2gkBmwpOs0Fp75opYrslImoevGiUJ5DlbFiheyhL9N1rSTEPy2TmRgl8bd4_liJQVpp-yevH9eTyqsQkELkyCS-e0KGWeTcPfXe7PGQMwkneuiHGDLxNxyxVPg1qMXdApDdmLbIzoIxHDOIRA6eCR6uAwwOjgz3piJs8qLiBgykuTweE-zR1gSjQV-rPJknuf-GsntwwVCa3IwFA89tT9X_oh2bJQGhinFyHFvLclEWTCNU0ArFBkcZ6m9ez24r2WwflsBQFQw-lPfQ0DNuck33Op0c5VLbvQk8xw"
}

Access token

Token validity

  • access_token validity 3 minutes
  • access token is intended to be reused until the time of its expiration
  • excessive requests to obtain a new access token may result in a status response 429 Too Many Requests

Request Access token

curl --location --request POST 'https://api-gateway.kb.cz/oauth2/v2/access_token' \
--header 'x-correlation-id: 9f1670dd-db08-4cbb-aa31-ac0454b42657' \
--header 'apiKey: 3a7f779a-8cc1-364f-be2b-9ea161f63817' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'redirect_uri=https://app.kifli.cz/callback' \
--data-urlencode 'client_id=Kifli-1635' \
--data-urlencode 'client_secret=Xe-_BCRf9mi7uyEzIQiLGA' \
--data-urlencode 'refresh_token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3RjJTa1I3NWMxamZsZ1VIOWJ6Wno3Tzllemc9IiwiYWxnIjoiUlMyNTYifQ.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.0PbCum-UPt3E2Bq0xpvGB4LX29fLntiqeJP-lxpSSHt0fSEv_PmSkME19mpRaEod_grkWLtmnapphd2g2olQ_VeiRqYY_0v67De-D43E_tPm8Ei1dV_VBrqR0TJLtzLGRm8Gd7FtvSwNzc8Us3HyHlxU4yJfqCFTeln5xZzowgJ1kOLpUsG7BIClRyHvQwUAncPYF2Rx90_2IkW3Q18IIROSoA8CUajq18Yw8ulfFsMQ0xM_XB5aiUXnENUQYssSZTRL3xk5CTnm9F0I_p-u0Fa51l_Z-TU7CN5maKxJYETjFgMEa_dewSQ2x7AQoqC2LSrLggN0oHHlNyEJ_wP8rQ' \
--data-urlencode 'grant_type=refresh_token'

Response Access token

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJ3RjJTa1I3NWMxamZsZ1VIOWJ6Wno3Tzllemc9IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJBUElJRD01MmYwNDgyNjM3OTM0ZGZmOWY5MjE1MTBhMjlhMWYwYSIsImN0cyI6Ik9BVVRIMl9TVEFURUxFU1NfR1JBTlQiLCJhdXRoX2xldmVsIjo2LCJhdWRpdFRyYWNraW5nSWQiOiJmZjhkZTdlNy0xMGMxLTRiNzctYmY3Yy0xY2ZkMzYzMDI5MjItMzAyMzg4NzEiLCJpc3MiOiJodHRwczovL2NhYXMua2IuY3ovb3BlbmFtL29hdXRoMiIsInRva2VuTmFtZSI6ImFjY2Vzc190b2tlbiIsInRva2VuX3R5cGUiOiJCZWFyZXIiLCJhdXRoR3JhbnRJZCI6IjF1bzJ1ZHNjS0dLSWQwVjFFT2ZzRW1sUUtQcyIsImF1ZCI6IktpZmxpLTE2MzUiLCJuYmYiOjE2NTUzNzczNTUsImdyYW50X3R5cGUiOiJyZWZyZXNoX3Rva2VuIiwic2NvcGUiOlsiYWRhYSJdLCJhdXRoX3RpbWUiOjE2NTUzNzcyNzMsInJlYWxtIjoiLyIsImV4cCI6MTY1NTM3NzUzNSwiaWF0IjoxNjU1Mzc3MzU1LCJleHBpcmVzX2luIjoxODAsImp0aSI6IjVqN0d3U1ZWcXlzU0NoX1hoQmxMaUxTTV9MRSIsImNhYXNPcGVyYXRpb25JZCI6IjUyNzYyMTc3NmRiODQ0MTg5MGJjM2MzM2RkZjYzYmVlIn0.Dy_60fOTOclbNVR4gUybTV8XDdcyXxqZoQGoRZq5Ou0PDgJiDcYxKIUMvNQqtW06kEVgCCCvTzrwiVH8ArteCWGMBQnjANwgSm8LB8567tzKN4NxAar3TXSd55ZrDhbk1SbzJyaDnj9qMsIMf9a1u4H6JMeyAGA1MK6XehsJ70dZzN_R6YaB3hG5iMxUG_-z-_cTWs29rPAoFbRUGKuSzaXRyefmiS-pJXgshfoey4YF6swyI3K-MalkzgW1WzGxn7vRwjeQ5VyxNsDsygsjJ90qgcHNqvdglCyWAasMxxqE6CgfVv4J7Ym0fnu9HK0QyPNaUlQNwZ0QeXfSPBSFrg",
  "scope": "adaa",
  "token_type": "Bearer",
  "expires_in": 179
}
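
A small cache that follows the access token rules above, as an added example (not code from this wiki or from KB): it reuses one access_token until shortly before expires_in runs out and stops calling the token endpoint after a 429. The class names, the fetch callable (a hypothetical transport that adds client_id, client_secret, redirect_uri and the headers, and returns status, headers and parsed JSON), the 15-second margin and the Retry-After handling are all assumptions.

```python
import time


class RateLimited(Exception):
    """The token endpoint answered 429 and no usable token is cached."""


class AccessTokenCache:
    def __init__(self, fetch, refresh_token, skew=15, clock=time.monotonic):
        self._fetch = fetch              # hypothetical: form dict -> (status, headers, json)
        self._refresh_token = refresh_token
        self._skew = skew                # refresh this many seconds before expiry
        self._clock = clock
        self._token, self._expires_at, self._retry_at = None, 0.0, 0.0

    def get(self):
        now = self._clock()
        if self._token and now < self._expires_at - self._skew:
            return self._token           # reuse: no request to the token endpoint
        if now < self._retry_at:
            return self._fallback(now)   # still backing off after a 429
        status, headers, body = self._fetch(
            {"grant_type": "refresh_token", "refresh_token": self._refresh_token})
        if status == 429:
            # Retry-After is an assumption; the page only names the 429 status.
            self._retry_at = now + float(headers.get("Retry-After", 30))
            return self._fallback(now)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self._token = body["access_token"]
        self._expires_at = now + float(body["expires_in"])
        return self._token

    def _fallback(self, now):
        # While backing off, a token that has not actually expired is still usable.
        if self._token and now < self._expires_at:
            return self._token
        raise RateLimited(f"retry in {self._retry_at - now:.0f}s")
```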

How to prolong refresh_token?

  • after the refresh token expires, you can call authorization again to get a new refresh token for the next 12 months
  • it is not necessary to register a new application if it is the same KB client that registered the application