Implementing REST OAuth Token v3
Sebastian Bessonart | July 2021
Access token and OAuth protocol
An access token is a small credential string that represents a login session. Information about the user, privileges, group, and validity period is embedded in that one token, which the server issues to the user's application or website.
OAuth is the REST open standard framework that allows an application or service to obtain limited access to a protected HTTP resource.
What Is OAuth Token Create REST API
The OAuth Token Create API is Sabre's method for generating an ATK access token (a sessionless token) that allows customers to access the REST API portfolio. Once a token is generated, Sabre keeps the session open for 7 days (604800 seconds).
We recently released OAuth Token v3, which introduces the Client ID parameters (client_id and client_secret) in addition to the user credentials (EPR/PCC and password).
What is Client ID
Client ID is a new parameter used to track customer API traffic per application. Customers using multiple applications benefit from this feature because it makes it easy to distinguish the traffic generated by each of them.
Once implemented, Client ID propagates to all additional APIs and does not need to be integrated again.
Adopting the Client ID into your application enables Sabre to gather better insights for faster troubleshooting and support through:
- Ability to trace traffic to Sabre by customer and application
- Ability to trace types of Sabre APIs being called
- Ability to communicate quicker and more accurately to customers
You can find additional information about Client ID and its benefits here.
If you are not familiar with some of the concepts mentioned in this article, such as EPR or IPCC, you can find detailed information here.
How to obtain a Client ID and Client Secret:
This is a very simple process: Webservices subscribers can request a Client ID/Client Secret pair through their accounting teams.
How to setup OAuth V3 method:
As per the OAuth specification, the recommendation is to pass the client credentials in the header and the user credentials in the body. For this example, we imported the YAML file into the Postman client application to generate the OAuth Token Create REST API method and filled in the parameters based on that recommendation. The steps are the following:
A – Import the API as a new project
- copy the link from the Dev Studio OAuth Token Create REST API page
- click on “Import”
- click on the “link” tab
- paste the URL in the text box
- click on “Continue”
This will create a generic request as shown below:
B – Now we need to fill in the values based on our own credentials:
To define the client credentials in the header, add Content-Type and Authorization:
Content-Type: application/x-www-form-urlencoded
Authorization: Basic base64(client_id:client_secret)
Quick note: the above “authorization value” M0NER*****************ZBVEtN is the result of encoding client_id:client_secret as described below:
| Steps | Description | Format |
| --- | --- | --- |
| Step 1: Build your client credential pair | Build your "Authorization" header value following the standard basic authentication pattern. | clientId:clientSecret |
| Step 2: Base64-encode your clientId:clientSecret pair | Use a base64 encoding tool to encode the pair from step 1 in a single pass. | Y2xpZW50SWQ6Y2xpZW50U2VjcmV0 |
Keep in mind that in v2 this process is different: credentials are encoded in two steps (the user and password separately, and then the result re-encoded).
C – Defining the user credentials in the body:
grant_type: password
username: EPR-PCC-AA
password: EPR_password
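The same v3 request built in code rather than in Postman, as an added example that is not part of this article or of any Sabre SDK. It assumes only what the steps above state (single-pass Basic encoding of client_id:client_secret in the header, grant_type/username/password as a form body) plus the standard OAuth response fields access_token and expires_in; the token URL, the TokenCache class and all credential values are placeholders of my own.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def basic_auth_header(client_id, client_secret):
    """v3 scheme: a single Base64 pass over 'client_id:client_secret'."""
    pair = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def build_token_request(client_id, client_secret, username, password):
    """Return (headers, body) for OAuth Token Create v3: client credentials
    in the Authorization header, user credentials in the form body."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    # urlencode escapes '&', '=', '+' etc. that an EPR password may contain
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    )
    return headers, body


def request_token(url, client_id, client_secret, username, password):
    """POST the request to the (assumed) token URL and return the parsed JSON."""
    headers, body = build_token_request(client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: reuse the sessionless token and fetch a new one
    shortly before expires_in (604800 s for Sabre) runs out, not on every call."""
    def __init__(self, fetch, margin_seconds=300):
        self._fetch, self._margin = fetch, margin_seconds
        self._token, self._expires_at = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._margin:
            resp = self._fetch()  # assumed standard fields: access_token, expires_in
            self._token = resp["access_token"]
            self._expires_at = now + float(resp["expires_in"])
        return self._token
```

`request_token` is the only part that needs network access; everything else can be checked offline, for instance by confirming that `basic_auth_header("clientId", "clientSecret")` yields the Base64 value from the table above.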
I hope you find the above information useful. If you have any questions or want to learn more about Client ID, please visit the Client ID guide.