Get Access Tokens

You need to request an access token before you can use the Harbor APIs.
Each API requires its own scope:
- The scope service_provider is required to communicate with the service provider API: https://api.harborlockers.com/docs. The resulting token is meant only for your backend application.
- The scope tower_access lets the SDK communicate with the SDK API: https://api.harborlockers.com/sdk/docs. You need to send this token to your mobile application.
The URL for requesting access tokens is https://accounts.harborlockers.com/realms/harbor/protocol/openid-connect/token for production or https://accounts.sandbox.harborlockers.com/realms/harbor/protocol/openid-connect/token for sandbox.
You can use two authentication flows to request an access token for our APIs.
First, the recommended approach for backend-to-backend communication:

Client credentials flow

For this we’ll select the client_credentials grant type. Let’s get an access token for our backend application, with the scope service_provider:

$ curl -X 'POST' \
'https://accounts.harborlockers.com/realms/harbor/protocol/openid-connect/token' \
-H 'accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&scope=service_provider&client_id=your_client_id&client_secret=your_client_secret'

The response looks something like this:

{
    "access_token": "eyJhbGcMj...",
    "refresh_token": null,
    "refresh_expires_in": 0,
    "expires_in": 300,
    "token_type": "Bearer"
}

Now we can use the Harbor API! Let’s hit the test-token endpoint:

$ curl -X 'POST' \
'https://api.harborlockers.com/api/v1/login/test-token' \
-H 'accept: application/json' \
-H 'Authorization: Bearer eyJhbGcMj...' \
-d ''

Perfect! Now you are able to use all endpoints of the Harbor API.

To get a mobile SDK token, the flow is the same, but request the scope tower_access instead of service_provider:

$ curl -X 'POST' \
'https://accounts.harborlockers.com/realms/harbor/protocol/openid-connect/token' \
-H 'accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&scope=tower_access&client_id=your_client_id&client_secret=your_client_secret'

Great, you can now send this token to your mobile application!
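One way a backend could wrap the client credentials flow above, as an added example that is not Harbor's own code: it caches one token per scope and requests a new one shortly before the 300-second expires_in elapses, since this flow returns no refresh token. TokenCache, http_post_form and the 30-second skew are assumptions made for the illustration.

```python
import json
import time
import urllib.parse
import urllib.request

# Token endpoints as listed on this page.
TOKEN_URLS = {
    "production": "https://accounts.harborlockers.com/realms/harbor/protocol/openid-connect/token",
    "sandbox": "https://accounts.sandbox.harborlockers.com/realms/harbor/protocol/openid-connect/token",
}


def http_post_form(url, fields):
    """POST form-encoded fields and return the decoded JSON response."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(fields).encode(),  # escapes & and = in secrets
        headers={"accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: one cached client_credentials token per scope."""

    def __init__(self, client_id, client_secret, env="sandbox",
                 post=http_post_form, clock=time.monotonic, skew=30):
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._url = TOKEN_URLS[env]
        self._post, self._clock, self._skew = post, clock, skew
        self._cache = {}  # scope -> (access_token, refresh_deadline)

    def get(self, scope):
        """Return a valid token for scope, requesting a new one when due."""
        cached = self._cache.get(scope)
        if cached and self._clock() < cached[1]:
            return cached[0]
        resp = self._post(self._url, {"grant_type": "client_credentials",
                                      "scope": scope, **self._creds})
        if not resp.get("access_token") or resp.get("token_type") != "Bearer":
            # Do not echo the response: it may contain token material.
            raise ValueError("unexpected token response for scope " + scope)
        deadline = self._clock() + resp["expires_in"] - self._skew
        self._cache[scope] = (resp["access_token"], deadline)
        return resp["access_token"]
```

Only the value returned by get("tower_access") goes to the mobile application; the service_provider token and the client secret stay on the backend.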

Resource Owner Password Flow

Alternatively, you can use the password grant type and include the user credentials too.

$ curl -X 'POST' \
'https://accounts.harborlockers.com/realms/harbor/protocol/openid-connect/token' \
-H 'accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=password&scope=service_provider&client_id=your_client_id&client_secret=your_client_secret&username=your_email@mail.com&password=your_password'

The response looks something like this:

{
    "access_token": "eyJhbGciO...",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGci...",
    "token_type": "Bearer",
    "not-before-policy": 0,
    "session_state": "302d9a...",
    "scope": "email service_provider"
}

Now we can use the Harbor API! Let’s hit the test-token endpoint:

$ curl -X 'POST' \
'https://api.harborlockers.com/api/v1/login/test-token' \
-H 'accept: application/json' \
-H 'Authorization: Bearer eyJhbGciO...' \
-d ''

To refresh the token, use the refresh_token grant type:

$ curl -X 'POST' \
'https://accounts.harborlockers.com/realms/harbor/protocol/openid-connect/token' \
-H 'accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token&client_id=your_client_id&client_secret=your_client_secret&refresh_token=eyJhbGci...'

You will then have a new access token and a new refresh token.

To get a mobile SDK token, request the scope tower_access instead of service_provider, using the client_credentials grant type.

$ curl -X 'POST' \
'https://accounts.harborlockers.com/realms/harbor/protocol/openid-connect/token' \
-H 'accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&scope=tower_access&client_id=your_client_id&client_secret=your_client_secret'