Access Token

Request Token

Overview

Service to note: 3 Legged Authentication

OAuth 2.0 Native Flow is a Concur implementation of the 2-legged OAuth authorization flow and allows Clients to securely gain access to resources that are not normally exposed. When implementing the Native Flow, a partner application accesses the resources of a given user without user involvement. The partner application sends the user's Concur credentials to the Concur authorization server on behalf of the user. The resources are exposed via the access token.

Description

An access token is a long-lived token used to make authorized API calls.

Request

  • URI : https://{InstanceURL}/net2/oauth2/accesstoken.ashx
  • HTTP Method : GET

Make a GET request to the access token endpoint. The request must contain two headers:

  • An Authorization HTTP header carrying the Concur credentials (Login ID and password) of the user requesting access, in HTTP Basic Authentication format. The LoginID:Password string must be Base64-encoded and prefixed with the word Basic, as shown below. If no password is used, the user name must still end with a colon.
  • A header specifying the Consumer Key for the partner application.

Format:

GET https://{InstanceURL}/net2/oauth2/accesstoken.ashx

Authorization: Basic {Base64 String encoded LoginID:Password}

X-ConsumerKey: {Plain Text Consumer Key}

Example Request:

GET https://www.concursolutions.com/net2/oauth2/accesstoken.ashx

Authorization: Basic GHJHDIU38JKSHJ3SAD0A8FN7EF=

X-ConsumerKey: hj7683jslks93lalkjss93

Response

The response body will contain an XML payload containing the following elements:

  • Instance_URL: Identifies the Concur datacenter; developer should use this URL as a prefix in subsequent API calls.
  • Token: The access token value passed in the Authorization header when making API calls.
  • Expiration_Date: The date and time, in Coordinated Universal Time (UTC), when the access token expires.
  • Refresh_Token: Used to request a new access token; must be used before token expires.

Format:

<Access_Token>
<Instance_URL>STRING</Instance_URL>
<Token>STRING</Token>
<Expiration_Date>STRING</Expiration_Date>
<Refresh_Token>STRING</Refresh_Token>
</Access_Token>

Example Response:

<Access_Token>
<Instance_URL>https://www.concursolutions.com</Instance_URL>
<Token>fdjhk2382kwkajsklwe8i3932kslswl</Token>
<Expiration_Date>1/01/2015 2:00:00 PM</Expiration_Date>
<Refresh_Token>8ew$sefhj7s62ns94376nsjd62s</Refresh_Token>
</Access_Token>
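
The request and response formats above, worked through as an added example (not Concur's code). It builds the two headers, keeping the trailing colon when the password is empty, and parses the XML payload into a UTC expiry. The function names, the 30-day refresh margin and the month/day/year reading of Expiration_Date are assumptions; the sample payload is the page's own example response.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

TOKEN_PATH = "/net2/oauth2/accesstoken.ashx"  # endpoint path from the page
# Sample payload: the page's own example response.
SAMPLE_RESPONSE = """<Access_Token>
<Instance_URL>https://www.concursolutions.com</Instance_URL>
<Token>fdjhk2382kwkajsklwe8i3932kslswl</Token>
<Expiration_Date>1/01/2015 2:00:00 PM</Expiration_Date>
<Refresh_Token>8ew$sefhj7s62ns94376nsjd62s</Refresh_Token>
</Access_Token>"""


def build_token_request(instance_url, login_id, password, consumer_key):
    """Return (url, headers) for the access token GET; nothing is sent."""
    if not instance_url.lower().startswith("https://"):
        raise ValueError("Basic credentials must only travel over HTTPS")
    if ":" in login_id:
        raise ValueError("a colon in the Login ID breaks LoginID:Password")
    # The colon stays even when there is no password, as the page requires.
    raw = f"{login_id}:{password or ''}".encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(raw).decode("ascii"),
        "X-ConsumerKey": consumer_key,
    }
    return instance_url.rstrip("/") + TOKEN_PATH, headers


def parse_token_response(xml_text):
    """Parse an <Access_Token> payload; adds a timezone-aware 'expires_at'."""
    root = ET.fromstring(xml_text)
    if root.tag != "Access_Token":
        raise ValueError("unexpected root element: " + root.tag)
    fields = {child.tag: (child.text or "").strip() for child in root}
    for required in ("Instance_URL", "Token", "Expiration_Date"):
        if not fields.get(required):
            raise ValueError("missing element: " + required)
    # Assumption: month/day/year with a 12-hour clock, as in the page's example.
    stamp = datetime.strptime(fields["Expiration_Date"], "%m/%d/%Y %I:%M:%S %p")
    fields["expires_at"] = stamp.replace(tzinfo=timezone.utc)  # page says UTC
    return fields


def needs_refresh(fields, now, margin=timedelta(days=30)):
    """True once 'now' is inside the (assumed) refresh margin or past expiry."""
    return now >= fields["expires_at"] - margin
```

Base64 is an encoding, not encryption: the Authorization header is equivalent to the plaintext password, so it needs the same handling in logs and traces.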

Refresh Token

Overview

Concur allows for the reuse of an access token by refreshing the token before it expires. A refresh token is a special kind of token that can be used to obtain a renewed access token at any time. Refresh tokens must be stored securely by an application because they essentially allow a user to remain authenticated forever.

Description

A refresh token is a long-lived token used to reauthorize a valid access token for an additional year.

Request

  • URI : https://{InstanceURL}/net2/oauth2/getaccesstoken.ashx
  • HTTP Method : POST

Parameters:

The request will require the following query parameters:

  • Token: A valid access token to be used in the call.
  • Refresh_token: The refresh token of the token you wish to refresh.
  • Client_id: The Consumer Key that is associated to the token.
  • Client_secret: The Secret Key that is associated to the token.

Format:

POST https://{InstanceURL}/net2/oauth2/getaccesstoken.ashx?
refresh_token={RefreshToken}
&client_id={ConsumerKey}
&client_secret={ConsumerSecret}

Authorization: OAuth {Token}

Example Request:

POST https://www.concursolutions.com/net2/oauth2/getaccesstoken.ashx?
refresh_token=xknnh1o2rehXOcb2QBNTGReip6ZijUe
&client_id=nGVqYElrG7AmuUTMQAO8gl
&client_secret=3LyBUx4Z95dCSlKjd74ThfHeuQkFilTN

Authorization: OAuth GHJHDIU38JKSHJ3SAD0A8FN7EF=

Response

The response body will contain an XML payload containing the following elements:

  • Instance_URL: Identifies the Concur datacenter; developer should use this URL as a prefix in subsequent API calls.
  • Token: The access token value passed in the Authorization header when making API calls.
  • Expiration_Date: The date and time, in Coordinated Universal Time (UTC), when the access token expires.

Format:

<Access_Token>
<Instance_URL>STRING</Instance_URL>
<Token>STRING</Token>
<Expiration_Date>STRING</Expiration_Date>
</Access_Token>

Example Response:

<Access_Token>
<Instance_URL>https://www.concursolutions.com</Instance_URL>
<Token>fdjhk2382kwkajsklwe8i3932kslswl</Token>
<Expiration_Date>1/01/2015 2:00:00 PM</Expiration_Date>
</Access_Token>

Revoke Token

Overview

When users request their data from within the external application, they are authenticated using an access token. You can revoke these tokens using the revoke token web service. The service revokes either a single access token and its refresh token, or all related tokens for a given user. Because a refresh token never expires, it is important to provide a way to revoke a token permanently.

Description

Revoke an access token to eliminate the ability to use or refresh the token.

Revoke Single Token

Request

  • URI : https://{InstanceURL}/net2/oauth2/revoketoken.ashx
  • HTTP Method : POST

Parameters:

The request will require the following query parameters:

  • Token: The access token whose current and future access you wish to revoke.

Format:

POST https://{InstanceURL}/net2/oauth2/revoketoken.ashx?token={Token}

Authorization: OAuth {Token}

Example Request:

POST https://www.concursolutions.com/net2/oauth2/revoketoken.ashx?token=fdjhk2382kwkajsklwe8i3932kslswl=

Authorization: OAuth fdjhk2382kwkajsklwe8i3932kslswl=

Response

The response will be HTTP Code 200

Revoke All Tokens

Request

  • URI : https://{InstanceURL}/net2/oauth2/revoketoken.ashx
  • HTTP Method : POST

Parameters:

The request will require the following query parameters:

  • Token: A valid access token to be used in the call.
  • ConsumerKey: The access token of which you wish to revoke all current and future access.
  • User: The login Id of the token owner.

Format:

POST https://{InstanceURL}/net2/oauth2/revoketoken.ashx?consumerKey={Consumer Key}&user={User}

Authorization: OAuth {Token}

Example Request:

POST https://www.concursolutions.com/net2/oauth2/revoketoken.ashx?
consumerKey=fdjhk2382kwkajsklwe8i3932kslswl
&user=LoginId%40Example.com

Authorization: OAuth GHJHDIU38JKSHJ3SAD0A8FN7EF=

Response

The response will be HTTP Code 200
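
The refresh and revoke request formats above put the refresh token, client secret and access token in the query string, where they are commonly captured by proxy, server and client logs. The following added example (not Concur's code) builds the three POST requests with correct percent-encoding and renders them log-safe; the helper names and the `[REDACTED]` marker are assumptions, while the endpoint paths and parameter names come from the page.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters from the page that carry secrets.
SECRET_PARAMS = {"token", "refresh_token", "client_secret"}


def _request(instance_url, path, params, token):
    """Return (method, url, headers); nothing is sent."""
    if not instance_url.lower().startswith("https://"):
        raise ValueError("token endpoints must be called over HTTPS")
    # urlencode percent-encodes values such as '$' or '@' in tokens and logins.
    url = instance_url.rstrip("/") + path + "?" + urlencode(params)
    return "POST", url, {"Authorization": "OAuth " + token}


def refresh_request(instance_url, token, refresh_token, client_id, client_secret):
    return _request(instance_url, "/net2/oauth2/getaccesstoken.ashx",
                    {"refresh_token": refresh_token, "client_id": client_id,
                     "client_secret": client_secret}, token)


def revoke_single_request(instance_url, token):
    return _request(instance_url, "/net2/oauth2/revoketoken.ashx",
                    {"token": token}, token)


def revoke_all_request(instance_url, token, consumer_key, user):
    return _request(instance_url, "/net2/oauth2/revoketoken.ashx",
                    {"consumerKey": consumer_key, "user": user}, token)


def redact_for_log(method, url, headers):
    """Render a request on one line with secrets replaced by [REDACTED]."""
    parts = urlsplit(url)
    query = [(k, "[REDACTED]" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    safe_url = urlunsplit(parts._replace(query=urlencode(query, safe="[]")))
    # Keep the scheme word (OAuth/Basic) so the log still shows the auth type.
    safe_headers = {k: (v.split(" ", 1)[0] + " [REDACTED]"
                        if k.lower() == "authorization" else v)
                    for k, v in headers.items()}
    return f"{method} {safe_url} {safe_headers}"
```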


Last Update: 06/2016

