Resource Owner Password Flow
See RFC 6749 for a detailed description of the flow. This flow is intended for applications that must run unattended and cannot use any other authorization flow. Only client IDs that are enabled for this authorization flow can use it. Only user credentials that are stored directly in the ezeep Blue ID Server can be used with this flow (i.e. no third-party authentication is accepted).
Getting Access Token using Username and Password
Use this step only as a start/fallback procedure to initially retrieve a valid access and refresh token, or when a refresh token has been lost or has become invalid. Limitations or delays may be imposed on the use of this API call.
POST https://account.ezeep.com/oauth/access_token/
Supported attributes:
Attribute | Type | Required | Description |
---|---|---|---|
Authorization | HTTP Header | Yes | Basic {{base_64_encoded_client_id}} |
Content-Type | HTTP Header | Yes | application/x-www-form-urlencoded |
grant_type | string | Yes | password |
scope | string | No | printing (space separated scope list) |
username | string | Yes | the user name of credentials |
password | string | No | the password of credentials |
If successful, returns HTTP status code and the following response attributes:
Attribute | Type | Description |
---|---|---|
access_token | string | the access token that is required in Authorization header of API requests |
token_type | string | for ezeep Blue always “Bearer”, has to be passed in Authorization header |
expires_in | int | validity time in seconds of the access token |
scope | string | scope(s) of token |
refresh_token | string | refresh token, to be used for getting a new access token |
Example Request
curl -L -X POST "https://account.ezeep.com/oauth/access_token/" \
--header "Authorization: Basic bm9Y...hhcg==" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "grant_type=password" \
--data-urlencode "username=user@test.de" \
--data-urlencode "password=secretPw" \
--data-urlencode "scope=printing"
Example Response
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FjY291bnQu...u0oEBY34y2Im39-l6PtCEHXor3xEpnBKAOPh72QQ",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "printing",
"refresh_token": "F2UuSA...zrhg15MA"
}
The access_token will be valid for 3600 seconds (i.e. 1 hour). After that, you have to request a new access token using the refresh token that you received in the access token response.
Use Refresh Token
You can use the refresh_token to get a new access_token. Usually, a user will need a new access_token only after the previous one expires or when gaining access to a new resource (with extended/different scope) for the first time. It’s bad practice to call the endpoint to get a new access_token every time you call an API; rate limiting may be applied to this endpoint.
According to RFC7009, a client should revoke the refresh token when no longer needed. This allows the authorization server to clean up security credentials. A revocation request will invalidate the actual refresh token and, if applicable, other refresh tokens based on the same authorization grant. Check the Token Revocation Article or RFC7009 for a detailed description.
To refresh your token, make a POST request to the /oauth/token endpoint in the Authentication API, using grant_type=refresh_token
curl -X POST https://account.ezeep.com/oauth/access_token/
Supported attributes:
Attribute | Parameter Type | Required | Description |
---|---|---|---|
Authorization | HTTP Header | yes | Basic {{base_64_encoded_client_id}} |
Content-Type | HTTP Header | yes | application/x-www-form-urlencoded |
grant_type | string | yes | refresh_token |
scope | string | yes | printing (space separated scope list) |
refresh_token | string | yes | refresh_token obtained by last (token rotation) call to /oauth/access_token |
Example Request
curl -X POST "https://account.ezeep.com/oauth/access_token/" \
--header "Authorization: Basic NzhLWXplWDV3UzhyMEZZejlLZHZOdDl4SE1SQTYxUEpLODBJSHdOajo=" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data "grant_type=refresh_token" \
--data "scope=printing" \
--data "refresh_token=qX5HTLt4..."
Example Response
{
"access_token": "eyJ0eXAiOiJ...",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "printing",
"refresh_token": "vT5GTKk8..."
}
Replace the stored refresh token with the new one from the response and store it securely for future use.
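The caching and rotation behaviour described in this section, as an added example (not ezeep's own code): the access token is reused until shortly before it expires, and each rotated refresh token is written atomically to an owner-only file. `TokenCache`, `post_form`, the token file path and the 60-second expiry margin are assumptions made for illustration.

```python
import json, os, time, urllib.parse, urllib.request

TOKEN_URL = "https://account.ezeep.com/oauth/access_token/"

def post_form(fields, basic_auth):
    """Send a form-encoded POST to the token endpoint and return the JSON body."""
    req = urllib.request.Request(
        TOKEN_URL, data=urllib.parse.urlencode(fields).encode(),
        headers={"Authorization": "Basic " + basic_auth,
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Hypothetical helper: caches the access token, rotates the refresh token."""
    def __init__(self, basic_auth, path, post=post_form, clock=time.time, skew=60):
        self.basic_auth, self.path = basic_auth, path
        self.post, self.clock, self.skew = post, clock, skew
        self.state = None
        if os.path.exists(path):
            with open(path) as f:
                self.state = json.load(f)

    def _store(self, resp):
        # Persist the rotated refresh token before the new access token is returned.
        self.state = {"access_token": resp["access_token"],
                      "refresh_token": resp["refresh_token"],
                      "expires_at": self.clock() + resp["expires_in"]}
        tmp = self.path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(self.state, f)
        os.replace(tmp, self.path)  # atomic swap: never a half-written token file
        return self.state["access_token"]

    def login(self, username, password, scope="printing"):
        """Start/fallback step only: password grant."""
        return self._store(self.post({"grant_type": "password", "username": username,
                                      "password": password, "scope": scope}, self.basic_auth))

    def access_token(self, scope="printing"):
        """Return the cached token; refresh only when it is about to expire."""
        if self.state is None:
            raise RuntimeError("no stored tokens: call login() first")
        if self.clock() < self.state["expires_at"] - self.skew:
            return self.state["access_token"]
        return self._store(self.post({"grant_type": "refresh_token", "scope": scope,
                                      "refresh_token": self.state["refresh_token"]},
                                     self.basic_auth))
```

If the refresh call fails because the stored refresh token is no longer valid, call `login()` again, as the start/fallback step above describes.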
Switch Organizations
By default, the access_token logs in to the Private organization. Below is the process to switch organizations.
Using the existing access_token, fetch the list of organizations.
GET 'https://account.ezeep.com/v1/organizations/'
Supported attributes:
Attribute | Parameter Type | Required | Description |
---|---|---|---|
Authorization | HTTP Header | yes | Bearer existing_access_token |
Example Request
curl --location 'https://account.ezeep.com/v1/organizations/' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...'
Example Response
{
"count": 2,
"next": null,
"previous": null,
"results": [
{
"id": "3d119e0a-e212-5v23-a4d5-de5820678f27",
"name": "Private",
"azure_profile": null,
"owner": null,
"roles": [
"admin"
]
},
{
"id": "9d501982-c0ce-1ee2-50f2-562090efff09",
"name": "Organization X",
"azure_profile": null,
"owner": null,
"roles": [
"user"
]
}
]
}
Now call the refresh_token API using grant_type=switch_organization and also pass the organization_id.
POST 'https://account.ezeep.com/oauth/access_token/'
Supported attributes:
Attribute | Parameter Type | Required | Description |
---|---|---|---|
Authorization | HTTP Header | yes | Basic {{base_64_encoded_client_id}} |
Content-Type | HTTP Header | yes | application/x-www-form-urlencoded |
grant_type | Body | yes | switch_organization |
scope | Body | yes | printing |
refresh_token | Body | yes | last generated refresh_token |
organization_id | Body | yes | organization_id from previous request |
Example Request:
curl --location 'https://account.ezeep.com/oauth/access_token/' \
--header 'Authorization: Basic TVJFekxrSmdjQXZ1OU9RYTdVRkpFTjRFbml...' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=switch_organization' \
--data-urlencode 'scope=printing' \
--data-urlencode 'refresh_token=qm77WJajUQfEv8IM03VmI0vLk1bau8ek' \
--data-urlencode 'organization_id=9d501982-c0ce-1ee2-50f2-562090efff09'
Example Response:
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "printing",
"refresh_token": "qm77WJajUQfEv8IM03VmI0vLk1bau8ek"
}
This refresh_token shall be reused later on for further access_token requests.