Skip to main content
Enterprise customers may wish to interact with the WireMock Cloud API from their own clients using OAuth 2.0. WireMock Cloud supports the OAuth 2.0 Device Authorization Flow for these customers.

Requirements

You will need to have requested the creation of a new OAuth Client by WireMock Cloud. You will need to tell us:
  • The maximum time you allow between interactions before the user has to reauthenticate
  • The maximum total time you allow between authentications, eve if the user is regularly interacting

Inputs

  • {client_id}: The OAuth client (in Auth0, the Application id) provided by WireMock Cloud

Initiate the Client

request
returns:

discover_urls

Initiate the Device Authorization Flow

request
returns:

device_authorization

expires_in and interval are values in seconds.

Pass control to the user to authenticate

Something like this should be rendered:
if possible, {device_authorization.verification_uri_complete} should be opened automatically in the user’s browser.

Poll for successful authentication

Every {device_authorization.interval} seconds until {device_authorization.expires_in} seconds have passed you poll as so:
request
You should be returned one of these two responses:
response
which means “poll again in {device_authorization.interval} unless {device_authorization.expires_in} has passed” or

token_response

response
You can then interact with the API using this request header: Authorization: {token_response.token_type} {token_response.access_token}

Refresh Tokens

WireMock access tokens are JWTs, and cannot be revoked. Consequently they are short-lived (sub 10 minutes). In order to avoid having to authenticate regularly, the client may exchange a refresh token (which can be revoked) for a new access token. A refresh token, once used, becomes invalid - a new one is returned along with the new access token. Any attempt to use an invalid refresh token will also invalidate the current valid refresh token, forcing a reauthentication. Refresh tokens can be explicitly revoked on logout.

Exchanging a refresh token for a new access token

request
returns
token_response

Invalidating a refresh token

request