Authentication to REST API with OAuth2

Hi, I'm using the REST API within a Web Java App to get query results, which works great, but the next step is to authenticate without having to use users' passwords.

Is using OAuth2 to authenticate the best way to do it?

I've tried it and so far I can't get the response that will give me the authorization code to get the access token via Java code. When I try with HTTP requests, it's OK, but I have to accept (through the oauth2Grant.jsp button), but I am missing something when using it with a Java HttpURLConnection…


0 votes

1 answers




I think there are several other solutions that fit your case better. As you do not want to add any new user authentication step:

  • if your queries are executed server side on the same host, the easiest way is to use nuxeo-platform-login-portal-sso. A simple query header with a shared secret and the authenticated username.

  • if your queries are server side without a DMZ, you have to sign the request to ensure it travels safely. In this case I'd recommend you use OAuth1 2-legged. Take a look at this Jersey client filter to see how to handle it:

  • if your queries are client <-> server, you can use nuxeo-platform-login-token: when authenticating a user, you'll ask Nuxeo to give you a token that you'll add to each user request.

0 votes

Hi, thanks for the answer. The suggestion #1 (nuxeo-platform-login-portal-sso) is interesting because I'm already using it with Automation API to get a session.

I was wondering if I could use it with an HttpURLConnection for a REST API request (…/nuxeo/api/v1) - JSON request, but I didn't know how to integrate it for the connection authorization. I'm going to look further. Any hints?



Even though I recommend you use something easier for handling HTTP requests, like jersey-client, to query our REST API, you just need to:

  • Add expected headers
  • Ensure you have the right authentication plugin in your chain

See this well-documented page below:


Where can we find some documentation about using nuxeo-platform-login-token from a client application?
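
For the portal-sso route discussed above (adding the expected headers to a plain HttpURLConnection), here is an added example that is not part of the original thread or Nuxeo's own code. It assumes the plugin's documented defaults: headers `NX_TS`, `NX_RD`, `NX_TOKEN`, `NX_USER` and a token of Base64(MD5("timestamp:random:secret:user")); the base URL, secret and username are placeholders.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class PortalSsoRequest {

    // Placeholders: point BASE_URL at your server; SHARED_SECRET must equal the
    // secret configured for the portal-sso plugin. Anyone holding it can act as
    // any user, so keep it server side and load it from protected configuration.
    static final String BASE_URL = "http://localhost:8080/nuxeo/api/v1";
    static final String SHARED_SECRET = "change-me";

    /** Assumed default scheme: Base64(MD5("ts:random:secret:user")). */
    static String token(long ts, String random, String secret, String user) throws Exception {
        String clear = ts + ":" + random + ":" + secret + ":" + user;
        byte[] hash = MessageDigest.getInstance("MD5")
                .digest(clear.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(hash);
    }

    /** Prepares (does not yet send) a JSON request authenticated as the given user. */
    static HttpURLConnection open(String path, String user) throws Exception {
        long ts = System.currentTimeMillis();          // server rejects stale timestamps
        String random = Long.toString(new SecureRandom().nextLong());
        HttpURLConnection conn =
                (HttpURLConnection) URI.create(BASE_URL + path).toURL().openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Accept", "application/json");
        conn.setRequestProperty("NX_TS", Long.toString(ts));
        conn.setRequestProperty("NX_RD", random);
        conn.setRequestProperty("NX_TOKEN", token(ts, random, SHARED_SECRET, user));
        conn.setRequestProperty("NX_USER", user);
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // "jdoe" and the document path are constructed sample values.
        HttpURLConnection conn = open("/path/default-domain", "jdoe");
        // Nothing is sent until getResponseCode()/getInputStream() is called,
        // so the prepared headers can be inspected offline.
        conn.getRequestProperties().forEach((k, v) -> System.out.println(k + ": " + v));
    }
}
```

The server only honours these headers if the portal-sso authentication plugin is in the authentication chain, which is the second point in the answer above.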