Workspace ONE Access APIs using OAuth 2

In my post How to use Workspace ONE Access APIs, I showed how to authenticate to the Workspace ONE Access APIs using the HZN cookie. Although the HZN cookie provides a quick and easy way to make API calls, it may not be the best approach if you need to interact with Workspace ONE Access programmatically using APIs.

Below is an overview on how to use OAuth 2 to authenticate to Workspace ONE Access APIs, using Postman as an API client (www.postman.com).

To authenticate to the Workspace ONE Access APIs using OAuth 2, we need to create a Remote App Access Client. Log in to the Workspace ONE Access admin console and navigate to Catalog / Settings / Remote App Access.

Click on the Create Client button on the top right. On the Create Client window, select the following:

  • Access Type: Service Client Token
  • Client ID: <name_of_your_service> (in this case I named it API_Connect, but it can be something else)

Expand the Advanced option and click the Generate Shared Secret option. Copy the generated value that appears in the Shared Secret field, as we will need it later on.

Confirm that the Token Type is set to Bearer and then click the Add button.

Open Postman and create a new POST request with the following URL:

https://<your Access tenant URL>/SAAS/auth/oauthtoken

Under the Authorization tab, select Basic Auth as the Type and then add the following values:

  • Username: <Client ID> (as defined on Workspace ONE Access, in my case it is API_Connect)
  • Password: <Shared Secret> (value copied from Workspace ONE Access)

Under the Body tab, select x-www-form-urlencoded and then add the following key:

  • Key: grant_type
  • Value: client_credentials

Click the Send button on the top right. The response should contain a field called access_token. This is the value that we will use to make API requests.

As an example, I will do a GET request to list all the users on Workspace ONE Access. Create a new GET request on Postman with the following URL:

https://<your Access tenant URL>/SAAS/jersey/manager/api/scim/Users

Under the Authorization tab, select Bearer Token and then paste the access_token value (without double quotes) into the Token field.

Click the Send button and verify that you get a 200 response with details of the users of the environment.
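The same two requests can be scripted once the Postman flow works. The Python below is an added example, not code from the original post: it builds the token request (Basic auth plus grant_type=client_credentials) and the Bearer-authenticated SCIM request described above. The function names and the WS1_* environment variable names are assumptions; the shared secret is read from the environment so it never lands in source control.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_PATH = "/SAAS/auth/oauthtoken"
USERS_PATH = "/SAAS/jersey/manager/api/scim/Users"


def build_token_request(tenant_url, client_id, shared_secret):
    """POST with HTTP Basic auth (client ID / shared secret) and a form body."""
    creds = f"{client_id}:{shared_secret}".encode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        tenant_url.rstrip("/") + TOKEN_PATH,
        data=body, method="POST",
        headers={
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def extract_access_token(response_body):
    """Return access_token from the JSON response; fail loudly if it is absent."""
    token = json.loads(response_body).get("access_token")
    if not token:
        raise ValueError("token response has no access_token field")
    return token


def build_users_request(tenant_url, access_token):
    """GET the SCIM Users endpoint with the token as a Bearer credential."""
    return urllib.request.Request(
        tenant_url.rstrip("/") + USERS_PATH,
        headers={"Authorization": f"Bearer {access_token}"},
    )


if __name__ == "__main__":
    # WS1_* variable names are assumptions; keep the shared secret out of source.
    tenant = os.environ["WS1_TENANT_URL"]
    req = build_token_request(tenant, os.environ["WS1_CLIENT_ID"],
                              os.environ["WS1_SHARED_SECRET"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = extract_access_token(resp.read())
    with urllib.request.urlopen(build_users_request(tenant, token), timeout=30) as resp:
        print(resp.status, len(resp.read()), "bytes")
```

Treat the shared secret and the returned access_token as credentials: keep them out of logs and shell history, and rotate the shared secret if it is ever exposed.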