Authenticate using OAuth 2.0 (2024)

OAuth 2.0 enables the safe retrieval of secure resources while protecting user credentials. Some apps may need to authenticate during the configuration phase and others may need OAuth only when a user invokes a service.

In general, OAuth authentication follows a six step pattern:

  1. An application requests authorization on a user's behalf.
  2. The application obtains a Grant Token.
  3. The client requests an access token by using the Grant Token.
  4. The authorization server validates the Grant Token and issues an Access Token and a Refresh Token.
  5. The client requests the protected resource, authenticating using the Access Token.
  6. The resource server verifies the Access Token and serves the request.

Learn more about the OAuth 2.0 Specifications.

In this topic:

  • Authenticate using OAuth 2.0
    • Eloqua OAuth 2.0 endpoints
    • To authenticate using OAuth 2.0
      • To authenticate using an authorization code grant
      • To authenticate using an implicit grant
      • To authenticate using a resource owner password credentials grant
    • Troubleshooting error messages
      • 401 Unauthorized
      • Too Many Requests

Eloqua OAuth 2.0 endpoints:

Authorization endpoint: https://login.eloqua.com/auth/oauth2/authorize

Token endpoint: https://login.eloqua.com/auth/oauth2/token


Note: The following examples assume that all requests are successful. For a detailed description of possible request responses, including a variety of failure types, see: the OAuth Reference.

To authenticate using OAuth 2.0

Eloqua supports three possible flows that an application can use to obtain access on behalf of a resource owner: Authorization Code grant, Implicit grant, and Resource Owner Password Credentials grant. In general, you should use the Authorization Code grant for Apps that extend Eloqua's functionality.

Important: Before you begin, you need a unique Client ID and Client Secret for your app. In your Eloqua instance navigate to Settings > AppCloud Developer then select Create New App. Learn more about AppCloud app creation. Fill out the required information and enter your app's URL into the Callback Url field under the OAuth heading then click Save. You should then be presented with valid Client Id and Client Secret values.

To authenticate using an authorization code grant:

  1. Request initial authorization through the login.eloqua.com/auth/oauth2/authorize endpoint. A call to this endpoint will trigger a prompt for users to enter their credentials.

    /auth/oauth2/authorize has five possible URL parameters:

    Parameter     | Value                                                                                                                              | Required?
    response_type | Must be "code"                                                                                                                     | Yes
    client_id     | Your app's Client Id provided when registering your app (see above)                                                                | Yes
    redirect_uri  | Your app's registered redirection endpoint; should be the same URL you entered as the Callback Url when registering your app (see above) | Yes
    scope         | Must be "full" or not supplied                                                                                                     | No
    state         | An optional value that has meaning for your App                                                                                    | No

    The call to the authorize endpoint might resemble:

    https://login.eloqua.com/auth/oauth2/authorize?response_type=code
    &client_id=a1b2c3d4&redirect_uri=https://client.example.com/cb
    &scope=full&state=xyz

    Once users enter their credentials and accept your app's request to access Eloqua on their behalf, they are redirected to the redirect_uri with a Grant Token (in this case an Authorization Code) attached in the code URL parameter, as in the following example:

    HTTP/1.1 302 Found
    Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
  2. Use the Grant Token to obtain an Access Token and Refresh Token using a POST request to the login.eloqua.com/auth/oauth2/token endpoint.

    The POST request should include a JSON body with the following parameters:

    Parameter    | Value                                                             | Required?
    grant_type   | The name of the Grant Token's type. In this case: authorization_code | Yes
    code         | The Grant Token                                                   | Yes
    redirect_uri | Your app's registered redirection endpoint                        | Yes

    The following example call requests an Access Token and a Refresh Token using the Grant Token obtained previously:

    POST https://login.eloqua.com/auth/oauth2/token
    Authorization: Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM=

    {"grant_type":"authorization_code","code":"SplxlOBeZQQYbYS6WxSbIA","redirect_uri":"https://client.example.com/cb"}

    Note: This request must authenticate using HTTP basic. Use your app's Client Id as the username and its Client Secret as the password. The format is client_id:client_secret. Encode the string with base-64 encoding, and pass it in the Authorization header. The system does not support passing Client Id and Client Secret parameters in the JSON body, and, unlike basic authentication elsewhere, you should not include your site name. Learn more about basic authentication with Eloqua.

    The authorization server validates the authorization code and if valid responds with a JSON body containing the Access Token, Refresh Token, access token expiration time, and token type, as in the following example:

    HTTP/1.1 200 OK
    Content-Type: application/json

    {"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"bearer","expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"}
  3. Store and use the access and refresh tokens.

    When your app needs a protected resource, it authenticates during the request using the Access Token. The following call to Eloqua's application API uses the access token to authenticate:

    GET /resource/1 HTTP/1.1
    Host: api.eloqua.com
    Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA

    api.eloqua.com verifies the Access Token, and supplies the requested resource if the access token is valid.

    Note:

    • Authorization Codes expire in 60 seconds (intended for immediate use)
    • Access Tokens expire in 8 hours
    • Refresh Tokens expire in 1 year
    • Refresh Tokens will expire immediately after being used to obtain new tokens, or after 1 year if they are not used to obtain new tokens
  4. If the access token has expired, send your Refresh Token to login.eloqua.com/auth/oauth2/token to obtain new tokens, as in the following example:

    POST https://login.eloqua.com/auth/oauth2/token
    Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

    {"grant_type":"refresh_token","refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA","scope":"full","redirect_uri":"https://client.example.com/cb"}

    If the request is successful, the response is a JSON body containing a new access token, token type, access token expiration time, and a new refresh token:

    HTTP/1.1 200 OK
    Content-Type: application/json

    {"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"bearer","expires_in":3600,"refresh_token":"MToxLUIyZHRNTUZsazIwNmZFTy1"}

    Store the new refresh token, as the old refresh token is no longer valid. Then proceed to make your call using the new access token.
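The client side of steps 1 to 4 above, as an added Python example that is not part of the Eloqua documentation: it builds the authorize URL, checks the returned state before accepting the code, builds the Basic header and the JSON bodies for the token and refresh calls, and keeps the tokens in a small store that tracks expiry and drops a refresh token the moment it has been used. No requests are sent. The endpoints and parameter names are the documented ones; the client id, secret, redirect URI, token values and the 60-second early-refresh margin are assumptions made here.

```python
# Added example (not Eloqua's code). Offline: builds the URL, header and
# JSON bodies the documented steps call for and parses the responses.
import base64
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://login.eloqua.com/auth/oauth2/authorize"
TOKEN_URL = "https://login.eloqua.com/auth/oauth2/token"


def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: the URL the user is sent to. response_type must be 'code';
    scope may be 'full' or omitted; state is echoed back on the callback."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "full", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(location, expected_state):
    """Step 1, callback side: pull the authorization code out of the
    redirect Location and check that state matches the value this session
    issued. A mismatch means the callback was not started by us, so the
    code is rejected rather than exchanged."""
    query = parse_qs(urlparse(location).query)
    state = query.get("state", [None])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discarding callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def basic_auth_header(client_id, client_secret):
    """Per the note above: HTTP Basic with client_id:client_secret,
    base-64 encoded, and no site name prefix."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def code_exchange_body(code, redirect_uri):
    """Step 2: JSON body sent to the token endpoint."""
    return json.dumps({"grant_type": "authorization_code", "code": code,
                       "redirect_uri": redirect_uri})


def refresh_body(refresh_token, redirect_uri):
    """Step 4: JSON body that trades a refresh token for new tokens."""
    return json.dumps({"grant_type": "refresh_token",
                       "refresh_token": refresh_token, "scope": "full",
                       "redirect_uri": redirect_uri})


class TokenStore:
    """Steps 3 and 4: holds the current tokens and knows when to refresh.
    Refresh tokens are single-use, so the old one is replaced as soon as a
    new pair is stored. `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def store(self, token_response_json):
        body = json.loads(token_response_json)
        if body.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        self.access_token = body["access_token"]
        self.refresh_token = body["refresh_token"]  # replaces the used one
        # Assumed margin: refresh 60 s early so a request never races expiry.
        self.expires_at = self._now() + int(body["expires_in"]) - 60

    def needs_refresh(self):
        return self.access_token is None or self._now() >= self.expires_at

    def bearer_header(self):
        """Step 3: the Authorization header for api.eloqua.com calls."""
        if self.needs_refresh():
            raise RuntimeError("access token expired: refresh first")
        return "Bearer " + self.access_token
```

The state check uses a constant-time comparison and rejects the callback outright on mismatch; the store refuses to hand out a bearer header once the token is within the margin of expiry, which is the point at which the refresh request from step 4 should be sent instead.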

To authenticate using an implicit grant:

An implicit grant is a browser-based authentication best used for in-browser applications. Instead of issuing an authorization code that is exchanged for an access token, Eloqua issues an access token directly.

Warning: An authorization code grant is recommended in the vast majority of cases, as it has fewer potentially negative security implications.

  1. Request an access token through a GET request to the login.eloqua.com/auth/oauth2/authorize endpoint using the following URL parameters:

    Parameter     | Value                                                                                                                              | Required?
    response_type | Must be "token"                                                                                                                    | Yes
    client_id     | Your app's Client Id provided when registering your app (see above)                                                                | Yes
    redirect_uri  | Your app's registered redirection endpoint; should be the same URL you entered as the Callback Url when registering your app (see above) | Yes
    scope         | Must be "full" or not supplied                                                                                                     | No
    state         | An optional value that has meaning for your App                                                                                    | No

    The call to the authorize endpoint might resemble:

    https://login.eloqua.com/auth/oauth2/authorize?response_type=token
    &client_id=s6BhdRkqt3&redirect_uri=https://client.example.com/app
    &scope=full&state=xyz

    Once users enter their credentials and accept your app's request to access Eloqua on their behalf, they are redirected to the redirect_uri with the access token attached in the access_token parameter of the URL fragment, as in the following example:

    HTTP/1.1 302 Found
    Location: https://client.example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
    &token_type=bearer&expires_in=28800&state=xyz
  2. Use the access token to request resources on the user's behalf.

To authenticate using a resource owner password credentials grant

With the resource owner password credential grant, the App provides the resource owner's username and password to the authorization server in order to obtain an access token. This grant type is ideal when an app already has the necessary Eloqua user names and passwords stored, and wants to use access tokens for added security.

  1. Obtain an Access Token and a Refresh Token by making a POST request to the login.eloqua.com/auth/oauth2/token endpoint using a JSON body containing the following parameters:

    Parameter  | Value                                                              | Required?
    grant_type | Must be "password"                                                 | Yes
    scope      | Must be "full" or not supplied                                     | No
    username   | The user's site name and username in the form sitename + '/' + username | Yes
    password   | The user's password                                                | Yes

    Note: This request must authenticate using HTTP basic. Use your app's Client Id as the username and its Client Secret as the password. The format is client_id:client_secret. Encode the string with base-64 encoding, and pass it in the Authorization header. The system does not support passing Client Id and Client Secret parameters in the JSON body, and, unlike basic authentication elsewhere, you should not include your site name. Learn more about basic authentication with Eloqua.

    The call to the token endpoint might resemble:

    POST https://login.eloqua.com/auth/oauth2/token
    Authorization: Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM=

    {"grant_type":"password","scope":"full","username":"testsite\\testuser","password":"user123"}
  2. If the request is successful, the response is a JSON body containing an Access Token, a Refresh Token, the access token expiration time, and token type:
    HTTP/1.1 200 OK
    Content-Type: application/json

    {"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"bearer","expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKW"}
  3. You can then use the Access Token and store the Refresh Token, using the Refresh Token as needed to renew the credentials. Follow steps 3 and 4 of "To authenticate using an authorization code grant" above for more information.

Troubleshooting error messages

401 Unauthorized

401 Unauthorized errors are divided into categories indicated by the 1000s digit of the error_code.

Error code Description
1000 General error messages.
2000 Error messages related to authentication.
2500 Error messages related to OAuth2 authentication.
3000 Error messages related to authorization.

Here is a list of error messages when submitting requests to the token endpoint login.eloqua.com/auth/oauth2/token.

Error Error code Error Description
unknown_error 2500 An unknown error occurred.
unknown_token 2501 Provided token is unknown.
unknown_site_id 2502 Provided site identifier is unknown.
destroyed_token 2503 The supplied refresh token has been destroyed.
expired_token 2504 The supplied refresh token has expired.
invalid_client_secret 2505 The supplied client secret doesn't match the client's secret.
unsupported_site_authentication 2506 The site doesn't support OAuth 2 authentication.
unsupported_user_authentication 2507 The user doesn't support OAuth 2 authentication.
unknown_client_id 2508 The supplied client identifier is unknown.
invalid_redirect_uri 2509 The supplied RedirectUri is invalid.
unknown_error 3000 Unknown authorization error.
account_disabled 3001 User account is disabled.
failed_allowlist_authorization 3002 Failed site IP allow list authorization.
unknown_site_id 3003 The supplied site identifier is unknown.
unknown_authentication_handle 3004 The supplied authentication handle identifier is unknown.
unknown_user_id 3005 The supplied user identifier is unknown.
unknown_security_domain 3006 The supplied users security domain is unknown.
invalid_authentication_handle 3007 The supplied authentication handle is invalid.
invalid_request 3008 The request is invalid.

Too Many Requests

The Eloqua OAuth 2.0 authorization flow initiation will only accept one initiation per minute for any given User of an App.

  • For Using Code Grant and Using Implicit Grant: When the user clicks Accept, a Too Many Requests message is returned.

  • For Password Credentials Grant: The following response will be returned to the request:

    HTTP/1.1 429 Too Many Requests
    Content-Type: application/json
    Retry-After: 60
    {
    "error":"too_many_requests",
    "error_description":"This user has already authorized this app within the allowed time frame of 60 seconds."
    }
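An added Python example, not Eloqua's code, showing how a client can act on the two error sections above: it classifies a 401 error_code by its 1000s digit into the documented categories (treating 2500-2999 as the OAuth2 sub-range), maps the documented error names onto a next action, and honours the Retry-After header of the 429 response instead of re-initiating the flow. The 429 body and the error names and codes come from the tables above; the shape of the 401 JSON body (an "error" and an "error_code" field) and the choice of which errors call for a fresh grant, a configuration fix or a hard failure are assumptions made here.

```python
# Added example (not Eloqua's code): dispatch on token-endpoint errors.
import json

# Categories by the 1000s digit of error_code, as documented above.
CATEGORIES = {1: "general", 2: "authentication", 3: "authorization"}
# Assumed dispatch: refresh tokens that are destroyed (already used once)
# or expired need a new grant from the user; credential/redirect errors
# are app registration problems, not something to retry.
NEEDS_NEW_GRANT = {"destroyed_token", "expired_token"}
CONFIG_ERRORS = {"invalid_client_secret", "unknown_client_id",
                 "invalid_redirect_uri"}


def classify_error_code(code):
    """Map an error_code to its documented category."""
    category = CATEGORIES.get(code // 1000, "unknown")
    if category == "authentication" and 2500 <= code < 3000:
        category = "oauth2"
    return category


def handle_token_response(status, headers, body):
    """Return (action, detail) for the caller:
    ('ok', tokens), ('retry_after', seconds), ('reauthorize', reason),
    ('fix_config', reason) or ('fail', reason). Header names are assumed
    to be looked up exactly as given (case-sensitive dict)."""
    data = json.loads(body) if body else {}
    if status == 200:
        return ("ok", data)
    if status == 429:
        # Retry-After is in seconds; the documented window is 60 s, so
        # that is the fallback when the header is missing.
        return ("retry_after", int(headers.get("Retry-After", "60")))
    if status == 401:
        err = data.get("error", "unknown_error")
        code = int(data.get("error_code", 1000))  # assumed field name
        reason = f"{err} ({code}, {classify_error_code(code)})"
        if err in NEEDS_NEW_GRANT:
            return ("reauthorize", reason)
        if err in CONFIG_ERRORS:
            return ("fix_config", reason)
        return ("fail", reason)
    return ("fail", f"unexpected HTTP {status}")
```

A client that retries blindly on 401 will burn through the one-initiation-per-minute limit and start seeing 429s; separating "the user must grant again" from "the app is misconfigured" keeps the retry loop from turning a bad client secret into a stream of failed authorization attempts.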

Learn more

Authentication

Get Started

Troubleshooting 400 level errors with OAuth token

AppCloud installation flow
