I am trying to work with IAM token-based authentication. I am able to generate an 'access token' and can do operations using the 'access token'. Now I am having an issue while generating a 'refresh token'. I am following this link: https://cloud.ibm.com/docs/services/watson?topic=watson-iam.
I am using the command below to generate a refresh token. Here the Authorization header value is obtained using the username 'apikey' and my key as the value. The {refresh-token} value I am using is the one I received while generating the 'access token'.
curl -k -X POST --header "Authorization: Basic Yng6Yng=" --data-urlencode "grant_type=refresh_token" --data-urlencode "refresh_token={refresh-token}" "https://iam.bluemix.net/identity/token"
I expect to get a refresh token but get this error: {"context":{"requestId":"021c3482..."},"errorCode":"BXNIM0507E","errorMessage":"For OpenID Connect related APIs, you need to send your client credentials as basic authorization header"}
Can someone help me understand what is going wrong?
The description in https://cloud.ibm.com/docs/services/watson?topic=watson-iam incorrectly describes the refresh case. I will follow up with the docs team to update that section. This is the generic description of how to get tokens for API keys: https://cloud.ibm.com/docs/iam?topic=iam-iamtoken_from_apikey
For API usage, IBM Cloud allows you to generate access tokens without providing a client id / secret. In this case, a default client id is assumed which is only allowed to create tokens for API keys, but is not authorized to use any other grant type, including the grant_type refresh_token. Therefore, simply dismiss the refresh token from the response of the API key grant in the first call; you won't be able to use it.
In the API key use case, there is no benefit of using the grant_type refresh_token over getting a new access token with the API key grant type anyway: all validation steps that are done internally (does the user still exist / is the user still in the account / ...) are identical. But the refresh token will eventually expire; the API key will not.
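As an added example (not code from the answer, the question, or IBM's own SDKs), here is a small Python helper that follows the answer's advice: it ignores the refresh token and simply re-runs the API-key grant shortly before the access token expires. It assumes iam.cloud.ibm.com as the current host of the same /identity/token endpoint the question calls on iam.bluemix.net, and takes an injectable transport and clock so the renewal logic can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed: iam.cloud.ibm.com is the current host for the /identity/token
# endpoint that the question reaches via iam.bluemix.net.
IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
APIKEY_GRANT = "urn:ibm:params:oauth:grant-type:apikey"
RENEW_MARGIN_SECONDS = 300  # request a fresh token this long before expiry


def http_post_form(url, fields):
    """Default transport: form-encoded POST, JSON reply. No Basic header is
    sent: the apikey grant uses the default client id the answer describes."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class ApiKeyTokenProvider:
    """Hands out a valid IAM access token, renewing it with the API key
    instead of the refresh token (which the default client may not use)."""

    def __init__(self, apikey, url=IAM_TOKEN_URL, post=http_post_form, clock=time.time):
        self._apikey, self._url, self._post, self._clock = apikey, url, post, clock
        self._token, self._expiration, self.fetches = None, 0, 0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expiration - RENEW_MARGIN_SECONDS:
            body = self._post(self._url, {"grant_type": APIKEY_GRANT, "apikey": self._apikey})
            if "errorCode" in body:  # e.g. BXNIM0507E for a grant this client may not use
                raise RuntimeError(f"IAM {body['errorCode']}: {body.get('errorMessage')}")
            self._token = body["access_token"]
            # IAM returns 'expiration' as absolute epoch seconds; fall back to expires_in
            self._expiration = body.get("expiration", now + body.get("expires_in", 0))
            self.fetches += 1
        return self._token


if __name__ == "__main__":
    import os
    provider = ApiKeyTokenProvider(os.environ["IBMCLOUD_API_KEY"])
    print(provider.token()[:20] + "...")
```

Every renewal is a full API-key grant, so the provider keeps working after the refresh token from the first response would have expired.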