Legacy Knowledge Base
Published Jun. 30, 2025

How to implement a token system instead of using credentials to access remote services

Written By

Kanchan Bisht

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • When writing a custom remote service in Liferay (a ServiceImpl class), which method can be used to authenticate with a token rather than with credentials?

Environment

  • Liferay DXP 7.4

Resolution

  • Liferay has Authentication Verifiers that authenticate remote invocations of Liferay Portal's API in a centralized and extensible way. They have two main responsibilities:
    1. Verify the provided credentials using the registered AuthVerifier instances
    2. Create portal authorization contexts based on the verification results
    See the documentation for more details: Using Authentication Verifiers

    Additionally, Liferay has documentation on creating OAuth2 applications, which might help: creating-oauth2-applications

    OAuth 2.0 is an authorization protocol and NOT an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example remote APIs or user data.

    OAuth 2.0 provides consented access and restricts what actions the client app can perform on resources on behalf of the user, without ever sharing the user's credentials.

1. Start the DXP server.
2. Navigate to OAuth2 Administration under Control Panel.
3. Add an OAuth2 application with the following settings:

Name: OAuth2
Website URL: http://localhost:8080/
Callback URIs: http://localhost:8080/
Client Authentication Method: Client Secret Post
Client Profile: Headless Server

4. Click Save.
5. Navigate to Scope and check all 'Portal Services'.
6. Generate the token for the 'Test' user by executing the following curl command (the client ID and client secret are sent in the form-encoded request body, matching the Content-Type header):

curl -X POST --header "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id={test-app-clientId}&client_secret={test-app-clientSecret}" "http://localhost:8080/o/oauth2/token"

7. A response should be received that looks something like this: {"access_token":"c625a7972685aeaf03d721cceeac11e8f917d73df5742f7a61b10278dd7c2c8","token_type":"Bearer","expires_in":600,"scope":"liferay-json-web-services.everything.read.userprofile liferay-json-web-services.everything.write liferay-json-web-services.analytics.read liferay-json-web-services.analytics.write liferay-json-web-services.everything.read liferay-json-web-services.everything liferay-json-web-services.everything.read.documents.download"}

Once the token has been received, it can be used to test any headless API, for example via Postman.
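The following script is an added example and is not part of the original article or Liferay's own code. It puts the steps above together: it requests a client_credentials token from the /o/oauth2/token endpoint with the credentials in the request body (not the URL, so they do not end up in server access logs or shell history), checks that the response really carries a Bearer access_token with a positive expires_in before using it, and then sends the token in the Authorization header to a headless API. The environment variable names, the `live` argument, the headless path /o/headless-admin-user/v1.0/my-user-account and the sample response with its placeholder token value are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): obtain an OAuth2 client_credentials
# token from Liferay and use it as a Bearer token against a headless API.
# Assumptions: Liferay at LIFERAY_URL; client id/secret in the environment
# variables LIFERAY_CLIENT_ID / LIFERAY_CLIENT_SECRET (names chosen here).

LIFERAY_URL="${LIFERAY_URL:-http://localhost:8080}"

# Token request. Credentials go in the form-encoded body (-d / --data-urlencode),
# which is what the Content-Type header announces, never in the query string.
request_token() {
  curl -s -X POST \
    --header "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=client_credentials" \
    --data-urlencode "client_id=$1" \
    --data-urlencode "client_secret=$2" \
    "$LIFERAY_URL/o/oauth2/token"
}

# Pull a string field out of a flat JSON object with POSIX sed (no jq needed).
# $1 = field name, $2 = JSON text
json_field() {
  printf '%s' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Pull a bare numeric field (e.g. expires_in) out of the same kind of object.
json_number() {
  printf '%s' "$2" | sed -n "s/.*\"$1\":\([0-9]*\).*/\1/p"
}

# Validate a token response before trusting it: non-empty access_token,
# token_type Bearer and a positive lifetime. Prints the token and returns 0
# on success; returns 1 on an error response such as {"error":"invalid_client"}.
check_token_response() {
  token=$(json_field access_token "$1")
  type=$(json_field token_type "$1")
  ttl=$(json_number expires_in "$1")
  [ -n "$token" ] || return 1
  [ "$type" = "Bearer" ] || return 1
  [ "${ttl:-0}" -gt 0 ] || return 1
  printf '%s' "$token"
}

# Call a headless API with the token in the Authorization header.
# $1 = access token, $2 = API path
call_headless_api() {
  curl -s --header "Authorization: Bearer $1" "$LIFERAY_URL$2"
}

# Constructed sample response in the shape the article shows; the token value
# is a placeholder, not a real token.
SAMPLE_RESPONSE='{"access_token":"PLACEHOLDER_TOKEN_VALUE","token_type":"Bearer","expires_in":600,"scope":"liferay-json-web-services.everything.read"}'

# Run against a real server only when invoked as: sh token.sh live
if [ "${1:-}" = "live" ]; then
  resp=$(request_token "$LIFERAY_CLIENT_ID" "$LIFERAY_CLIENT_SECRET")
  tok=$(check_token_response "$resp") || {
    echo "token request failed: $resp" >&2
    exit 1
  }
  call_headless_api "$tok" "/o/headless-admin-user/v1.0/my-user-account"
fi
```

Run with `sh token.sh live` after exporting the client ID and secret; without the `live` argument the script only defines the functions, so the parsing and validation can be exercised offline against SAMPLE_RESPONSE. The check on token_type and expires_in matters because the token endpoint returns a JSON error object with a 400 status on a wrong client secret or missing scope, and a script that blindly reads access_token would otherwise send an empty Bearer header to the API.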

Additional Information

