OK, just gave a quick try to this using Postman and used a POST to https://api.codeproject.com/Token with my CP username, password and password as grant_type in x-www-form-urlencoded as you (and in the OAuth documentation) suggested, but it's returning a 400 Bad Request - "invalid_client" response. However, same POST to https://api.codeproject.com/ seemed to be working as it returned some "valid" HTML.
I will give it a try again. However, I would like to share an observation -
If I login into the API manually through a browser and capture the access token by running a sample under the My API, not only I can use it for both the APIs, it seems to be lasting quite some long time. As far as I can see, I can still make requests to the API using the access token I captured yesterday (almost 12-14 hours).
Can you please enlighten this behavior? I mean the lifetime of such access tokens? Even if they are lasting for a couple of days, I can make the access token configurable in my application (as it will be only for personal use) and replace it manually bypassing these OAuth steps through the application.
Please let me know, thanks again for the API.
Whether I think I can, or think I can't, I am always bloody right!
I needed to turn on the Resource Owner flow. I've done that and added a sample that should get you going.
The Access Token has a limited lifetime, currently 14 days. This will change once I implement Refresh tokens and a way to quickly invalidate Access Tokens. Because of this, check for 401 responses, and get a new Access Token if you get one.
There are some security issues with creating a permanent Access Token. That being said, if we can invalidate it on the server, there is a valid Use Case for them. We will toss this into the hat.