Oauth2 Client credentials flow

Oauth2 Client Credentials flow is the most direct form of authorization. The Client Credentials must be treated confidentially and must not be disclosed to third parties.

Guidelines

The following guidelines apply:

• The Client Credentials are not accessible by or visible to the user.
• The code is not plainly accessible in a public downloadable binary.
• An API key is required.
• The Client Cedentials consist of two fields:
  • Client ID: XXXXXXXXXXXX
  • Client Secret: XXXXXXXXXXXXXXXXXXXXXXXXX

JSON web token

After registration, the Client Credentials are provided per application by email.

These Credentials can be exchanged for a JWT (JSON web token), which can then be used to communicate with the APIs. This takes place via the OAuth2 Client Credentials flow. Read more about this in Okta's documentation.

This JWT is an encrypted JSON message. To inspect the contents and learn more about this token, please visit www.jwt.io.

The URL with which credentials can be exchanged for a JWT is included in the configuration files of the authorization server:

Staging: https://idm.staging.floriday.io/oauth2/ausmw6b47z1BnlHkw0h7/.well-known/oauth-authorization-server

Live: https://idm.floriday.io/oauth2/aus3testdcf2vyfs70i7

🚧

Configure token endpoint

Please note that depending on the OAuth library that you use, you have to either:

• Configure the token endpoint directly (https://idm.floriday.io/oauth2/aus3testdcf2vyfs70i7/v1/token) or
• Use the address of the authorization server itself (https://idm.floriday.io/oauth2/aus3testdcf2vyfs70i7/)

Using the JWT-token

The obtained JWT has to be included with every API call in the Authorization HTTP header, preceded by 'Bearer'.

By using the API-key alongside the JWT-token, the user's data can be accessed.

The implementation will then look as follows:

More information can be found here: https://developer.okta.com/docs/guides/implement-client-creds/overview/

Validation

By executing the following requests, one can easily validate if the authorization properly works.

First request a token. Replace the CLIENT_ID and CLIENT_SECRET placeholders with your personal values.

curl --location --request POST 'https://idm.staging.floriday.io/oauth2/ausmw6b47z1BnlHkw0h7/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=##CLIENT_ID##' \
--data-urlencode 'client_secret=##CLIENT_SECRET##' \
--data-urlencode 'scope=role:app catalog:read sales-order:write organization:read supply:read supply:write sales-order:read delivery-conditions:read fulfillment:write fulfillment:read'

With the returned access token try to GET all organization belonging to the account identified by the API-Key.

For suppliers:

curl --location --request GET 'https://api.staging.floriday.io/suppliers-api-{version}/auth/key' \
--header 'X-Api-Key: ##API_KEY##' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer ##ACCESS_TOKEN##

For customers:

curl --location --request GET 'https://api.staging.floriday.io/customers-api-{version}/identities' \
--header 'X-Api-Key: ##API_KEY##' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer ##ACCESS_TOKEN##

If you're not getting a 200 response after these requests, please review your request or contact a Floriday Implementation Consultant.