Oauth2 Client credentials flow
Oauth2 Client Credentials flow is the most direct form of authentication. The Client Credentials must be treated confidentially and must not be disclosed to third parties.
Guidelines
The following guidelines apply:
- The Client Credentials are not accessible by or visible to the user.
- The code is not plainly accessible in a public downloadable binary.
- The Client Cedentials consist of two fields:
- Client ID: XXXXXXXXXXXX
- Client Secret: XXXXXXXXXXXXXXXXXXXXXXXXX
JSON web token
After registration, the Client Credentials are provided per application by email.
These Credentials can be exchanged for a JWT (JSON web token), which can then be used to communicate with the APIs. This takes place via the OAuth2 Client Credentials flow. Read more about this in Okta's documentation.
This JWT is an encrypted JSON message. To inspect the contents and learn more about this token, please visit www.jwt.io.
The URL with which credentials can be exchanged for a JWT is included in the configuration files of the authentication server:
Staging: https://idm.staging.floriday.io/oauth2/ausmw6b47z1BnlHkw0h7/.well-known/oauth-authorization-server
Live: https://idm.floriday.io/oauth2/aus3testdcf2vyfs70i7
Configure token endpoint
Please note that depending on the OAuth library that you use, you have to either:
- Configure the token endpoint directly (https://idm.floriday.io/oauth2/aus3testdcf2vyfs70i7/v1/token) or
- Use the address of the authorization server itself (https://idm.floriday.io/oauth2/aus3testdcf2vyfs70i7/)
Using the JWT-token
The obtained JWT has to be included with every API call in the Authorization HTTP header, preceded by 'Bearer'.
By using the API-key alongside the JWT-token, the user's data can be accessed.
The implementation will then look as follows:
More information can be found here: https://developer.okta.com/docs/guides/implement-client-creds/overview/
Validation
By executing the following requests, one can easily validate if the authentication properly works.
First request a token. Replace the CLIENT_ID and CLIENT_SECRET placeholders with your personal values.
curl --location --request POST 'https://idm.staging.floriday.io/oauth2/ausmw6b47z1BnlHkw0h7/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=##CLIENT_ID##' \
--data-urlencode 'client_secret=##CLIENT_SECRET##' \
--data-urlencode 'scope=role:app catalog:read sales-order:write organization:read supply:read supply:write sales-order:read delivery-conditions:read fulfillment:write fulfillment:read'
With the returned access token try to GET all organization belonging to the account identified by the API-Key.
For suppliers:
curl --location --request GET 'https://api.staging.floriday.io/suppliers-api-{version}/auth/key' \
--header 'X-Api-Key: ##API_KEY##' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer ##ACCESS_TOKEN##
For customers:
curl --location --request GET 'https://api.staging.floriday.io/customers-api-{version}/identities' \
--header 'X-Api-Key: ##API_KEY##' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer ##ACCESS_TOKEN##
If you're not getting a 200 response, please review your request or contact a Floriday Implementation Consultant.
Updated 10 months ago