Authentication and Authorization

The OAuth 2.0 client credentials grant flow is the preferred way to authenticate integration scenarios in IFS Cloud. The flow validates the application credentials (the client ID and the client secret) and, on successful authentication, provides an access token and a refresh token. The access token can then be used to call APIs and get the relevant data as API responses.

Follow the instructions given below to obtain the access token:

Step 1 - Create a Client

Before you Begin

Make sure you have admin privileges in order to create a new client.

  1. In IFS Cloud, navigate to Solution Manager > Users and Permissions > Identity and Access Manager > IAM Client. Alternatively, search for IAM Client in the search bar.

  2. Click on the + icon. A pop-up appears to create a new client.

  3. Fill in the values for Client ID and Description in the Basic panel and Username in the User Group panel as shown below.

    Enable Service Accounts and Direct Access Grants in the Basic panel and disable Select from Existing Service Account Users in the User Group panel.

    new_client

  4. Click OK.

A new IAM client is created, and a unique client secret is generated.

Step 2 - Obtain the Token Endpoint

  1. In IFS Cloud, navigate to Solution Manager > Integration > API Explorer.

  2. Select a checkbox corresponding to any API that appears in the list.

  3. From the Documentation dropdown that appears above the list, click API Doc.

  4. Expand the AUTHORIZATIONS section and click on the connect URL.

  5. Search for token_endpoint.

The value of token_endpoint will be used as the request/access token URL to obtain the access token and refresh token in the next step.

Step 3 - Configure a New Token

  1. Access Postman and create a new request.
  2. In the Authorization tab, select OAuth 2.0 as the Type from the dropdown.
  3. Select Client Credentials as the Grant Type from the dropdown.
  4. Fill in the corresponding values obtained from the previous steps for Client ID, Access Token URL, and Client Secret.
  5. Enter the scope as openid microprofile-jwt.
  6. Click Get New Access Token.

The access token and refresh token will appear in a pop-up. You can use this access token to authenticate future requests.

Token Expiry and Obtaining a New Token

The access token obtained in the above step expires after a given time period, after which requests fail with an authorization error in the response as shown below. The expires_in field in the Manage Access Tokens pop-up mentioned in Step 3 determines when the access token expires.

not_authorized

A refresh token is generated with the access token. You can use this refresh token to renew the access token as shown below.

  1. To confirm that the error is caused by an expired token, navigate to the Authorization tab in Postman.

  2. Click on the Available Tokens dropdown.

  3. Select Manage Tokens. The token that you have used in the request should have expired as shown below.

    token_expired

  4. In the same pop-up, copy the value for the refresh_token provided.

  5. Close the pop-up. Open a new POST request and, as the Request URL, use the same token endpoint you used to generate the access token previously.

  6. Navigate to the Body tab and select x-www-form-urlencoded.

  7. Paste the value for the refresh_token that you obtained in step 4 and add the remaining fields as shown below.

    refresh_token

  8. Click Send. The renewed access token will be provided in the response.

Note: The refresh token can also expire. This value is shown in the Manage Access Tokens pop-up as refresh_expires_in.

Alternatively, you can also get a new access token by clicking on Get New Access Token in the Authorization tab.
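
The renewal logic above can also be scripted for an integration client. The following is an added example, not IFS code: it chooses between reusing the token, the refresh grant and a new client credentials grant based on expires_in and refresh_expires_in. The function names, the 30-second skew and the refresh form field names (taken from RFC 6749 section 6, assumed to match what IFS Cloud expects) are assumptions.

```python
import json
import urllib.parse
import urllib.request

SCOPE = "openid microprofile-jwt"  # scope entered in Step 3

def client_credentials_form(client_id, client_secret):
    """Form fields for a fresh token (same values as the Postman Authorization tab)."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPE}

def refresh_form(client_id, client_secret, refresh_token):
    """Form fields for renewal; names follow RFC 6749 section 6 (assumed to match IFS)."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}

class TokenState:
    """Absolute expiry times derived from expires_in / refresh_expires_in."""
    def __init__(self, response, now):
        self.access_token = response["access_token"]
        self.refresh_token = response.get("refresh_token")
        self.access_expiry = now + response["expires_in"]
        self.refresh_expiry = now + response.get("refresh_expires_in", 0)

def next_form(state, client_id, client_secret, now, skew=30):
    """Return None while the access token is usable, else the form to POST.

    skew (seconds) renews slightly early so a request is not sent with a
    token that expires in flight.
    """
    if state is not None:
        if now < state.access_expiry - skew:
            return None
        if state.refresh_token and now < state.refresh_expiry - skew:
            return refresh_form(client_id, client_secret, state.refresh_token)
    return client_credentials_form(client_id, client_secret)

def post_form(token_endpoint, form):
    """POST x-www-form-urlencoded fields to token_endpoint (from Step 2) over HTTPS."""
    if not token_endpoint.lower().startswith("https://"):
        raise ValueError("token endpoint must be HTTPS: the body carries the client secret")
    request = urllib.request.Request(
        token_endpoint, data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)
```

Load the client secret from a secret store or environment variable rather than source code, and keep the form and the token response out of logs.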
