
Authentication and Authorization

Introduction

The OAuth 2.0 client credentials grant flow is the preferred way to authenticate integration scenarios in IFS Cloud. The flow validates the application credentials (the client ID and the client secret) and, on successful authentication, provides an access token and a refresh token. The access token is then sent with API calls to obtain the relevant data in the API responses.


The client credentials flow is used where no graphical end-user application is involved. Instead, the application is authenticated non-interactively against the token endpoint.

Steps to Set Up a Client Credentials Flow

  1. To authenticate a client, obtain its client ID and client secret.

To set up a client registration that can use the client credentials flow, the following must be true:

  • The client must be a confidential client so that a client secret exists.
  • The client must be set up to allow direct access grants. This enables all the flows that bypass the authorization endpoint.
  • The client must be set up to have service accounts enabled and a service account associated with it. This enables client credentials flow.

For a practical example, see here.

  2. Obtain the token endpoint from the APIDoc in IFS Cloud.

For a practical example, see here.

  3. Get a new access token. The Authorization tab in Postman can be used to generate one.

The following parameters are used to perform a token request:

  • Grant Type: The value is always client_credentials, denoting that the client credentials flow is used.
  • Access Token URL: The same as the token_endpoint obtained in the previous step.
  • Client ID: The client name of the IAM client created in IFS Cloud.
  • Client Secret: Generated automatically when an IAM client is created; it can also be regenerated in IFS Cloud.
  • Scope: The same scopes you would send to the authorization endpoint in the Authorization Code flow.

For a practical example, see here.
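The same token request that Postman performs in step 3, written out as an added Python example (it is not IFS documentation code and uses only the standard library). The token endpoint URL, client ID, client secret and scope are placeholders to be replaced with the values from your own IAM client and APIDoc; the example assumes the token endpoint accepts client authentication as an HTTP Basic header (client_secret_basic, which is Postman's default) with the grant type and scope in the form-encoded body, and that an error is reported as a JSON body with an "error" field, as the OAuth 2.0 specification describes.

```python
"""Client credentials token request against an OAuth 2.0 token endpoint.

Added example, not IFS documentation code. All credentials and URLs below
are placeholders; substitute the token_endpoint from the APIDoc and the
client ID / secret of your IAM client.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder values (assumed, not real IFS Cloud values).
TOKEN_ENDPOINT = "https://ifs-cloud.example.invalid/auth/realms/example/protocol/openid-connect/token"
CLIENT_ID = "my-integration-client"
CLIENT_SECRET = "REPLACE_WITH_CLIENT_SECRET"
SCOPE = "openid microprofile-jwt"


def build_token_request(token_endpoint, client_id, client_secret, scope):
    """Return (url, headers, body) for a client_credentials token request.

    The client authenticates with an HTTP Basic header (client_secret_basic);
    grant_type and scope travel in the application/x-www-form-urlencoded body.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_endpoint, headers, body


def parse_token_response(raw_json):
    """Validate a token-endpoint JSON response and return the useful fields.

    Raises RuntimeError on an OAuth error response or a malformed success
    response, so a caller never proceeds with a missing or non-bearer token.
    """
    data = json.loads(raw_json)
    if "error" in data:
        raise RuntimeError(
            f"token request failed: {data['error']}: {data.get('error_description', '')}"
        )
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise RuntimeError("unexpected token response: no bearer access_token")
    return {
        "access_token": data["access_token"],
        "expires_in": int(data.get("expires_in", 0)),
        # Present only if the server issues one for this grant.
        "refresh_token": data.get("refresh_token"),
    }


def request_access_token(token_endpoint, client_id, client_secret, scope):
    """POST the token request and return the parsed token fields."""
    url, headers, body = build_token_request(token_endpoint, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read().decode()
    except urllib.error.HTTPError as exc:
        # A 400/401 still carries the OAuth error JSON in its body.
        raw = exc.read().decode()
    return parse_token_response(raw)


def bearer_headers(access_token):
    """Headers for a subsequent API call that presents the access token."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


if __name__ == "__main__":
    token = request_access_token(TOKEN_ENDPOINT, CLIENT_ID, CLIENT_SECRET, SCOPE)
    print(f"access token valid for {token['expires_in']} s")
    print(bearer_headers(token["access_token"]))
```

The secret is read into the Basic header rather than placed in the URL, so it never appears in request logs or browser history; keep it out of source control and load it from a secret store in production. The parser refuses to hand back a token unless the response is a bearer token, which turns a misconfigured client (for example, one without a service account, where the server answers with an error body) into a clear failure rather than an empty Authorization header on the next call.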