Authentication Service
This is the new way of authentication when using Bokbasen's APIs
These services are using this new authentication:
Onix Export API
Object Export API
Onix Import API
Object Import API
DDS API
Bokskya API
Order API
All services requires the client to include a token, acquired from the authentication service. The token will be valid for a limited period of time, but valid for all requests during that time interval. So this is done in two steps:
Authenticate to get a token
Call resource with the token as a header (cache/re-use token as long at is is still valid)
The process uses the Client Credentials Flow (defined in OAuth 2.0), where clientId + clientSecret is used to get an access-token.
Login
URL |
| |
|---|---|---|
Method |
| |
Header |
|
|
Request payload |
| <Your provided clientId> |
| <Your provided clientSecret> | |
| <Your desired audience / dependent on API> | |
|
| |
Response (JSON) |
| Use this token in the header of API-calls |
| Seconds until token will expire | |
|
| |
Returns | 200 | OK |
401 | Unauthorized (might be missing som attributes, or wrong clientId/Secret) | |
403 | Forbidden (might not have access to the given | |
Sample usage - Login
To get a token you have to indicate what audience (what service) you want a token for. See https://bokbasen.jira.com/wiki/spaces/api/pages/3202547747. Here is an example:
Example with json
curl -X POST https://auth.bokbasen.io/oauth/token \
-H 'content-type: application/json' \
-d '{
"client_id":"YOUR-CLIENT-ID",
"client_secret":"YOUR-CLIENT-SECRET",
"audience":"https://api.bokbasen.io/metadata/",
"grant_type":"client_credentials"
}'Example with x-www-form-urlencoded
curl -X POST https://auth.bokbasen.io/oauth/token \
-H 'content-type: application/x-www-form-urlencoded' \
--data-urlencode client_id=YOUR-CLIENT-ID \
--data-urlencode client_secret=YOUR-CLIENT-SECRET \
--data-urlencode audience=https://api.bokbasen.io/metadata/ \
--data-urlencode grant_type=client_credentialsA successful result will be something like this:
{
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ikd6Vk4wZ044S0pybDBKSWJqSHZhcSJ9.eyJodHRwczovL2Jva2Jhc2VuLmlvL21ldGFkYXRhIjp7fSwiaXNzIjoiaHR0cHM6Ly9sb2dpbi5kZXYuYm9rYmFzZW4uaW8vIiwic3ViIjoiYldReU1IbEJqTGI5TVFCaGVsUFo2emhtYWozdGV0UmJAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vYXBpLmRldi5ib2tiYXNlbi5pby9hcnRpY2xlLyIsImlhdCI6MTY4NDk5NDQ4OSwiZXhwIjoxNjg1MDgwODg5LCJhenAiOiJiV1F5TUhsQmpMYjlNUUJoZWxQWjZ6aG1hajN0ZXRSYiIsImd0eSI6ImNsaWVudC1jcmVkZW50aWFscyIsInBlcm1pc3Npb25zIjpbXX0.TtqnUwmaaUIQ_qV4VPNobVc9vhbzmeKe_w3zOZtkTp1fgF3SXGsL9NMpTgF1CDpMsLVSA7liKSogwR3bsE_-AV7Dki4PK8upx_YKWvcHno6OzdBKErKGf2ftgeRrChUFcaMjkgOXf5BFAaHu5EyR3yZr1zYO0AV4eu4tTRznGBo9Bi-fTAlC95R0VqAOvZINMZbHbG7jQBvfyL9EvleoB1vN7bMjcNHXQ_SkEMU0q58N7CmGPbPuevE40KwXsxghgXiSzOeHO3rDdYzK04tXbmKwIYVgWHIb21KILZbQGoyxj7wkbXoFehcqtQWxn5j25BN5aKwXXzS6hNE54b062g",
"expires_in":86400,
"token_type":"Bearer"
}Sample usage - Calling other API
When access_token has been fetched, we can call other APIs (corresponding to the audience used):
Change to how Authorization-header is constructed
No longer use Authorization: Boknett TGT-...
Instead use:
Authorization: Bearer <access_token_here>
Token expiration
We are optimizing when new tokens are generated and therefore you will see that expires_in will change dynamically through out the day. We are then serving you cached access_token while it is valid (we will not give you a token with less than 10 minutes left).
Caching token
If you want to reduce number of needed calls, we encourage you to cache it, just look at the expires_in (seconds) or look at exp in the payload-part of the JWT-token (right before you do the API-call).
Note that expires_in is dynamic and will just show number of seconds until the token is no longer valid.
Environments
PROD |
|
|---|---|
TEST |
|