Authentication Service
This is the new way of authentication when using Bokbasen's APIs
These services are using this new authentication:
Onix Export API
Object Export API
Onix Import API
Object Import API
Marc Export API
Description Export API
DDS API
Bokskya API
Order API
Innkjøpsposter API
All services requires the client to include a token, acquired from the authentication service. The token will be valid for a limited period of time, but valid for all requests during that time interval. So this is done in two steps:
Authenticate to get a token
Call resource with the token as a header (cache/re-use token as long at is is still valid)
The process uses the Client Credentials Flow (defined in OAuth 2.0), where clientId + clientSecret is used to get an access-token.
Login
URL |
| |
---|---|---|
Method |
| |
Header |
|
|
Request payload |
| <Your provided clientId> |
| <Your provided clientSecret> | |
| <Your desired audience / dependent on API> | |
|
| |
Response (JSON) |
| Use this token in the header of API-calls |
| Seconds until token will expire | |
|
| |
Returns | 200 | OK |
401 | Unauthorized (might be missing som attributes, or wrong clientId/Secret) | |
403 | Forbidden (might not have access to the given |
Sample usage - Login
To get a token you have to indicate what audience (what service) you want a token for. See https://bokbasen.jira.com/wiki/spaces/api/pages/3202547747. Here is an example:
Example with json
curl -X POST https://auth.bokbasen.io/oauth/token \
-H 'content-type: application/json' \
-d '{
"client_id":"YOUR-CLIENT-ID",
"client_secret":"YOUR-CLIENT-SECRET",
"audience":"https://api.bokbasen.io/metadata/",
"grant_type":"client_credentials"
}'
Example with x-www-form-urlencoded
curl -X POST https://auth.bokbasen.io/oauth/token \
-H 'content-type: application/x-www-form-urlencoded' \
--data-urlencode client_id=YOUR-CLIENT-ID \
--data-urlencode client_secret=YOUR-CLIENT-SECRET \
--data-urlencode audience=https://api.bokbasen.io/metadata/ \
--data-urlencode grant_type=client_credentials
A successful result will be something like this:
{
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ikd6Vk4wZ044S0pybDBKSWJqSHZhcSJ9.eyJodHRwczovL2Jva2Jhc2VuLmlvL21ldGFkYXRhIjp7fSwiaXNzIjoiaHR0cHM6Ly9sb2dpbi5kZXYuYm9rYmFzZW4uaW8vIiwic3ViIjoiYldReU1IbEJqTGI5TVFCaGVsUFo2emhtYWozdGV0UmJAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vYXBpLmRldi5ib2tiYXNlbi5pby9hcnRpY2xlLyIsImlhdCI6MTY4NDk5NDQ4OSwiZXhwIjoxNjg1MDgwODg5LCJhenAiOiJiV1F5TUhsQmpMYjlNUUJoZWxQWjZ6aG1hajN0ZXRSYiIsImd0eSI6ImNsaWVudC1jcmVkZW50aWFscyIsInBlcm1pc3Npb25zIjpbXX0.TtqnUwmaaUIQ_qV4VPNobVc9vhbzmeKe_w3zOZtkTp1fgF3SXGsL9NMpTgF1CDpMsLVSA7liKSogwR3bsE_-AV7Dki4PK8upx_YKWvcHno6OzdBKErKGf2ftgeRrChUFcaMjkgOXf5BFAaHu5EyR3yZr1zYO0AV4eu4tTRznGBo9Bi-fTAlC95R0VqAOvZINMZbHbG7jQBvfyL9EvleoB1vN7bMjcNHXQ_SkEMU0q58N7CmGPbPuevE40KwXsxghgXiSzOeHO3rDdYzK04tXbmKwIYVgWHIb21KILZbQGoyxj7wkbXoFehcqtQWxn5j25BN5aKwXXzS6hNE54b062g",
"expires_in":86400,
"token_type":"Bearer"
}
Sample usage - Calling other API
When access_token
has been fetched, we can call other APIs (corresponding to the audience
used):
Change to how Authorization
-header is constructed
No longer use Authorization: Boknett TGT-...
Instead use:
Authorization: Bearer <access_token_here>
Token expiration
We are optimizing when new tokens are generated and therefore you will see that expires_in
will change dynamically through out the day. We are then serving you cached access_token
while it is valid (we will not give you a token with less than 10 minutes left).
Caching token
If you want to reduce number of needed calls, we encourage you to cache it, just look at the expires_in
(seconds) or look at exp
in the payload-part of the JWT-token (right before you do the API-call).
Note that expires_in
is dynamic and will just show number of seconds until the token is no longer valid.
Environments
PROD |
|
---|---|
TEST |
|