Authentication

The allbok API uses the standard OAuth2 Client Credentials flow (via Amazon's Cognito OAuth service) to secure its APIs: you first obtain an access token with the correct scopes from the auth service, then present that access token when calling the APIs.

Authentication Servers

Environment        URL
Test environment   https://api.auth.stage.boknett.cloud
Production         https://api.auth.api.boknett.cloud

Create token

In order to create a token you need to get the following from Bokbasen:

  • client_id (this is unique for your organisation)

  • client secret (your passphrase)

  • The list of scopes available to you


The steps for the process are as follows:

  1. Your app makes a POST request to https://api.auth.boknett.cloud/oauth2/token and specifies the following parameters:

    • grant_type – Set to “client_credentials”.

    • client_id – Your ID, provided by Bokbasen.

    • scope – A space-separated list of scopes to request for the generated access token.

    To show that the app is authorised to make the request, the Authorization header of this request is set to “Basic BASE64(CLIENT_ID:CLIENT_SECRET)”, where BASE64(CLIENT_ID:CLIENT_SECRET) is the base64 encoding of the app client ID and app client secret, concatenated with a colon (HTTP Basic Auth).

  2. Bokbasen’s Amazon Cognito authorisation server returns a JSON object with the following keys:

    • access_token – A valid user pool access token.

    • expires_in – The length of time (in seconds) that the provided access token is valid for.

    • token_type – Set to “Bearer”.

    Note that, for this grant type, an ID token and a refresh token aren’t returned, so when the token expires you need to create a new one.


Example request using curl

curl -i -X POST \
  --user 111bai87cqgflaoj6tlg6irj5q:e8s6tc0qqpgdddcmqem5i8jq44pgruu825p1o95sfbfbk \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'scope=https://allbok.api.dev.boknett.cloud/library_integrators&grant_type=client_credentials&client_id=283bai87cqgflaoa6tlg6irj5q' \
  'https://api.auth.boknett.cloud/oauth2/token'


Example response

{ "access_token": "eyJraWQiOiIxZm0yZ3ZreVNVOGZjc081ME9leTlxblJvQTlIZEh2bTE0NjZmSThcL1EwVT0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIyODNiYWk4N2NxZ2ZsYW9hNnRsZzZpcmo1cSIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiaHR0cHM6XC9cL2FsbGJvay5hcGkuZGV2LmJva25ldHQuY2xvdWRcL2Z1bGxfYWNjZXNzIiwiYXV0aF90aW1lIjoxNTY5NTYyMDc2LCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb21cL2V1LXdlc3QtMV8yalNEb1J5ZGsiLCJleHAiOjE1Njk1NjU2NzYsImlhdCI6MTU2OTU2MjA3NiwidmVyc2lvbiI6MiwianRpIjoiZTdlNDY2MjMtODg3MC00NjNlLTkzY2ItYWZmZGIxZjk2OTc3IiwiY2xpZW50X2lkIjoiMjgzYmFpODdjcWdmbGFvYTZ0bGc2aXJqNXEifQ.VwUUbf7TiZsB24IqSPzLDaIXC42p4ViZGPFnbh0QIrLbYPbr0J8dpRwqcoGfeJeovwBLcbJwC0eeHazuZD_eVxVsUGrGTVCB5KLKdlbOodpNc0qEH2I9dSdEKV2ppT-7ggs1s2u9uOsZTHEREmPL2_yfZ2U_-yZ5F12kViaCLWdY8AZkwUUNaZDpeP0_DzssbbeJoRQsfU7nrapxF0vS6sUh4wI6E9enrDSQpheTjheooBSNZyNTP82maygGZ73S3XcVS1HsaEomcZ_EzQ0nN8qVUMbEm9HsNjMTcI2GRr_ppboi-NfxYuFjM9Ifqe6OzKw8zlgK9auegaWpSLDATw", "expires_in": 3600, "token_type": "Bearer" }

Using the Token

When calling any API endpoint you send the access_token in the Authorization header:

Authorization: eyJraWQiOiIxZm0yZ3ZreVNVOGZjc081ME9leTlxblJvQTlIZEh2bTE0NjZmSThcL1EwVT0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIyODNiYWk4N2NxZ2ZsYW9hNnRsZzZpcmo1cSIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiaHR0cHM6XC9cL2FsbGJvay5hcGkuZGV2LmJva25ldHQuY2xvdWRcL2Z1bGxfYWNjZXNzIiwiYXV0aF90aW1lIjoxNTY5NTYyMDc2LCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb21cL2V1LXdlc3QtMV8yalNEb1J5ZGsiLCJleHAiOjE1Njk1NjU2NzYsImlhdCI6MTU2OTU2MjA3NiwidmVyc2lvbiI6MiwianRpIjoiZTdlNDY2MjMtODg3MC00NjNlLTkzY2ItYWZmZGIxZjk2OTc3IiwiY2xpZW50X2lkIjoiMjgzYmFpODdjcWdmbGFvYTZ0bGc2aXJqNXEifQ.VwUUbf7TiZsB24IqSPzLDaIXC42p4ViZGPFnbh0QIrLbYPbr0J8dpRwqcoGfeJeovwBLcbJwC0eeHazuZD_eVxVsUGrGTVCB5KLKdlbOodpNc0qEH2I9dSdEKV2ppT-7ggs1s2u9uOsZTHEREmPL2_yfZ2U_-yZ5F12kViaCLWdY8AZkwUUNaZDpeP0_DzssbbeJoRQsfU7nrapxF0vS6sUh4wI6E9enrDSQpheTjheooBSNZyNTP82maygGZ73S3XcVS1HsaEomcZ_EzQ0nN8qVUMbEm9HsNjMTcI2GRr_ppboi-NfxYuFjM9Ifqe6OzKw8zlgK9auegaWpSLDATw
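The token creation steps and the "Using the Token" section above, put together as a small Python client. This is an added example and not Bokbasen's own client code: it builds the Basic header from client_id:client_secret, sends the form-encoded grant_type/client_id/scope body, validates the JSON the authorisation server returns, caches the access token and re-creates it shortly before expires_in runs out (the grant returns no refresh token), and sends the raw access_token in the Authorization header exactly as shown above. The token URL is the one from step 1; the client ID, secret, scope and token values used in the offline demo are constructed placeholders, and the renewal margin (skew) is an assumed choice.

```python
"""Client-credentials helper for the allbok API (added example, not Bokbasen's code).
Credential and token values in offline_demo() are constructed placeholders."""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.auth.boknett.cloud/oauth2/token"  # endpoint named in step 1


def basic_auth_header(client_id, client_secret):
    """'Basic BASE64(CLIENT_ID:CLIENT_SECRET)' as step 1 specifies."""
    raw = "{}:{}".format(client_id, client_secret).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request_body(client_id, scopes):
    """x-www-form-urlencoded body: grant_type, client_id and a space-separated scope list."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": " ".join(scopes),
    })


def parse_token_response(body, now):
    """Check the keys step 2 promises (access_token, expires_in, token_type) and turn the
    relative expires_in into an absolute expiry time. Anything else is rejected."""
    data = json.loads(body)
    token = data.get("access_token")
    ttl = data.get("expires_in")
    if not isinstance(token, str) or not token:
        raise ValueError("token response has no access_token")
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type %r" % (data.get("token_type"),))
    if isinstance(ttl, bool) or not isinstance(ttl, (int, float)) or ttl <= 0:
        raise ValueError("token response has no positive expires_in")
    return {"access_token": token, "expires_at": now + float(ttl)}


class TokenCache:
    """Holds one access token and creates a new one a little before it expires,
    because this grant type returns no refresh token."""

    def __init__(self, fetch, skew=60.0):
        self._fetch = fetch      # callable(now) -> dict from parse_token_response
        self._skew = skew        # renew this many seconds early (assumed margin)
        self._current = None
        self.fetch_count = 0     # how many tokens have been created

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._current is None or now >= self._current["expires_at"] - self._skew:
            self._current = self._fetch(now)
            self.fetch_count += 1
        return self._current["access_token"]


def fetch_token_over_http(client_id, client_secret, scopes):
    """The real network call, equivalent to the curl example (not used offline)."""
    req = urllib.request.Request(
        TOKEN_URL,
        data=token_request_body(client_id, scopes).encode("ascii"),
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode("utf-8"), time.time())


def api_headers(access_token):
    """Header for API calls as the page shows it: the raw access_token value."""
    return {"Authorization": access_token}


def offline_demo():
    """Exercise the cache with a constructed server response instead of the network."""
    constructed_response = '{"access_token": "tok", "expires_in": 3600, "token_type": "Bearer"}'

    def fake_fetch(now):
        return parse_token_response(constructed_response, now)

    cache = TokenCache(fake_fetch, skew=60.0)
    first = cache.get(now=0.0)          # creates the token
    cache.get(now=3000.0)               # still valid, reused
    cache.get(now=3540.0)               # inside the 60 s margin, re-created
    return {"token": first, "fetches": cache.fetch_count,
            "headers": api_headers(first)}


if __name__ == "__main__":
    print(offline_demo())
```

To use it against the real endpoint, wrap fetch_token_over_http in a lambda that ignores the `now` argument and pass that to TokenCache; every API call then takes api_headers(cache.get()). Validating token_type and expires_in before caching means a malformed or error response can never be stored as if it were a token.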