Authentication
The allbok API secures its endpoints with the standard OAuth2 Client Credentials flow, implemented on Amazon's Cognito OAuth service. Your application first requests an access token with the correct scopes from the authentication server, and then sends that access token with every API call.
Authentication Servers
| Environment | URL |
|---|---|
| Test environment | https://api.auth.stage.boknett.cloud |
| Production | https://api.auth.api.boknett.cloud |
Create token
In order to create a token you need to get the following from Bokbasen:

- `client_id` (this is unique for your organisation)
- client secret (your passphrase)
- A list of the scopes available to you
The steps for the process are as follows:

1. Your app makes a `POST` request to https://api.auth.boknett.cloud/oauth2/token and specifies the following parameters:
   - `grant_type` – Set to `client_credentials`.
   - `client_id` – Your ID, provided by Bokbasen.
   - `scope` – A space-separated list of scopes to request for the generated access token.
2. In order to indicate that the app is authorised to make the request, the `Authorization` header for this request is set to `Basic BASE64(CLIENT_ID:CLIENT_SECRET)`, where `BASE64(CLIENT_ID:CLIENT_SECRET)` is the base64 representation of the app client ID and app client secret, concatenated with a colon (Basic Auth).
3. Bokbasen's Amazon Cognito authorisation server returns a JSON object with the following keys:
   - `access_token` – A valid user pool access token.
   - `expires_in` – The length of time (in seconds) that the provided access token is valid for.
   - `token_type` – Set to `Bearer`.
Note that, for this grant type, an ID token and a refresh token aren’t returned, so when the token expires you need to create a new one.
Example request using curl

```shell
curl -i -X POST --user 111bai87cqgflaoj6tlg6irj5q:e8s6tc0qqpgdddcmqem5i8jq44pgruu825p1o95sfbfbk -H 'Content-Type: application/x-www-form-urlencoded' -d 'scope=https://allbok.api.dev.boknett.cloud/library_integrators&grant_type=client_credentials&client_id=283bai87cqgflaoa6tlg6irj5q' 'https://api.auth.boknett.cloud/oauth2/token'
```
Example response

```json
{
  "access_token": "eyJraWQiOiIxZm0yZ3ZreVNVOGZjc081ME9leTlxblJvQTlIZEh2bTE0NjZmSThcL1EwVT0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIyODNiYWk4N2NxZ2ZsYW9hNnRsZzZpcmo1cSIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiaHR0cHM6XC9cL2FsbGJvay5hcGkuZGV2LmJva25ldHQuY2xvdWRcL2Z1bGxfYWNjZXNzIiwiYXV0aF90aW1lIjoxNTY5NTYyMDc2LCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb21cL2V1LXdlc3QtMV8yalNEb1J5ZGsiLCJleHAiOjE1Njk1NjU2NzYsImlhdCI6MTU2OTU2MjA3NiwidmVyc2lvbiI6MiwianRpIjoiZTdlNDY2MjMtODg3MC00NjNlLTkzY2ItYWZmZGIxZjk2OTc3IiwiY2xpZW50X2lkIjoiMjgzYmFpODdjcWdmbGFvYTZ0bGc2aXJqNXEifQ.VwUUbf7TiZsB24IqSPzLDaIXC42p4ViZGPFnbh0QIrLbYPbr0J8dpRwqcoGfeJeovwBLcbJwC0eeHazuZD_eVxVsUGrGTVCB5KLKdlbOodpNc0qEH2I9dSdEKV2ppT-7ggs1s2u9uOsZTHEREmPL2_yfZ2U_-yZ5F12kViaCLWdY8AZkwUUNaZDpeP0_DzssbbeJoRQsfU7nrapxF0vS6sUh4wI6E9enrDSQpheTjheooBSNZyNTP82maygGZ73S3XcVS1HsaEomcZ_EzQ0nN8qVUMbEm9HsNjMTcI2GRr_ppboi-NfxYuFjM9Ifqe6OzKw8zlgK9auegaWpSLDATw",
  "expires_in": 3600,
  "token_type": "Bearer"
}
```
Using the Token
When calling any API endpoint you send the `access_token` in the `Authorization` header:

```
Authorization: eyJraWQiOiIxZm0yZ3ZreVNVOGZjc081ME9leTlxblJvQTlIZEh2bTE0NjZmSThcL1EwVT0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIyODNiYWk4N2NxZ2ZsYW9hNnRsZzZpcmo1cSIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiaHR0cHM6XC9cL2FsbGJvay5hcGkuZGV2LmJva25ldHQuY2xvdWRcL2Z1bGxfYWNjZXNzIiwiYXV0aF90aW1lIjoxNTY5NTYyMDc2LCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb21cL2V1LXdlc3QtMV8yalNEb1J5ZGsiLCJleHAiOjE1Njk1NjU2NzYsImlhdCI6MTU2OTU2MjA3NiwidmVyc2lvbiI6MiwianRpIjoiZTdlNDY2MjMtODg3MC00NjNlLTkzY2ItYWZmZGIxZjk2OTc3IiwiY2xpZW50X2lkIjoiMjgzYmFpODdjcWdmbGFvYTZ0bGc2aXJqNXEifQ.VwUUbf7TiZsB24IqSPzLDaIXC42p4ViZGPFnbh0QIrLbYPbr0J8dpRwqcoGfeJeovwBLcbJwC0eeHazuZD_eVxVsUGrGTVCB5KLKdlbOodpNc0qEH2I9dSdEKV2ppT-7ggs1s2u9uOsZTHEREmPL2_yfZ2U_-yZ5F12kViaCLWdY8AZkwUUNaZDpeP0_DzssbbeJoRQsfU7nrapxF0vS6sUh4wI6E9enrDSQpheTjheooBSNZyNTP82maygGZ73S3XcVS1HsaEomcZ_EzQ0nN8qVUMbEm9HsNjMTcI2GRr_ppboi-NfxYuFjM9Ifqe6OzKw8zlgK9auegaWpSLDATw
```
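The following Python client ties the two sections together: it builds the `Basic BASE64(CLIENT_ID:CLIENT_SECRET)` header and the form body described under "Create token", parses the JSON response, and, because this grant returns no refresh token, caches the access token and requests a fresh one shortly before `expires_in` runs out, then emits the `Authorization` header as shown under "Using the Token". This is an added example and not Bokbasen's own code. The client ID, secret, the `TokenCache` class and the injectable `post`/`clock` hooks are assumptions made here; the token endpoint URL and the scope are the ones printed on this page. The built-in `urllib_post` performs a real request; the `fake_post` used in `main()` is a constructed stand-in so the example runs offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Token endpoint from the page; the test/production hosts in the table differ.
TOKEN_URL = "https://api.auth.boknett.cloud/oauth2/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Return 'Basic ' + base64(CLIENT_ID:CLIENT_SECRET) as the page describes."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, client_secret: str, scopes: list) -> tuple:
    """Headers and form-encoded body for the client_credentials POST."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": " ".join(scopes),  # space-separated list of scopes
    })
    return headers, body


def urllib_post(url: str, headers: dict, body: str) -> tuple:
    """Real HTTP transport: returns (status, response_text)."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


class TokenCache:
    """Holds one access token and re-requests it before it expires.

    No refresh token is issued for this grant, so a new token is simply
    created when the cached one is within `margin` seconds of expiry.
    """

    def __init__(self, client_id, client_secret, scopes, post=urllib_post,
                 clock=time.time, token_url=TOKEN_URL, margin=60):
        self.client_id, self.client_secret, self.scopes = client_id, client_secret, list(scopes)
        self.post, self.clock, self.token_url, self.margin = post, clock, token_url, margin
        self._token = None
        self._expires_at = 0.0

    def _refresh(self, now: float) -> None:
        headers, body = build_token_request(self.client_id, self.client_secret, self.scopes)
        status, text = self.post(self.token_url, headers, body)
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        data = json.loads(text)
        if data.get("token_type") != "Bearer" or "access_token" not in data:
            raise RuntimeError("unexpected token response shape")
        self._token = data["access_token"]
        # expires_in is in seconds; anchor to our own clock, not the server's.
        self._expires_at = now + int(data["expires_in"])

    def get(self) -> str:
        """Return a token that is valid for at least `margin` more seconds."""
        now = self.clock()
        if self._token is None or now >= self._expires_at - self.margin:
            self._refresh(now)
        return self._token

    def auth_header(self) -> dict:
        # The page sends the raw access_token as the Authorization value.
        return {"Authorization": self.get()}


def make_fake_post(calls: list):
    """Constructed offline transport: records each request, returns a fresh token."""
    def fake_post(url, headers, body):
        calls.append((url, headers, body))
        return 200, json.dumps({"access_token": f"tok{len(calls)}",
                                "expires_in": 3600, "token_type": "Bearer"})
    return fake_post


def main():
    calls = []
    cache = TokenCache("example-client-id", "example-secret",  # constructed values
                       ["https://allbok.api.dev.boknett.cloud/library_integrators"],
                       post=make_fake_post(calls))
    print(cache.auth_header())       # first call fetches tok1
    print(cache.auth_header())       # served from cache, still tok1
    print(f"{len(calls)} token request(s) made")


if __name__ == "__main__":
    main()
```

Anchoring the expiry to the client's own clock at request time, rather than to the `exp` claim inside the JWT, keeps the cache correct even when the client's clock is skewed relative to Cognito; the `margin` avoids sending a token that expires while the API call is in flight.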