Obtaining Access Tokens Using Client Credentials Flow
Authenticate client applications using Client Credentials flow and get access tokens for Raidiam API access.
Prerequisites
- Active and valid Application (Software Statement)
- Active Transport Certificate. If not yet added, see Add Certificates for Organisation (applies to an organisation or an application).
- Active Signing Certificate, together with its public and private key pair, if your application uses the private_key_jwt client authentication method. If not yet added, see Add Certificates for your organisation or application.
Add .well-known to Application Configuration
Add Raidiam's Authorisation Server /.well-known endpoint to your OAuth library configuration. Your OAuth library should be able to fetch the server's configuration from it.
Sample /.well-known: https://auth.sandbox.raidiam.io/.well-known/openid-configuration
The /.well-known endpoint contains all the information about the Authorisation Server you need to integrate with it and get access tokens, for example:
- the OAuth Token Endpoint - for clients authenticating themselves using the private_key_jwt method:
"token_endpoint": "https://auth.sandbox.raidiam.io/token"
- mTLS Endpoint Aliases - for clients authenticating themselves using the tls_client_auth method:
"mtls_endpoint_aliases": {
"token_endpoint": "https://matls-auth.sandbox.raidiam.io/token",
"revocation_endpoint": "https://matls-auth.sandbox.raidiam.io/token/revocation",
"introspection_endpoint": "https://matls-auth.sandbox.raidiam.io/token/introspection",
"device_authorization_endpoint": "https://matls-auth.sandbox.raidiam.io/device/auth",
"registration_endpoint": "https://matls-auth.sandbox.raidiam.io/reg",
"userinfo_endpoint": "https://matls-auth.sandbox.raidiam.io/me",
"pushed_authorization_request_endpoint": "https://matls-auth.sandbox.raidiam.io/request",
"backchannel_authentication_endpoint": "https://matls-auth.sandbox.raidiam.io/backchannel"
}
Add Transport Certificate to Application Configuration
Download the Transport Certificate for your organisation or application and add it to your OAuth library client's configuration.
The Transport Certificate is used in mutual Transport Layer Security (mTLS) to establish a secure connection between your client and the authorisation server.
Your OAuth client library should be capable of verifying the authorisation server's certificate.
If you are using cURL to test the integration, you can disable checking the server's certificate using the -k flag or --insecure option; keep this to local testing, since a client that skips server verification cannot tell the authorisation server from an intermediary.
Get Token
Call Raidiam's OAuth /token endpoint to authenticate your client.
Use the client authentication method configured for your client:
- tls_client_auth - Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705). If you're using the tls_client_auth method, remember to use the mTLS endpoint aliases instead of the regular OAuth token endpoint.
- private_key_jwt - Assertion Framework for OAuth 2.0 Client Authentication (RFC 7521)
# tls_client_auth request: {base_url} is the mTLS alias host (matls-auth.sandbox.raidiam.io in the sandbox)
curl --location --request POST 'https://{base_url}/token' \
--cert /path/to/your/certificate.pem \
--key /path/to/your/private.key \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'scope=directory:software'
Upon successful validation of the request, the authorisation server issues and returns an access token in the form of a JWT, signed using the algorithm configured for your client (Applications > your application > Advanced Configuration > Token Signed Response Algorithm ID).
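The following is an added example, not Raidiam's own code or SDK. It shows the two decisions the steps above turn on: picking the token endpoint that matches the client authentication method (the mTLS alias for tls_client_auth, the regular endpoint for private_key_jwt) and assembling the request body, including the signed client assertion a private_key_jwt client sends. The discovery excerpt is constructed from the values shown on this page; the `signer` callable, the `kid` value and the `post_token_request` helper are assumptions, and wiring the signer to your Signing Certificate's private key with a crypto library is left to you.

```python
"""Client Credentials helpers for a Raidiam-style authorisation server.

Added example (not Raidiam's code). Only endpoint selection and request-body
assembly are exercised offline; the HTTPS call is a plain urllib request over mTLS.
"""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request
import uuid
from typing import Callable, Dict, Optional

# Constructed excerpt of the sandbox /.well-known document (values from this page).
DISCOVERY = {
    "token_endpoint": "https://auth.sandbox.raidiam.io/token",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://matls-auth.sandbox.raidiam.io/token",
    },
}

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def token_endpoint_for(discovery: dict, auth_method: str) -> str:
    """Pick the token endpoint that matches the client authentication method.

    tls_client_auth clients must call the mTLS alias: the regular endpoint does not
    request a client certificate, so there is nothing there to authenticate with.
    """
    if auth_method == "tls_client_auth":
        aliases = discovery.get("mtls_endpoint_aliases", {})
        if "token_endpoint" not in aliases:
            raise ValueError("discovery document has no mTLS alias for token_endpoint")
        return aliases["token_endpoint"]
    if auth_method == "private_key_jwt":
        return discovery["token_endpoint"]
    raise ValueError(f"unsupported client authentication method: {auth_method}")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_client_assertion(client_id: str, token_endpoint: str, kid: str,
                           signer: Callable[[bytes], bytes], alg: str = "PS256",
                           now: Optional[int] = None, lifetime: int = 60) -> str:
    """Build the JWT sent as client_assertion by a private_key_jwt client (RFC 7523).

    `signer` (assumed) signs the JWS signing input with the Signing Certificate's
    private key using `alg`; `kid` (assumed) identifies that key in the client JWKS.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": token_endpoint,        # audience is the token endpoint being called
        "iat": now,
        "exp": now + lifetime,        # short lifetime bounds the replay window
        "jti": str(uuid.uuid4()),     # unique per assertion
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def client_credentials_body(client_id: str, scope: str, auth_method: str,
                            client_assertion: Optional[str] = None) -> Dict[str, str]:
    """Form parameters for grant_type=client_credentials under each auth method."""
    body = {"grant_type": "client_credentials", "scope": scope}
    if auth_method == "tls_client_auth":
        body["client_id"] = client_id  # identity is proven by the mTLS certificate
    elif auth_method == "private_key_jwt":
        if not client_assertion:
            raise ValueError("private_key_jwt requires a client_assertion")
        body["client_assertion_type"] = ASSERTION_TYPE
        body["client_assertion"] = client_assertion
    else:
        raise ValueError(f"unsupported client authentication method: {auth_method}")
    return body


def decode_claims(jwt: str) -> dict:
    """Decode a compact JWT payload without verifying it (inspection only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def post_token_request(endpoint: str, body: Dict[str, str],
                       cert_path: str, key_path: str) -> dict:
    """POST the form over mTLS; assumed helper, not run offline."""
    ctx = ssl.create_default_context()        # verifies the server certificate (no -k)
    ctx.load_cert_chain(cert_path, key_path)  # presents the Transport Certificate
    req = urllib.request.Request(
        endpoint, data=urllib.parse.urlencode(body).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)
```

A private_key_jwt client still presents its Transport Certificate on the connection (the access token it receives is bound to it), so `post_token_request` loads the certificate chain for both methods; only the endpoint and the body differ.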
Call Raidiam's APIs
Call Raidiam's APIs using the access token you got from the authorisation server.
By default, applications are configured to receive Certificate Bound Access Tokens: information about the certificate used to get the token is included in the token itself and verified by Raidiam's Resource Server (APIs).
Make sure to use the same certificate across all mTLS connections with the authorisation server and Raidiam's APIs; a token presented over a connection using a different certificate will be rejected.