Machine to Machine
A service (also called a machine) is a non-human program that may request an access token from Crossid in order to authenticate to other services.
A good example is a microservice or a scheduled job that requires access to a protected REST API.
This how-to explains how to perform authentication programmatically, with no user interaction, so a service could access some API.
Create a service account
A service account is a user intended to be used by services rather than people.
Let's create a service account that will be granted privileges to access our API.
Console:
- In Admin console, navigate to Directory → Service Accounts.
- Open the Actions dropdown and click Add.
- Follow the modal (don't forget to make the account active).
Curl:
curl -X POST \
-H "Authorization: Bearer <API_TOKEN>" \
-d '
{
"userName": "periodicCleanup",
"displayName": "Periodic Cleanup Account",
"active": true
}
' https://{tenant}.crossid.io/api/v1/resources/cid/ServiceAccount?reason=add-user
Machine to Machine
This machine to machine integration lets our service account authenticate via OAuth2.
Console:
- In Admin console, navigate to Marketplace → Machine to Machine.
- Click the Add Integration button.
- Follow the wizard.
Copy the Client ID and Client Secret for the next steps.
Create an API integration
Let's create an API that our service should access.
Console:
- In Admin console, navigate to Marketplace → API.
- Click the Add Integration button.
- Follow the wizard.
Grant Access
We have to grant our service account access to the API.
Authenticate
At this point, we have a service account that has write grants to access our API app. Let's authenticate.
- Replace <client_id> with the ID from step 2
- Replace <client_secret> with the Secret from step 2
curl -X POST https://{tenant}.crossid.io/oauth2/token \
-F grant_type=client_credentials \
-F client_id=<client_id> \
-F client_secret=<client_secret> \
-F scope='write'
Output:
{
"access_token": "eyJhbGciOiJSUzI1NiIsImt...",
"expires_in": 3599,
"refresh_expires_in": 2592000000000000,
"scope": "write",
"token_type": "bearer"
}
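How a service might consume this response, as an added example that is not part of the original how-to or Crossid's own code: it caches the token, renews it shortly before expires_in elapses, and refuses a response whose token_type or scope is not what was requested. The names ServiceToken and post_form and the 60 second renewal margin are hypothetical, and the request is sent form-urlencoded as RFC 6749 specifies, on the assumption that the token endpoint accepts that encoding as well as the -F form shown above.

```python
import json
import time
import urllib.parse
import urllib.request


def post_form(url, fields):
    """POST form-encoded fields (RFC 6749 encoding) and return the JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as r:
        return json.load(r)


class ServiceToken:
    """Fetches and caches a client_credentials token (hypothetical helper)."""

    def __init__(self, token_url, client_id, client_secret, scope,
                 post=post_form, clock=time.monotonic, skew=60):
        self._url, self._scope = token_url, scope
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        """Return the cached token, requesting a new one shortly before expiry."""
        if self._token is None or self._clock() >= self._expires_at:
            body = self._post(self._url, {"grant_type": "client_credentials",
                                          "scope": self._scope, **self._creds})
            if str(body.get("token_type", "")).lower() != "bearer":
                raise ValueError("unexpected token_type")
            # RFC 6749: an omitted scope means the requested scope was granted.
            granted = set(body.get("scope", self._scope).split())
            if not set(self._scope.split()) <= granted:
                raise PermissionError("requested scope was not granted")
            self._token = body["access_token"]
            self._expires_at = self._clock() + max(0, int(body["expires_in"]) - self._skew)
        return self._token

    def auth_header(self):
        """Header to attach to calls against the protected API."""
        return {"Authorization": "Bearer " + self.get()}


if __name__ == "__main__":
    # Constructed response in the shape of the output above, so the demo runs offline.
    fake = lambda url, fields: {"access_token": "constructed.sample.token",
                                "expires_in": 3599, "scope": "write", "token_type": "bearer"}
    tok = ServiceToken("https://tenant.example/oauth2/token", "id", "secret", "write", post=fake)
    print(tok.auth_header())
```

In a real service, pass the client secret in from the environment or a secret store rather than embedding it in source, and keep the default post_form transport.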