<h1>API Authentication Method in ELM &#8211; OIDC</h1>

<p>Published 2022-02-28 (last modified 2022-12-15) at <a href="https://michaelrowe01.com/index.php/day-job/ibm-elm/api-authentication-method-in-elm-oidc/">michaelrowe01.com</a>. Category: IBM ELM. Tags: api, apis, authentication, oidc, security.</p>

<figure><figcaption>Cover image: Security and ELM</figcaption></figure>

<p>In my last post I walked you through the OAuth 1.0a API flow. Although the three endpoints it needs are all advertised in the RootServices document, it is still a lot of work to end up with a usable OAuth 1.0a token. That token is only valid for a short time, so your code has to keep checking that it still works and, once a call fails, repeat the whole sequence to obtain a new one.</p>

<p>Now let’s look at using OIDC authentication instead: specifically, the OAuth 2.0 client credentials grant that the Jazz Authentication Server exposes for server-to-server calls.</p>

<h4><strong>Initial Setup</strong></h4>

<p>First, our ELM instance must be configured to use a Jazz Authentication Server (JAS). That configuration is beyond the scope of this post, but I highly recommend Shubjit Naik’s article on <a href="https://jazz.net/wiki/bin/view/Deployment/ELMAndOAuth20ServerToServer">ELM and OAuth 2.0 Server to Server communication via Client Credentials Grant</a>.</p>

<p>After following those instructions, your ELM admin will have to provide you with the values used in this flow:</p>

<ul><li>grant_type</li><li>client_id</li><li>client_secret</li><li>scope</li></ul>

<p>Treat the client_secret like a password for the integration: it is a long-lived credential, so keep it out of source control, shared Postman exports and logs.</p>

<h4><strong>Requesting a Token</strong></h4>

<p>As you may recall from the prior post, the RootServices document holds the information we need for OAuth 1.0a authentication; that does not hold true for OIDC. You will need to get the URL of the “access token request” endpoint from your ELM application admin. It can be found on the server admin page, under “The Authorization Server”.</p>

<figure><figcaption>ELM Server Status Summary</figcaption></figure>

<p>If we add /token to the end of the above URL, we have the token request API endpoint.</p>

<figure><figcaption>Request Token API on JAS server</figcaption></figure>

<p>You can see the API is very simple. We pass a grant_type of “client_credentials”, a client_id of “secret2” (which our ELM admin set up for us), a client_secret of “secret” and a requested scope of “openid profile email general” (demo values; a real client registration should use a generated secret). All of these go in a form-encoded (application/x-www-form-urlencoded) POST body, which is what the OAuth 2.0 token endpoint expects. The response is a simple JSON document:</p>

<pre class="wp-block-code"><code>{
    "access_token": "6SnfUJgdMFHb4bj5Z6XO65Ay2bGidMfvDWmpgiLu",
    "token_type": "Bearer",
    "expires_in": 7200,
    "scope": "general openid profile email"
}</code></pre>

<p>We receive a “Bearer” token that expires in 7200 seconds, and the response confirms the scope we asked for (in a different order). Two things are worth noting. A bearer token grants access to whoever presents it, so send it only over TLS and never write it to logs. And because this is a client credentials grant there is no end user, so no id_token comes back even though the openid scope was requested; what you get is an access token. Cache it and request a new one shortly before expires_in runs out rather than asking for a token on every call.</p>

<h4><strong>Calling a protected API</strong></h4>

<p>Next we will call an API that requires authentication. I will use the same API as in the prior post, listing the Project Areas on our server.</p>

<pre class="wp-block-code"><code>curl --location --request GET 'https://elmwb.com:9443/rm/process/project-areas' \
--header 'OSLC-Core-Version: 2.0' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer 6SnfUJgdMFHb4bj5Z6XO65Ay2bGidMfvDWmpgiLu'</code></pre>

<p>As you can see, all we changed is the Authorization header: the bearer token replaces the OAuth 1.0a signature. This is much easier (and quicker) than the steps required for OAuth 1.0a. When a call comes back 401 (token expired or revoked), request a new token and retry once rather than looping.</p>

<p>If you are familiar with Postman, here are two files to help you process these same steps (a Postman environment that holds a client_secret should not be committed or shared):</p>

<p>Postman Environment File – <a href="https://michaelrowe01.com/wp-content/uploads/2022/02/OIDC-Demo-Environment.postman_environment.json_.zip" title="OIDC Demo Environment">OIDC Demo Environment</a></p>

<p>Postman API Collection – <a href="https://michaelrowe01.com/wp-content/uploads/2022/02/OIDC-Flow.postman_collection.json_.zip" title="OIDC Flow">OIDC Flow</a></p>

<p>That’s it! If you have the opportunity to set up the Jazz Authentication Server for your deployment, I highly recommend that you use OIDC for the APIs that require authentication.</p>
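<p>The two steps above (the form-encoded client credentials request to the JAS /token endpoint, and the bearer call to the project-areas API), as an added example that is not part of the original post and not IBM's code. It is Python rather than curl so that the token handling the post mentions can be shown: caching the token, refreshing it before expires_in runs out, checking the granted scope, and retrying once after a 401. The HTTP transport is injectable, so the block runs offline against a constructed stub that mimics the response shape shown above. The JAS path /oidc/endpoint/jazzop/token, the stub's behaviour, the demo credentials and the project-areas response body are assumptions.</p>

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real HTTP transport; urllib verifies the server certificate by default."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class JasClient:
    """Client credentials grant against JAS with token caching, refresh and one 401 retry."""

    REFRESH_MARGIN = 60  # seconds of remaining lifetime below which we re-request

    def __init__(self, token_url, client_id, client_secret, scope,
                 transport=urllib_transport, clock=time.time):
        self.token_url, self.client_id, self.scope = token_url, client_id, scope
        self.client_secret = client_secret  # long-lived credential: never log it
        self.transport, self.clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def _request_token(self):
        # RFC 6749 section 4.4.2: form-encoded POST to the token endpoint.
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials", "client_id": self.client_id,
            "client_secret": self.client_secret, "scope": self.scope}).encode()
        status, body = self.transport("POST", self.token_url, {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json"}, form)
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        data = json.loads(body)
        if data.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
        # Every scope we rely on must have been granted; JAS may return them reordered.
        missing = set(self.scope.split()) - set(data.get("scope", "").split())
        if missing:
            raise RuntimeError(f"scopes not granted: {sorted(missing)}")
        self._token = data["access_token"]
        self._expires_at = self.clock() + int(data["expires_in"])

    def token(self):
        # Re-request when nothing is cached or the cached token is about to expire.
        if self._token is None or self.clock() >= self._expires_at - self.REFRESH_MARGIN:
            self._request_token()
        return self._token

    def get(self, url, _retry=True):
        headers = {"Authorization": f"Bearer {self.token()}",
                   "OSLC-Core-Version": "2.0", "Accept": "application/json"}
        status, body = self.transport("GET", url, headers, None)
        if status == 401 and _retry:
            self._token = None  # expired or revoked server-side: fetch a fresh one, once
            return self.get(url, _retry=False)
        return status, body


class StubServer:
    """Constructed offline stand-in for JAS and the RM server; not real ELM behaviour."""

    def __init__(self):
        self.issued, self.revoked = 0, set()

    def __call__(self, method, url, headers, body):
        if url.endswith("/token"):
            form = urllib.parse.parse_qs(body.decode())
            if [form.get(k) for k in ("grant_type", "client_id", "client_secret")] != \
                    [["client_credentials"], ["secret2"], ["secret"]]:
                return 400, b'{"error": "invalid_client"}'
            self.issued += 1  # response shape as in the post; the token value is made up
            return 200, json.dumps({"access_token": f"tok{self.issued}", "token_type": "Bearer",
                                    "expires_in": 7200, "scope": "general openid profile email"}).encode()
        auth = headers.get("Authorization", "")
        tok = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if not tok.startswith("tok") or tok in self.revoked:
            return 401, b""
        return 200, b'{"project-areas": []}'  # constructed placeholder body


def demo():
    """Drive the flow against the stub with a controllable clock; returns what happened."""
    now = [1_700_000_000.0]
    server = StubServer()
    client = JasClient("https://elmwb.com:9643/oidc/endpoint/jazzop/token",  # assumed JAS path
                       "secret2", "secret", "openid profile email general",
                       transport=server, clock=lambda: now[0])
    api = "https://elmwb.com:9443/rm/process/project-areas"
    first, _ = client.get(api)
    second, _ = client.get(api)  # served from the cached token, no new token request
    after_two_calls = server.issued
    now[0] += 7200 - 30  # now inside the refresh margin
    client.get(api)
    after_refresh = server.issued
    server.revoked.add(client.token())  # simulate revocation on the server side
    status_after_revoke, _ = client.get(api)  # 401, then one retry with a new token
    return {"first": first, "second": second, "tokens_after_two_calls": after_two_calls,
            "tokens_after_refresh": after_refresh, "status_after_revoke": status_after_revoke,
            "tokens_total": server.issued}
```

<p>Running demo() shows three token requests in total: one for the first two calls, one when the cached token is within a minute of expiry, and one after the server rejects a revoked token with 401. Against a real JAS, construct JasClient with the default transport and the /token URL taken from the Authorization Server field on the admin page.</p>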