We use OpenID Connect 1.0, an identity layer built on top of OAuth 2.0, so that services can verify the identity of an end-user or a client. Authentication is performed by Keycloak, an open-source identity and access management server.

For the scope of this integration we configured the Client Credentials Grant. In this flow there is no end-user involved: the client authenticates itself with its client ID and client secret and receives an access token that is scoped to a limited set of resources.

Sample Request

The client obtains an access token by sending an HTTP POST request to the token endpoint of the authentication server, carrying its client ID and client secret in the form body.

Here is a cURL example to obtain a valid access token. The empty URL argument is where the token endpoint of your Keycloak realm goes. Note that -k disables TLS certificate verification: it is only acceptable against a test server with a self-signed certificate, because without verification the client secret can be sent to an impersonated server. Drop it for production use.

curl -k --location --request POST '' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_secret=CLIENT_SECRET' \
--data-urlencode 'grant_type=client_credentials'

If Keycloak validates the credentials, it responds with a JSON body containing the access token (access_token), its lifetime in seconds (expires_in) and the token type (token_type, which is Bearer). The client then calls the REST API with the token in the Authorization header of every request, as Authorization: Bearer <access_token>.

Tip: According to the OAuth 2.0 specification (RFC 6749, section 4.4.3), a refresh token should not be issued for the Client Credentials Grant, so there is nothing to refresh. Whenever the access token expires, the client simply sends another token request with its client ID and client secret. Cache the token for the expires_in period instead of requesting a new one for every API call.
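The whole procedure above (token request with client ID and secret, Authorization: Bearer header on API calls, and a fresh token request rather than a refresh token once the old one expires) as an added example in Python. This is not code from the original page or from Keycloak. The token endpoint URL, the CLIENT_ID/CLIENT_SECRET values, the 30-second expiry leeway and the FakeTokenEndpoint stand-in (whose responses are constructed to mirror the field names Keycloak returns) are assumptions so the example runs offline; the HTTP transport is injectable, and the default _http_post is what talks to a real endpoint.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional


class ClientCredentialsTokenSource:
    """Obtains and caches a client_credentials access token.

    Re-requests a token from the token endpoint once the cached one is within
    `leeway` seconds of expiry. Never uses a refresh token: RFC 6749 section
    4.4.3 says none should be issued for this grant, so any refresh_token field
    in the response is ignored.
    """

    def __init__(self, token_url: str, client_id: str, client_secret: str,
                 post: Optional[Callable[[str, Dict[str, str]], Dict]] = None,
                 clock: Callable[[], float] = time.time, leeway: int = 30):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self._post = post or self._http_post  # injectable for offline tests
        self._clock = clock
        self._leeway = leeway
        self._token: Optional[str] = None
        self._expires_at = 0.0

    @staticmethod
    def _http_post(url: str, form: Dict[str, str]) -> Dict:
        """Real transport: form-encoded POST. urllib verifies the server
        certificate by default, i.e. this is curl *without* -k."""
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(
            url, data=data, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def access_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            self._fetch(now)
        return self._token  # type: ignore[return-value]

    def _fetch(self, now: float) -> None:
        resp = self._post(self.token_url, {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if "access_token" not in resp:
            raise RuntimeError(f"token request failed: {resp.get('error')}: "
                               f"{resp.get('error_description')}")
        if resp.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {resp.get('token_type')!r}")
        self._token = resp["access_token"]
        # Treat the token as expired `leeway` seconds early so a request sent
        # just before expiry does not fail with 401.
        self._expires_at = now + int(resp.get("expires_in", 0)) - self._leeway

    def auth_header(self) -> Dict[str, str]:
        """Header to attach to every REST API call."""
        return {"Authorization": f"Bearer {self.access_token()}"}


class FakeTokenEndpoint:
    """Stand-in for a Keycloak token endpoint so the example runs offline.
    Responses are constructed for this example; only the field names mirror
    what Keycloak returns. Counts requests so caching can be observed."""

    def __init__(self, client_id: str, client_secret: str, expires_in: int = 300):
        self.client_id, self.client_secret = client_id, client_secret
        self.expires_in = expires_in
        self.requests = 0

    def __call__(self, url: str, form: Dict[str, str]) -> Dict:
        self.requests += 1
        if form.get("grant_type") != "client_credentials":
            return {"error": "unsupported_grant_type"}
        if (form.get("client_id"), form.get("client_secret")) != (self.client_id, self.client_secret):
            return {"error": "unauthorized_client",
                    "error_description": "Invalid client credentials"}
        # No refresh_token here, as the spec requires for this grant.
        return {"access_token": f"tok-{self.requests}", "token_type": "Bearer",
                "expires_in": self.expires_in}


def demo() -> Dict[str, object]:
    """Walk through the flow with a controllable clock; returns what happened."""
    now = [1_000_000.0]
    endpoint = FakeTokenEndpoint("CLIENT_ID", "CLIENT_SECRET", expires_in=300)
    src = ClientCredentialsTokenSource(
        "https://keycloak.example/realms/demo/protocol/openid-connect/token",  # assumed URL
        "CLIENT_ID", "CLIENT_SECRET", post=endpoint, clock=lambda: now[0], leeway=30)
    first = src.auth_header()
    second = src.auth_header()   # still valid: served from cache, no new request
    now[0] += 271                # now within 30 s of expiry: a new token is requested
    third = src.auth_header()
    return {"first": first, "second": second, "third": third,
            "requests": endpoint.requests}


if __name__ == "__main__":
    print(demo())
```

Against a real realm, construct the source without `post` and with the realm's token endpoint URL; the default transport keeps certificate verification on, so the client secret only ever reaches a server whose certificate chains to a trusted CA.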
