Client Credentials Flow: Obtain Access Token
Authenticate client applications using client credentials flow and get access tokens for Connect API access.

Raidiam recommends reading the Obtaining Access Tokens article first to learn about used specifications, all available access scopes and what they enable, and more.

```mermaid
sequenceDiagram
    autonumber
    participant App as Client Application
    participant AS as Raidiam Authorisation Server
    participant API as Connect APIs
    App->>AS: /token
    Note over App,AS: tls_client_auth or private_key_jwt<br />as client auth method
    Note over App,AS: grant_type=client_credentials
    Note over App,AS: client_id=$client_id
    Note over App,AS: scope=directory:software
    AS->>AS: Verify request
    AS->>App: Access token
    App->>API: Access API with token
```

Prerequisites

- Active and valid application (software statement).
- Active transport certificates. If not yet added, see Manage Certificates for Organisation to add them for an organisation or an application.
- Active signing certificates along with public and private keys, if your application uses the private_key_jwt client authentication method. If not yet added, see Manage Certificates for Organisation to add them for your organisation or application.

Get Access Token Using CC Flow

1. Add Raidiam's Authorisation Server /.well-known endpoint to your OAuth library configuration. Your OAuth library should be able to get the server's configuration.

   Sample /.well-known: https://auth.sandbox.raidiam.io/.well-known/openid-configuration

   The /.well-known endpoint contains all the information about the servers you need to successfully integrate with the server and get access tokens, for example:

   - The OAuth token endpoint:

     ```json
     "token_endpoint": "https://auth.sandbox.raidiam.io/token"
     ```

   - Or mTLS endpoint aliases for clients authenticating themselves using the tls_client_auth method. Sample mTLS endpoint aliases:

     ```json
     "mtls_endpoint_aliases": {
       "token_endpoint": "https://matls-auth.sandbox.raidiam.io/token",
       "revocation_endpoint": "https://matls-auth.sandbox.raidiam.io/token/revocation",
       "introspection_endpoint": "https://matls-auth.sandbox.raidiam.io/token/introspection",
       "device_authorization_endpoint": "https://matls-auth.sandbox.raidiam.io/device/auth",
       "registration_endpoint": "https://matls-auth.sandbox.raidiam.io/reg",
       "userinfo_endpoint": "https://matls-auth.sandbox.raidiam.io/me",
       "pushed_authorization_request_endpoint": "https://matls-auth.sandbox.raidiam.io/request",
       "backchannel_authentication_endpoint": "https://matls-auth.sandbox.raidiam.io/backchannel"
     }
     ```

2. Following Manage Certificates for Organisation, set up a transport certificate for your organisation or application and add it to your OAuth library client's configuration.

   The transport certificate will be used in mutual Transport Layer Security (mTLS) to establish a secure connection between your client and the Authorisation Server.

   Your OAuth client library should be capable of verifying the Authorisation Server's certificate. If you are using curl to test the integration, you can disable checking the server's certificate using the -k flag or --insecure option.

3. Call Raidiam's OAuth /token endpoint to authenticate your client. Use the client authentication method configured for your client:

   - tls_client_auth: Mutual TLS Client Authentication and Certificate-Bound Access Tokens (RFC8705). If you're using the tls_client_auth method, remember to use the mTLS endpoint aliases instead of the regular OAuth token endpoint.
   - private_key_jwt: Assertion Framework for OAuth 2.0 Client Authentication (RFC7521).

   curl to /token template:

   ```bash
   curl --location --request POST 'https://{base_url}/token' \
     --cert /path/to/your/certificate.pem \
     --key /path/to/your/private.key \
     --header 'Content-Type: application/x-www-form-urlencoded' \
     --data-urlencode 'grant_type=client_credentials' \
     --data-urlencode 'client_id={client_id}' \
     --data-urlencode 'scope=directory:software'
   ```

Upon successful validation of the request, the Authorisation Server issues and returns an access token in the form of a JWT signed using the algorithm configured for your client (Applications > your application > Advanced Configuration > Token Signed Response Algorithm ID).
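The following Python is an added example, not code from Raidiam's documentation. It applies the endpoint rule described above for tls_client_auth (use the mTLS alias when the discovery document publishes one) and sends the client credentials request with server certificate verification left on. The function names are hypothetical, the metadata is a constructed sample holding only the two token endpoints quoted on this page, and building the private_key_jwt assertion is not covered.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Added example: function names are illustrative, not part of any Raidiam library.
# Constructed sample holding the two token endpoints quoted on this page.
SAMPLE_METADATA = {
    "token_endpoint": "https://auth.sandbox.raidiam.io/token",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://matls-auth.sandbox.raidiam.io/token",
    },
}

def select_token_endpoint(metadata, auth_method):
    """tls_client_auth uses the mTLS alias when one is published (RFC 8705)."""
    endpoint = metadata["token_endpoint"]
    if auth_method == "tls_client_auth":
        endpoint = metadata.get("mtls_endpoint_aliases", {}).get("token_endpoint", endpoint)
    elif auth_method != "private_key_jwt":
        raise ValueError(f"unsupported client auth method: {auth_method}")
    if urllib.parse.urlsplit(endpoint).scheme != "https":
        raise ValueError(f"refusing non-HTTPS token endpoint: {endpoint}")
    return endpoint

def build_token_request(metadata, client_id, scope="directory:software"):
    """Return (url, form body) for a tls_client_auth client credentials request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
    })
    return select_token_endpoint(metadata, "tls_client_auth"), body

def request_token(metadata, client_id, cert_path, key_path):
    """Send the request over mTLS; the default context verifies the server."""
    url, body = build_token_request(metadata, client_id)
    ctx = ssl.create_default_context()        # hostname and chain checks enabled
    ctx.load_cert_chain(cert_path, key_path)  # transport certificate and private key
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["access_token"]
```

`request_token` needs network access and a real transport certificate; the two builder functions run offline.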