Authentication
API authentication uses the OAuth2 client credentials flow to obtain a JWT access token from our Identity Provider (IdP) carrying the required roles.
The token typically expires after 5 minutes, after which the client must obtain a new one. Each request to the API must include the x-dasgate-tenant-id header and the Authorization header in the form Authorization: Bearer <token>, where <token> is the JWT obtained from the IdP as described below.
Token generation
Veridas will provide the OIDC client with two pieces of information that identify it and are required to obtain the access token: client_id and client_secret. With these two values, an access token is obtained by calling the Identity Provider's /token endpoint as follows:
POST /auth/realms/{TENANT_ID}/protocol/openid-connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Host: iam.work-srv.das-gate.com
content-length: XX
grant_type=client_credentials&scope=roles&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
Veridas provides each customer with a CLIENT_ID, a TENANT_ID and a CLIENT_SECRET, so the integration must allow these parameters to be configured per client. These variables must be defined in the attached environment file, together with the API_KEY variable, which is also provisioned by Veridas.
The response is a JSON document with the following format:
{
  "access_token": "eyJhbGc....",
  "expires_in": 300,
  "token_type": "bearer",
  "not-before-policy": 0,
  "session_state": "3f9a7a76-cd4a-4082-b3e0-95686bac24ee",
  "scope": "email profile roles"
}
From this response, extract the access_token for use in API requests as shown under Example of authenticated header. The expires_in field gives the validity period of the token in seconds; the client should track it and request a new token before it runs out rather than waiting for a 401.
Token refresh
When the token expires, a new one must be generated by repeating the operation described in Token generation.
It is also possible to use the Refresh Token grant, although it involves sending practically the same request as in Token generation. Note that the response documented above does not contain a refresh_token field, so this grant can only be used if the IdP actually returns one:
POST /auth/realms/{TENANT_ID}/protocol/openid-connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Host: iam.work-srv.das-gate.com
content-length: XX
grant_type=refresh_token&refresh_token=REFRESH_TOKEN&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
Example of authenticated header
Each call to this API must include the following headers for authentication to succeed:
x-dasgate-tenant-id
Authorization: Bearer <token>
POST /api/public/singles HTTP/1.1
Content-Type: application/json
Accept: */*
x-dasgate-tenant-id: TENANT_ID
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
content-length: XX
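The flow described in Token generation, Token refresh and the header example, combined into one small client. This is an added example, not Veridas code: DasGateAuth, REFRESH_MARGIN and the injectable post and clock parameters are assumptions made here so the caching and grant selection can be exercised offline.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

IDP_HOST = "https://iam.work-srv.das-gate.com"  # IdP host given in the requests above

class DasGateAuth:
    """Fetches the client-credentials token and caches it until shortly before expires_in (assumed helper)."""
    REFRESH_MARGIN = 30  # seconds: renew before the IdP's expiry so a racing call does not get a 401

    def __init__(self, tenant_id, client_id, client_secret, post=None, clock=time.time):
        self.tenant_id, self.client_id, self.client_secret = tenant_id, client_id, client_secret
        self._post = post or self._http_post  # injectable so the flow can be exercised offline
        self._clock = clock
        self._token, self._expires_at, self._refresh_token = None, 0.0, None

    @property
    def token_url(self):
        return f"{IDP_HOST}/auth/realms/{self.tenant_id}/protocol/openid-connect/token"

    def _http_post(self, url, form):
        # Form-encoded POST exactly as in the Token generation request; the secret stays in the body, not the URL.
        req = Request(url, data=urlencode(form).encode(), method="POST",
                      headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "*/*"})
        with urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def _store(self, body):
        self._token = body["access_token"]
        self._expires_at = self._clock() + body["expires_in"] - self.REFRESH_MARGIN
        self._refresh_token = body.get("refresh_token")  # absent in the documented response

    def get_token(self):
        if self._token and self._clock() < self._expires_at:
            return self._token  # still valid: reuse instead of hitting /token on every API call
        creds = {"client_id": self.client_id, "client_secret": self.client_secret}
        if self._refresh_token:  # Refresh Token grant, only if the IdP actually issued one
            try:
                self._store(self._post(self.token_url, {"grant_type": "refresh_token",
                                                        "refresh_token": self._refresh_token, **creds}))
                return self._token
            except (OSError, KeyError, ValueError):
                self._refresh_token = None  # fall back to a fresh client_credentials grant
        self._store(self._post(self.token_url, {"grant_type": "client_credentials", "scope": "roles", **creds}))
        return self._token

    def headers(self):
        # Both headers that every das-Gate API call must carry.
        return {"x-dasgate-tenant-id": self.tenant_id, "Authorization": f"Bearer {self.get_token()}"}
```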