Authentication flow for Zones to access the micro-services
Your application can acquire a token to call a web API on its own behalf (not on behalf of a user). This scenario is useful for external applications that run a batch process and need to manipulate application data. It uses the standard OAuth 2.0 client credentials grant to obtain a valid token. OAuth 2.0 is one of the most popular and powerful authorization frameworks; it enables a third-party application to obtain limited access to an HTTP service.
To gain access, we may provide you with a curl like the one below, containing a client id, client secret, scope and tenant for each environment (dev, sit, uat, prod):
curl --location --request POST 'https://services-sit.bees-platform.dev/api/auth/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'requestTraceId: test-hbt2' \
  --data-urlencode 'client_id=zone_client_id' \
  --data-urlencode 'client_secret=zone_client_secret' \
  --data-urlencode 'scope=openid' \
  --data-urlencode 'grant_type=client_credentials'
Important: the sample curl above exchanges a client id, client secret, scope and tenant for an Access Token using the OAuth2 client credentials flow (also known as Machine to Machine communication). Each zone/country has a specific client_id and client_secret per environment (SIT, UAT and PROD). Please request this information from our team.
URLs from Authentication Service
Global
Europe
uat: https://services.eu.uat.restricted.mybees-platform.dev/api/auth/token
prod: https://services.eu.mybees-platform.com/api/auth/token
DTC
sit: https://services.dtc.sit.mybees-platform.dev/api/auth/token
uat: https://services.dtc.uat.mybees-platform.dev/api/auth/token
prod: https://services.dtc.mybees-platform.com/api/auth/token
[Diagram: Machine to Machine communication. The external application requests a token with its client credentials; there is no user involved.]
In the image above we have a simple integration flow from an external application that needs to acquire an access token to communicate with our services:
A request is made to the token endpoint with the provided params (the sample curl above uses POST)
The Access Token is retrieved
This token is cached (time to live of 1 hour)
This token is sent in the HTTP Authorization header to the desired service: --header 'Authorization: Bearer eyJ0eXAiOiJKV1Qi....'
The curl below is an example of a request to a BEES microservice with the Authorization header set to the previously received token:
curl --request GET 'https://services-dev.bees-platform.dev/v1/order-service/v1/search?accounts=0000100004' \
  --header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCJ9.eyJhdWQiOiJlOWExODc5Yi03OGI5LTQ1ODItOGFiYy01NDhhMThmZGMwYjMiLCJpc3MiOiJodHRwczovL2xvZ2luaXNzdWVyLnRlc3QuY29tL3YyIiwiaWF0IjoxNjA2MjMzMDQ0LCJuYmYiOjE2MDYyMzMwNDQsImV4cCI6MTcwNjIzNjk0NCwiYXpwIjoiODM0OGNlMjEtNzY1ZC00MmI5LThkZmUtMTNhYzk4Mzk3YTIzIiwicm9sZXMiOlsiVGVzdFJvbGVGb3JTYW1wbGVUb2tlbi5OT1RfUkVBTCJdLCJzdWIiOiI5Zjk4NGRmNC0xOTMzLTRhYjEtOTQ5YS0zZWQ1NDE3MTc2YTYifQ.Y6Oc_0QzLTXKKrnh9OFjfKXAC2gUwt5ilcSFcQPTQlX4AYYOFBtmWp-SI4j8RHW8ZTusFWfbUJLG5IUapVilvkAiYDcPf87wYeXN7pRIBcsZX317q3kq8Uu_ysMLw5zF13eWNnDpWVbfvraUItCTRXvnxMy019DNTYED1N92heNEn_JW3dnZGCilKTHruOSRK-pp8FXRjgaWmYBcD5qFsfNwbd4Y3yt-md5lLvnLaezUVGHFXM9TcIgJtcn2H0UYAK7CpK_QY9ojzpkfMgREesuVf9CzlkeDkZQl__WNSAN8SiGNPY8a69RO4LHRnSgjiVjNYbm0plE08YAwiAzjDg' \
  --header 'requestTraceId: myTraceId123' \
  --header 'country: BR'
Token Expiration
This token will eventually expire as a security measure. Cache it and reuse it for subsequent requests while it is valid. Request a new token from the Authentication endpoint only after, or shortly before, its expiration; otherwise the Identity Provider will throttle your requests.
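The following is an added example (not BEES code) of a small client-side token cache that implements the flow described above: one client-credentials POST, the token reused until shortly before expiry, and the Bearer, requestTraceId and country headers built for each service call. The transport is injectable so the code runs offline against a constructed stand-in for the Identity Provider; the 60-second refresh margin and the expires_in field are assumptions, with the page's 1-hour TTL as the fallback.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://services-sit.bees-platform.dev/api/auth/token"  # SIT endpoint from the page
REFRESH_MARGIN_SECONDS = 60  # assumption: renew shortly before expiry, never after


def http_post_form(url, form, headers):
    """Real transport: POST a form-encoded body and parse the JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    for name, value in headers.items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ClientCredentialsTokenCache:
    """Requests a client-credentials token once and reuses it until near expiry."""

    def __init__(self, client_id, client_secret, token_url=TOKEN_URL,
                 transport=http_post_form, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.token_url, self.transport, self.clock = token_url, transport, clock
        self.token_requests = 0  # round trips to the IdP; should stay small
        self._token, self._expires_at = None, 0.0

    def get_token(self, trace_id="token-refresh"):
        now = self.clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN_SECONDS:
            form = {"client_id": self.client_id, "client_secret": self.client_secret,
                    "scope": "openid", "grant_type": "client_credentials"}
            reply = self.transport(self.token_url, form, {"requestTraceId": trace_id})
            self.token_requests += 1
            self._token = reply["access_token"]
            # The page states a 1 hour TTL; prefer expires_in when the IdP returns it.
            self._expires_at = now + float(reply.get("expires_in", 3600))
        return self._token

    def service_headers(self, trace_id, country):
        """Headers for a call to a BEES microservice, as in the page's second curl."""
        return {"Authorization": "Bearer " + self.get_token(trace_id),
                "requestTraceId": trace_id, "country": country}


def fake_token_endpoint(url, form, headers):
    """Constructed stand-in for the IdP so the example runs offline."""
    assert form["grant_type"] == "client_credentials" and "client_secret" in form
    return {"access_token": "constructed.sample.token", "expires_in": 3600}
```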
For more information, you can access: