Authentication flow for Zones to access the micro-services
Your application can acquire a token to call a web API on behalf of itself (not on behalf of a user). This scenario is useful for external applications that run a batch process and need to manipulate application data. It uses the standard OAuth 2.0 client credentials grant to obtain a valid token. OAuth 2.0 is one of the most popular and powerful authorization frameworks; it enables a third-party application to obtain limited access to an HTTP service.
To gain access, we may provide you with a curl command like the one below, containing a client id, client secret, scope and tenant for each environment (dev, sit, uat, prod):
curl --location --request POST 'https://services-sit.bees-platform.dev/api/auth/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'requestTraceId: test-hbt2' \
  --header 'Cookie: incap_ses_1241_2295550=EyqeGBtkSlQy7wx4hus4EQZ/hmIAAAAA76KEQSCb8nsSIXJKwEfrlw==' \
  --data-urlencode 'client_id=zone_client_id' \
  --data-urlencode 'client_secret=zone_client_secret' \
  --data-urlencode 'scope=openid' \
  --data-urlencode 'grant_type=client_credentials'
Important: the sample curl above exchanges a client id, client secret, scope and tenant for an Access Token using the OAuth2 client credentials flow (also known as Machine to Machine communication). Each zone/country has a specific client_id and client_secret per environment (SIT, UAT and PROD). Please request this information from our team.
URLs from Authentication Service
Global
Europe
uat: https://services.eu.uat.restricted.mybees-platform.dev/api/auth/token
prod: https://services.eu.mybees-platform.com/api/auth/token
DTC
sit: https://services.dtc.sit.mybees-platform.dev/api/auth/token
uat: https://services.dtc.uat.mybees-platform.dev/api/auth/token
prod: https://services.dtc.mybees-platform.com/api/auth/token
[Figure: Machine to Machine communication. Request token with client credential; there is no user involved.]
In the image above we have a simple integration flow for an external application that needs to acquire an access token to communicate with our services:
A GET request is made with the provided params.
The Access Token is retrieved.
This token is cached (time to live of 1 hour).
This token is sent in the HTTP Authorization header to the desired service: --header 'Authorization: Bearer eyJ0eXAiOiJKV1Qi....'
The curl below is an example of a request to a BEES microservice with the Authorization header set to the previously received token:
curl --request GET 'https://services-dev.bees-platform.dev/v1/order-service/v1/search?accounts=0000100004' \
  --header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCJ9.....vnVeaToPfe8fPCfNza2F4RUC2mBE39R-kCDKyTJoo9IpRRW7YTWyX9veRTrr2t6cUIW0p2Fyjcuxq72u9MavcPBncUnrTYER7JvyrWIgobACNJlO2ShkOat1kG3KmbBt-tIVsXqySfxF6JQH1Uzv2gFpYa3CJpdV0QlAJykm2fDiiMsa-3qKl7c9Zon-8drpWqc6uaDvLL2Eml_4lXp-sN7_aOBxLTp7vGwOUchOoeqF5pPD1UpWLMUtT1V-85x8qNuIdTLMZoy_VVEZlftZcYZbwfHSWlmjBhlLDwbqwXXYBupKaRxKKH5cfFft1lukRYzAj_UMY11IePsQ11268g' \
  --header 'requestTraceId: myTraceId123' \
  --header 'country: BR'
Token Expiration
This token expires after 1 hour for security reasons, so you should cache it and reuse it for subsequent requests. Only request a new token at or near its expiration; otherwise the Identity Provider will probably throttle your requests.
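The flow in the steps above (request a token with the client credentials, cache it, send it as a Bearer header) together with the caching and refresh-near-expiry rule from this section, written out as a small client. This is an added example, not BEES code: the token URL is the SIT one from the page, but the client id and secret are placeholders, the token endpoint response shape (access_token / expires_in) is the standard OAuth2 one and is assumed, and the HTTP transport and clock are injectable so the module runs offline against a constructed stub.

```python
"""Client-credentials token client with caching and early refresh.

Added example, not part of the original page. Client id and secret are
placeholders; the transport and clock are injectable so demo() runs offline.
"""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TOKEN_URL = "https://services-sit.bees-platform.dev/api/auth/token"  # SIT endpoint from the page
CLIENT_ID = "zone_client_id"          # placeholder, issued per zone and environment
CLIENT_SECRET = "zone_client_secret"  # placeholder; keep real secrets out of source control
SCOPE = "openid"

# Refresh this many seconds before the advertised expiry so a token that is
# about to lapse is never sent to a service (avoids 401s at the boundary).
REFRESH_SKEW_SECONDS = 60

Transport = Callable[[str, Dict[str, str], Dict[str, str]], dict]


def post_form(url: str, form: Dict[str, str], headers: Dict[str, str]) -> dict:
    """Default transport: POST an x-www-form-urlencoded body, parse the JSON reply."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    for name, value in headers.items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


@dataclass
class TokenClient:
    token_url: str
    client_id: str
    client_secret: str
    scope: str = SCOPE
    transport: Transport = post_form
    clock: Callable[[], float] = time.time
    request_count: int = field(default=0, init=False)   # how many times the IdP was called
    _access_token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def _fetch(self, trace_id: str) -> None:
        """Exchange the client credentials for a token (grant_type=client_credentials)."""
        form = {
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "scope": self.scope,
            "grant_type": "client_credentials",
        }
        resp = self.transport(self.token_url, form, {"requestTraceId": trace_id})
        self.request_count += 1
        # expires_in is seconds from issuance; fall back to the 1 h TTL stated on the page.
        ttl = int(resp.get("expires_in", 3600))
        self._access_token = resp["access_token"]
        self._expires_at = self.clock() + ttl

    def access_token(self, trace_id: str = "token-refresh") -> str:
        """Return the cached token, fetching a new one only at or near expiry."""
        near_expiry = self.clock() >= self._expires_at - REFRESH_SKEW_SECONDS
        if self._access_token is None or near_expiry:
            self._fetch(trace_id)
        return self._access_token

    def auth_headers(self, country: str, trace_id: str) -> Dict[str, str]:
        """Headers for a call to a BEES microservice, as in the curl above."""
        return {
            "Authorization": f"Bearer {self.access_token(trace_id)}",
            "requestTraceId": trace_id,
            "country": country,
        }


def demo() -> Dict[str, object]:
    """Drive the client against a constructed stub IdP and a fake clock."""
    issued = []

    def stub_transport(url: str, form: Dict[str, str], headers: Dict[str, str]) -> dict:
        # Constructed stand-in for the token endpoint: returns a fresh fake token each call.
        assert form["grant_type"] == "client_credentials" and "requestTraceId" in headers
        issued.append(form["client_id"])
        return {"access_token": f"tok-{len(issued)}", "token_type": "Bearer", "expires_in": 3600}

    state = {"now": 1_700_000_000.0}
    client = TokenClient(TOKEN_URL, CLIENT_ID, CLIENT_SECRET,
                         transport=stub_transport, clock=lambda: state["now"])
    first = client.auth_headers("BR", "trace-1")["Authorization"]
    state["now"] += 1800            # 30 min later: still well inside the TTL
    second = client.auth_headers("BR", "trace-2")["Authorization"]
    state["now"] += 1800 - 30       # 30 s before expiry: inside the refresh skew
    third = client.auth_headers("BR", "trace-3")["Authorization"]
    return {"token_requests": client.request_count, "first": first,
            "reused": first == second, "rotated": third != second}


if __name__ == "__main__":
    print(demo())
```

Two behaviours matter here: the secret travels only in the POST body to the token endpoint, and the cache answers every call until the token is within REFRESH_SKEW_SECONDS of expiry, so the Identity Provider sees one request per hour per client rather than one per API call.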
For more information, you can access:
Azure AD Client Credentials: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow