
The Authentication server implements the OpenID Connect standard with several customizations. To access the OpenID Connect configuration, go to https://<auth_server_host>:<port>/authentication/.well-known/openid-configuration.

The Authentication server must be configured to accept new client applications by changing these parameters in the authserver.properties file:

  1. Add the URL of the client app to the whitelist, separating URLs with a comma: authentication.redirect.uri.whitelist. An entry can be either the full URL to which users should be redirected back from the Authentication server or just the beginning of it. The authorization endpoint will not accept a redirect URI parameter that cannot be found in the whitelist.
  2. Add new client IDs, separated with commas: authentication.client.ids. You might need to uncomment this line first. The authorization endpoint will not accept a client_id parameter that cannot be found in this list.
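As an added example (not the Authentication server's own code), the following Python models the two checks described above: it reads the two properties from a constructed authserver.properties excerpt, skipping commented-out lines, and applies them to the query string of an authorization request. It assumes the whitelist is matched by plain string prefix, since an entry may be "just the beginning" of the redirect URI; the property values and request parameters are placeholders.

```python
"""Model of the authorization-endpoint checks on redirect_uri and client_id.

Added example, not the Authentication server's own code. Assumes plain
prefix matching for the whitelist; the properties text is constructed.
"""
from urllib.parse import parse_qs

# Constructed excerpt of authserver.properties (not from a real deployment).
AUTHSERVER_PROPERTIES = """
# Redirect URIs (or URI prefixes) accepted by the authorization endpoint
authentication.redirect.uri.whitelist=https://app.example.com/callback,https://tools.example.com/
# Client IDs accepted by the authorization endpoint
authentication.client.ids=desktop-client,reporting-tool
#authentication.client.ids=commented-out-client
"""


def load_properties(text: str) -> dict:
    """Parse key=value lines; blank lines and lines starting with '#' are ignored,
    so a commented-out authentication.client.ids line contributes nothing."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def csv_values(props: dict, key: str) -> list:
    """Split a comma-separated property into trimmed, non-empty values."""
    return [v.strip() for v in props.get(key, "").split(",") if v.strip()]


def redirect_uri_allowed(uri: str, whitelist: list) -> bool:
    """Assumed semantics: accepted when some whitelist entry is a prefix of the URI
    (a full URL entry therefore matches only itself or longer URIs under it)."""
    return bool(uri) and any(uri.startswith(entry) for entry in whitelist)


def check_authorization_request(query: str, props: dict) -> dict:
    """Apply both checks to an authorization request's query string and report
    each outcome separately, so the reason for a refusal is visible."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    whitelist = csv_values(props, "authentication.redirect.uri.whitelist")
    client_ids = csv_values(props, "authentication.client.ids")
    result = {
        "redirect_uri_ok": redirect_uri_allowed(params.get("redirect_uri", ""), whitelist),
        "client_id_ok": params.get("client_id", "") in client_ids,
    }
    result["accepted"] = result["redirect_uri_ok"] and result["client_id_ok"]
    return result


if __name__ == "__main__":
    props = load_properties(AUTHSERVER_PROPERTIES)
    for q in (
        "response_type=code&client_id=desktop-client&redirect_uri=https://app.example.com/callback",
        "response_type=code&client_id=commented-out-client&redirect_uri=https://app.example.com/callback",
        "response_type=code&client_id=desktop-client&redirect_uri=https://other.example.com/",
    ):
        print(q, "->", check_authorization_request(q, props))
```

Because an entry can match as a prefix, keep whitelist entries as specific as the deployment allows: the full callback URL, or a prefix that ends in a path separator, rather than a bare scheme and host.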

There are a few deviations from the standard OpenID Connect specification:

  • When invoking the token endpoint, the HTTP header X-Auth-Secret must be passed, carrying the value of the authentication.client.secret parameter from authserver.properties.
  • ID tokens have an expiration time (configuration property authentication.token.expirity); they must be refreshed through the token endpoint by passing refresh tokens.

To call the TWCloud REST API with a generated authentication token, the token should be sent in the header of the request:

Authorization: Token <received_id_token>

To get a token without user interaction, i.e. to use a predefined username and password for server-to-server calls only, the system needs to send an HTTP POST request to the token endpoint of the Authentication server with the following HTTP headers and parameters:

  • Headers:

    X-Auth-Secret: <secret from authentication.client.secret>
    Authorization: Basic xxxxxxxxx, where xxxxxxxxx is the base64 encoding of username:password

  • Query parameters:

    grant_type=client_credentials
    client_id=<your_client_id>
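The server-to-server token request above, followed by the REST call that uses the result, as an added Python example (not TWCloud's own client code; standard library only). The host auth.example.com, the port, the client id, the credentials and the sample JSON reply are constructed placeholders; the token endpoint URL is read from the token_endpoint field of the discovery document, as standard OpenID Connect defines it, because the page does not give its path.

```python
"""Server-to-server token acquisition for the Authentication server and the
TWCloud REST call that uses the result. Added example, not TWCloud's own client
code; standard library only. Host, port, client id, credentials and the sample
JSON reply are constructed placeholders."""
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Constructed reply from the token endpoint (field names follow OpenID Connect;
# the page does not show the server's exact JSON).
SAMPLE_TOKEN_RESPONSE = (
    b'{"id_token": "eyJconstructed.idtoken.value", '
    b'"refresh_token": "constructed-refresh-token", "expires_in": 3600}'
)


def authentication_base(host: str, port: int) -> str:
    """Base of the Authentication server URLs given on the page."""
    return f"https://{host}:{port}/authentication"


def discovery_url(host: str, port: int) -> str:
    """OpenID Connect discovery document location from the page."""
    return authentication_base(host, port) + "/.well-known/openid-configuration"


def basic_auth_value(username: str, password: str) -> str:
    """Authorization header value: 'Basic ' + base64(username:password)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(token_endpoint: str, client_id: str, client_secret: str,
                        username: str, password: str):
    """Assemble the POST as described: grant_type and client_id as query
    parameters, the shared secret in X-Auth-Secret, user credentials in Basic auth."""
    query = urlencode({"grant_type": "client_credentials", "client_id": client_id})
    headers = {
        "X-Auth-Secret": client_secret,
        "Authorization": basic_auth_value(username, password),
        "Accept": "application/json",
    }
    return token_endpoint + "?" + query, headers


def parse_token_response(body: bytes) -> dict:
    """Extract the ID token and (if present) the refresh token; fail loudly
    otherwise, so a missing token is never sent on as 'Token None'."""
    data = json.loads(body.decode("utf-8"))
    if "id_token" not in data:
        raise ValueError(f"token endpoint reply has no id_token, keys: {sorted(data)}")
    return {"id_token": data["id_token"], "refresh_token": data.get("refresh_token")}


def api_headers(id_token: str) -> dict:
    """Header the TWCloud REST API expects: Authorization: Token <id_token>."""
    return {"Authorization": f"Token {id_token}", "Accept": "application/json"}


def fetch_id_token(host, port, client_id, client_secret, username, password) -> dict:
    """Live path (not exercised offline): read token_endpoint from the discovery
    document, POST the client_credentials request, parse the reply."""
    with urllib.request.urlopen(discovery_url(host, port), timeout=10) as resp:
        token_endpoint = json.loads(resp.read().decode("utf-8"))["token_endpoint"]
    url, headers = build_token_request(token_endpoint, client_id, client_secret,
                                       username, password)
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; use fetch_id_token(...) live.
    tokens = parse_token_response(SAMPLE_TOKEN_RESPONSE)
    url, headers = build_token_request(
        "https://auth.example.com:8555/authentication/token",  # constructed endpoint
        "reporting-tool", "constructed-secret", "svc-user", "svc-password")
    print("POST", url)
    # Never log the shared secret or the Basic credentials.
    print("headers:", {k: ("<redacted>" if k in ("X-Auth-Secret", "Authorization") else v)
                       for k, v in headers.items()})
    print("REST header:", api_headers(tokens["id_token"]))
```

Keep the refresh_token that parse_token_response returns: as the page notes, ID tokens expire after authentication.token.expirity and must be refreshed through the token endpoint rather than re-sent indefinitely. The X-Auth-Secret value and the Basic credentials are long-lived secrets and should stay out of logs, which is why the demonstration redacts them before printing.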