Introduction
When building a server-side app that securely stores secrets, use the following procedures to set up your authorization.
Before you begin
This guide requires you to have:
- A registered service application. If you have not created an application, open the My Apps page under your Profile menu and click the Register New button. For this guide, the application type is Service.
- The client_id and the client_secret supplied when you create your application. Make sure to save this data in a secure location.
Client credential flow
The Client Credential Flow allows your backend process or service, i.e., a confidential client, to authenticate using its own credentials rather than impersonating a user.
An administrator grants permissions directly to the application. Since no user is involved in the authentication, the resource checks that the application itself is authorized to perform an action when it presents a token to that resource.
The following steps provide an overview of the process.
- The application makes a request to the authorization server token endpoint with the required parameters.
- The authorization server confirms the information supplied and returns an access token.
- The application uses the access token to call a given API.
- The API responds to the request with the requested data when the necessary scopes are included in the token, and the service identity has the proper permissions for that API.
Set up authorization for your app
The following guide steps you through retrieving an access token for your service application. Once you have your app registered, you can begin to obtain the access token.
Obtain an access token
To obtain an access token for your app, follow these steps:
- Send a request to the authorization server endpoint.
  POST https://qa-ims.bentley.com/connect/token
  The authorization request requires the following parameters:
  grant_type: Set to client_credentials for service-based applications.
  client_id: The ID of the app you created. If you forgot the ID, find it on the My Apps page. Locate your app in the list. The Client ID is in the same-named column.
  client_secret: The secret given when you registered the app. If you did not save the client secret, generate a new one. To do so, open the My Apps page and find your app in the list, click the link to open the Details page, and then click Re-generate in the Client Secret field.
  scope: Add the itwin-platform scope assigned to your app during registration.
- The authorization server confirms the client_id and client_secret and returns an access token. Bentley's authorization server completes this step. There is no implementation needed in your application. A successful response includes the access token.
- Use the access token to call the API. Remember that to call iTwin Platform APIs, you must set up your iTwin roles and permissions. For more information, see the Access Control API documentation.
Token request example
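The following script is an added example, not a request sample from this guide: it builds the client-credentials POST described above, validates the token response, and calls the users/me endpoint with the bearer token. The environment variable names, the sample JSON response and the exact shape of the token JSON (standard OAuth 2.0 access_token / token_type fields) are assumptions.

```python
"""Client credentials flow against the iTwin token endpoint (added example)."""
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://qa-ims.bentley.com/connect/token"   # from the guide
API_BASE = "https://api.bentley.com"                      # iTwin Platform base URI


def build_token_request(client_id: str, client_secret: str, scope: str = "itwin-platform"):
    """Return (url, headers, form-encoded body) for the token endpoint POST."""
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, urllib.parse.urlencode(params)


def parse_token_response(status: int, body: bytes) -> str:
    """Extract the access token; anything but 200 with a Bearer token is an error."""
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise RuntimeError("unexpected token response shape")
    return data["access_token"]


def api_headers(token: str) -> dict:
    """Authorization header for subsequent iTwin Platform API calls."""
    return {"Authorization": f"Bearer {token}"}


def main():
    # Credentials come from the environment, never from source code (names assumed).
    url, headers, body = build_token_request(os.environ["ITWIN_CLIENT_ID"],
                                             os.environ["ITWIN_CLIENT_SECRET"])
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:   # network call
        token = parse_token_response(resp.status, resp.read())
    req = urllib.request.Request(f"{API_BASE}/users/me", headers=api_headers(token))
    with urllib.request.urlopen(req, timeout=30) as resp:   # test the token
        print(resp.status, resp.read().decode())


if __name__ == "__main__":
    main()
```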
Test your token
If you received a 200 OK response to your token request, you have successfully obtained a token. You can use this token to call various iTwin Platform APIs. You can try making an API call to the users/me endpoint to test your token. On success, this request returns the profile information for the user account associated with the token received.
Remember, the iTwin Platform Base URI is api.bentley.com.