Client ID Authentication with a Password

Important: While, for convenience and backward compatibility reasons, the Authentication Service supports passwords for Client IDs, we strongly recommend using PKI (certificate-based) authentication instead. For further information, see Client ID Authentication with JWT (PKI).

Registering a Client ID with a Password

See Managing Users, Groups and Roles - Register a Client ID (Or a Client ID for M2M)

Authenticating a Client ID with a Password 

What you need:

  • A registered Client ID, set up with a password-based client secret.
Note: The only valid password-based authentication policy for Client IDs is AT_SYSLOG. For further information about this policy and its constraints, see Authentication Policies in the HID Authentication Service.

In order to authenticate the Client ID and obtain an Access Token, simply use the authn/token endpoint of the HID Authentication Service OpenID API. 

  • grant_type must be set to client_credentials
  • The credentials must be passed through the HTTP Basic authentication mechanism: each part is URL-encoded, the two parts are joined with a colon, and the result is base64-encoded.

Let's assume here that we registered a Client ID with an external ID 473860565698665592940942231026762145082188268181 and a password MyClientID123456?. 

The HTTP basic authentication string to pass as part of the HTTP Authorization header is computed this way: 

Basic + " " + base64Encode( urlEncode( "473860565698665592940942231026762145082188268181" ) + ":" + urlEncode( "MyClientID123456?" ) )

// Which results in "Basic NDczODYwNTY1Njk4NjY1NTkyOTQwOTQyMjMxMDI2NzYyMTQ1MDgyMTg4MjY4MTgxOk15Q2xpZW50SUQxMjM0NTYlM0Y=".
Important:
  • If the password is incorrect, the Authentication Service response contains an HTTP 400 Bad Request error.
  • Do not forget to URL-encode the external ID and the password of the client before base64-encoding them! Failing to do so can lead to the Authentication Service misinterpreting the characters you passed, and thus to authenticators being disabled after too many failed attempts.
POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Authorization: Basic NDczODYwNTY1Njk4NjY1NTkyOTQwOTQyMjMxMDI2NzYyMTQ1MDgyMTg4MjY4MTgxOk15Q2xpZW50SUQxMjM0NTYlM0Y=
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
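The following Python is an added example, not part of HID's documentation or SDK: it computes the Authorization header above from the page's sample credentials, decodes it back, and assembles (without sending) the token request. It assumes standard percent-encoding of every reserved character (Python's quote with safe="") and uses a placeholder base URL.

```python
import base64
from urllib.parse import quote, unquote


def build_basic_auth_header(client_id, client_secret):
    """Return the Authorization header value for the client_credentials grant.

    Each credential is percent-encoded on its own (safe="" so that ':', '/'
    and '?' are all encoded), then joined with ':' and base64-encoded.
    """
    userinfo = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(userinfo.encode("utf-8")).decode("ascii")


def parse_basic_auth_header(header):
    """Inverse of build_basic_auth_header: recover (client_id, client_secret).

    Splitting on the first ':' is only unambiguous because the encoding step
    turned any ':' inside a credential into '%3A'; an unencoded secret such
    as 'a:b' would otherwise be split in the wrong place.
    """
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic" or not payload:
        raise ValueError("not an HTTP Basic Authorization header")
    userinfo = base64.b64decode(payload, validate=True).decode("utf-8")
    enc_id, _, enc_secret = userinfo.partition(":")
    return unquote(enc_id), unquote(enc_secret)


def build_token_request(base_url, tenant, client_id, client_secret):
    """Assemble the POST shown on the page as a dict; nothing is sent."""
    return {
        "method": "POST",
        "url": f"{base_url}/{tenant}/authn/token",
        "headers": {
            "Authorization": build_basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": "grant_type=client_credentials",
    }


if __name__ == "__main__":
    # Sample credentials from the page's worked example.
    ext_id = "473860565698665592940942231026762145082188268181"
    password = "MyClientID123456?"
    header = build_basic_auth_header(ext_id, password)
    print(header)
    print(parse_basic_auth_header(header))
    # "https://example.invalid" is a placeholder for [base-server-url].
    print(build_token_request("https://example.invalid", "tenant", ext_id, password)["url"])
```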

The Response

The returned response contains an access token; it allows you to use the Authentication Service APIs and identifies your user's unique session:

Client Credentials Authentication API Response
{"access_token":"FnMOZwAAAWupkj2WCQzBvB35NDoIMAecsCdq4FLD","token_type":"Bearer","expires_in":3600}

To see what we can do with the response, see Making the most of OPENID Tokens.