ASO OAuth 2.0 Authorization Using Client Credentials Grant Type version v22.3.0.0

https://auth.aso-api.jaggaer.com/

The client credentials grant allows a trusted server-side software component to obtain a long-term system-to-system bearer access token. This token allows a client back-end system to make requests to system (non-user) end-points on a resource server.

A system-to-system bearer access token does not grant the possessor:

  • an inherently administrative “superuser” level of access;
  • access to all end-points;
  • access to user-centric end-points; nor
  • the ability to proxy as a user.

Note: In any production scenario, all communications to and from the authorization server must occur over TLS.

Bearer Token Issuance

Sequence

Sequence

Once issued, a bearer access token is used identically to other grant types; It is appended to all calls to a resource server, after the authentication scheme (Bearer) in the Authorization HTTP request header.

Sequence

post

post

Retrieve a system-to-system bearer access token.

Retrieve a system-to-system bearer access token.

Headers

  • X-API-Key: required(string)

    API key.

    Example:

    7BpB136Rfj75IOabv55iQ6ACgLu9AKpWn3FG0gxd
  • Accept: required(string)

    Informs the server about which mediatypes are acceptable in the response.

    Example:

    application/json
  • Content-Type: required(string)

    Informs the server of the mediatype of the entity-body to be sent in the request.

    Example:

    application/x-www-form-urlencoded
  • Authorization: required(string)

    Contains the credentials to authenticate a client agent with a server.

    Note: The value appearing after the authentication schema (Basic) is the Base64-encoded concatenation of the clientId, a colon, and a the client secret.

    $ echo -n "$clientId:$clientSecret" | base64 -w0

    Example:

    Basic abcd1234

Query Parameters

  • grant_type: required(string)

    Indicates the type of grant being presented in exchange for an access. To be issued a system-to-system bearer access token always use 'client_credentials'.

    Example:

    client_credentials
  • scope: (string)

    Indicates the requested authorization scope. Depending on the type of client making the request scope may or may not be required. If the client is an admin client (internal ASO integration partner) then the scope will need to be included in the BAT request, and should contain a valid ASO customer host ID. If the client is a non-admin client (external ASO customer) then the scope should be omitted because an ASO customer host ID is already associated with the client and any requested BAT will already be implicitly scoped to this customer host. For some internal clients, scope can contain a SHA512 hashed ASO user session value.

    Examples:

    customer-host-scope:

    275

    session-hash-scope:

    3525e4360f4e12be36c179508dcf1a99712574f8396b647a6f60a0b8d25ceecb0db08cd53027eab4b143c5a970805b14cb4fb56887de8722df2543b48f8931ce

HTTP status code 200

Success. Bearer access token is returned in response entity.

Body

Media type: application/json

Type: object

Properties
  • scope: required(string)

    Authorized scopes of the token.

    Example:

    274
  • access_token: required(string)

    OAuth 2.0 Bearer Token used to access the client configuration endpoint.

    Example:

    94d59654-47a4-4ad7-9fca-a965239f186e
  • token_type: required(string)

    Type of the token.

    Example:

    bearer
  • expires_in: required(number)

    Time token is valid in seconds.

    Example:

    86400

Example:

{
  "scope": "read",
  "access_token": "94d59654-47a4-4ad7-9fca-a965239f186e",
  "token_type": "bearer",
  "expires_in": 86400
}

HTTP status code 400

Invalid request; invalid client ID; invalid scope; unsupported grant type

Body

Media type: application/json

Type: object

Properties
  • error: required(string)

    Error code.

    Example:

    unauthorized_client
  • error_description: required(string)

    Error description.

    Example:

    The client_id is unknown

Example:

{
  "error": "unauthorized_client",
  "error_description": "The client_id is unknown"
}