Authentication
An access token is required to access a ContentGrid Application.
Access tokens are always obtained through OpenID Connect (OIDC). The authentication token contains user identity information and the IAM attributes assigned to the user.
OIDC clients
To identify the application that performs the authentication, an OIDC client needs to be registered in the Organization’s IAM Realm. An Organization can have multiple IAM Realms; ensure you are using the same Realm as the one used by the Application.
An OIDC client can be configured in the “Clients” tab of the IAM Realm.
Setting up an OIDC connection requires 3 configuration parameters that can be obtained from the OIDC client page:
- Issuer URI
- Client ID
- Client Secret
OIDC configuration can be discovered from the Issuer URI using OIDC Discovery. If OIDC discovery is not supported by your software, you can obtain the authorization and token endpoints manually from the discovery document, but this is not recommended.
Service account authentication
When using service account authentication, the access token is issued with its own privileges instead of with the privileges of a user.
To authenticate as a service account, you need to use the Client credentials grant.
By default, no IAM attributes are assigned to a service account. They need to be set up if the applicable permission policies require them to grant access.
curl "https://auth.$REGION.contentgrid.cloud/realms/$REALM/protocol/openid-connect/token" \
-u "$CLIENT_ID:$CLIENT_SECRET" \
-d grant_type=client_credentials
User authentication
When using user authentication, the access token is issued with the privileges of the user.
To use user authentication, you need to use the Authorization code grant. This flow necessarily includes a pass through the user’s web browser to obtain an access token.
Supplying credentials to the application
The access token is supplied to the application by using bearer authorization.
Other methods of supplying access tokens (like an access_token query parameter or form-encoded body parameter) are not supported.
curl -i https://$APP_ID.$REGION.contentgrid.cloud/ \
-H "Authorization: Bearer $TOKEN"
GET / HTTP/1.1
Authorization: Bearer $TOKEN
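The service account flow described above, end to end, as an added Python example that is not ContentGrid's own code: it resolves the token endpoint through OIDC Discovery instead of hard-coding it, checks that the discovery document belongs to the configured Issuer URI, performs the Client credentials grant, and sends the token only as a bearer header. All function names are hypothetical, and the sample issuer and discovery document are constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample discovery document (hypothetical issuer, not a real realm).
SAMPLE_ISSUER = "https://auth.example/realms/demo"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "token_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/token",
}

def discovery_url(issuer):
    """OIDC Discovery publishes metadata under the issuer's well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def token_endpoint(issuer, discovery_doc):
    """Return the token endpoint, refusing metadata for a different issuer."""
    if discovery_doc.get("issuer") != issuer:
        raise ValueError("discovery document issuer does not match Issuer URI")
    endpoint = discovery_doc["token_endpoint"]
    if urllib.parse.urlsplit(endpoint).scheme != "https":
        raise ValueError("token endpoint must use https")
    return endpoint

def token_request(endpoint, client_id, client_secret):
    """Client credentials grant with HTTP Basic client authentication (like curl -u)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(endpoint, data=body, method="POST",
                                  headers={"Authorization": "Basic " + basic})

def app_request(app_url, access_token):
    """Attach the token as a bearer header; never place it in the URL."""
    if "access_token" in urllib.parse.parse_qs(urllib.parse.urlsplit(app_url).query):
        raise ValueError("access tokens must not be sent as a query parameter")
    return urllib.request.Request(app_url, headers={"Authorization": "Bearer " + access_token})

def fetch_json(request):
    """Send a prepared request and decode the JSON response body."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)

def service_account_token(issuer, client_id, client_secret):
    """Network path: discover the endpoint, then request a service account token."""
    doc = fetch_json(urllib.request.Request(discovery_url(issuer)))
    request = token_request(token_endpoint(issuer, doc), client_id, client_secret)
    return fetch_json(request)["access_token"]
```

Only `fetch_json` and `service_account_token` touch the network; the other functions can be exercised offline against the constructed sample.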