Inbound OAuth - Client Credentials

Sometimes an OAuth client acts on its own behalf as a system, rather than with authority delegated by another user. The Client Credentials mechanism in OAuth covers this case.

When using Client Credentials, an external system has a single user and role representing "itself" in ONE's system, and it is granted tokens associated with that user/role.

Systems wishing to use Client Credentials to connect should first ask ONE to create an OAuthIBClientApp on their behalf. When creating it, ONE should populate the "ClientCredsUserAssoc" field to identify the user/role which will be associated with the tokens granted.

When the client system needs a token, it should call the /oms/oauth/access_token endpoint. It should provide a parameter grant_type=client_credentials, and should provide its client id and client secret as a Basic Authorization header, i.e. Authorization: Basic value where value = base64encoded(client_id:client_secret).

The /oms/oauth/access_token endpoint will return a token in JSON, which includes the token's expiry time in seconds (the expires_in field).

$ curl --request POST \
    --url 'https://rtvn9999.onenetwork.com/oms/oauth/access_token?grant_type=client_credentials' \
    --user 'b9af8498f7127f94830c67f51e7ccf36:215f93aa68e54c59a83d1cc2434dc9ba' \
    --header 'content-type: application/x-www-form-urlencoded' \
    --data grant_type=client_credentials
{"access_token":"2kj05ko7r302oi879ahfhptnnt","token_type":"bearer","expires_in":3600}


With this token in hand, the client can then call APIs, providing the token either as a header or as a parameter, as they prefer.

$ curl 'https://rtvn9999.onenetwork.com/oms/rest/version?access_token=2kj05ko7r302oi879ahfhptnnt'
{"Version":"3.2","BuildId":"778925","BuildDate":"2020-08-25T02:56:35-05:00","Module":"Platform"}


$ curl -H 'Authorization: Bearer 2kj05ko7r302oi879ahfhptnnt' https://rtvn9999.onenetwork.com/oms/rest/version
{"Version":"3.2","BuildId":"778925","BuildDate":"2020-08-25T02:56:35-05:00","Module":"Platform"}
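
The flow above as an added Python example (not ONE's own code): it builds the token request with the Basic Authorization header described on this page, reuses the token until shortly before expires_in elapses, and presents it as a Bearer header so the token stays out of request URLs. build_token_request, fetch_token, TokenCache and the 60-second skew are hypothetical names and values chosen for illustration; sending grant_type only in the form body is an assumption.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/oms/oauth/access_token"  # endpoint named on this page


def build_token_request(base_url, client_id, client_secret):
    """Build the token POST: Basic auth header plus grant_type (form body, assumed)."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH,
        data=body,
        method="POST",
        headers={
            "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def fetch_token(request):
    """Send the request and decode the JSON token response."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuse a token until shortly before it expires (hypothetical helper)."""

    def __init__(self, request, fetch=fetch_token, clock=time.monotonic, skew=60):
        self._request, self._fetch, self._clock, self._skew = request, fetch, clock, skew
        self._token, self._deadline = None, 0.0

    def bearer_header(self):
        """Return the Authorization header for API calls, refreshing if needed."""
        now = self._clock()
        if self._token is None or now >= self._deadline:
            reply = self._fetch(self._request)
            if reply.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in response")
            self._token = reply["access_token"]
            # Refresh `skew` seconds early so a token never expires mid-request.
            self._deadline = now + max(int(reply["expires_in"]) - self._skew, 0)
        return {"Authorization": "Bearer " + self._token}
```

Load the client id and secret from a secrets store or environment variable rather than embedding them in source.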