Authentication to the REST services

Two methods can be used to handle authentication to the REST services.

Client Credential Flow

If an authentication endpoint is configured, a callout is made to an OAuth 2.0 service by using the Client Credential flow (see OAuth 2.0 RFC 6749, section 4.4). The identity used for authentication is taken from the configured client-id and client-secret. The identity token that is returned from this service is then passed as an authorization header in subsequent calls. For example:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "example_parameter":"example_value"
}

IBM Security Verify Access only uses the "access_token" which is returned in the response. It ignores any other fields which are contained in the response.

If an error occurs during authentication, a corresponding error page is returned to the client.

Basic Authentication

If an authentication endpoint has not been configured, a Basic Authentication token is generated from the configured client-id and client-secret and then passed as an authorization header in subsequent calls.
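
The choice between the two methods above, as an added Python example (not IBM Security Verify Access code): it takes only "access_token" from a token response, or builds the Basic token when no endpoint is configured. The function names, the Bearer scheme for the returned token, and the sample client-id and client-secret are assumptions.

```python
import base64
import json

# Constructed sample: the token response body shown on this page.
SAMPLE_TOKEN_RESPONSE = """{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "example",
  "expires_in": 3600,
  "example_parameter": "example_value"
}"""


def basic_credentials(client_id: str, client_secret: str) -> str:
    """RFC 7617 Basic credentials: base64 of "client-id:client-secret".

    This is an encoding, not encryption; anyone who sees the header can
    recover the secret, so the callout has to run over TLS.
    """
    if ":" in client_id:
        # The first colon separates id from secret, so an id containing
        # one would be split in the wrong place by the receiver.
        raise ValueError("client-id must not contain ':'")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def extract_access_token(response_body: str) -> str:
    """Return only "access_token"; every other field is ignored."""
    data = json.loads(response_body)
    token = data.get("access_token") if isinstance(data, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("token response carries no usable access_token")
    return token


def authorization_header(client_id, client_secret, token_response=None):
    """Pick the header value for the subsequent REST calls.

    token_response is the body returned by the configured authentication
    endpoint, or None when no endpoint is configured (hypothetical API).
    """
    if token_response is not None:
        # Assumption: the token is sent with the Bearer scheme (RFC 6750).
        return "Bearer " + extract_access_token(token_response)
    return "Basic " + basic_credentials(client_id, client_secret)
```
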
