API Authentication
Like every other component of Osie, the API service relies on a third-party OpenID identity provider to authenticate requests.
Once you have generated a JWT access_token through the identity provider, pass it in an Authorization: Bearer <access_token> header on every API request.
By default, the Helm Chart installation configures Keycloak as the OpenID provider for the API as well.
If you choose to use another OpenID identity provider, the API service can be configured accordingly.
API Credentials from Keycloak
By default, Osie expects you to use the API client_id osie-admin-api. That can be changed as described below.
Log in to Keycloak as an admin, then navigate to the master realm > Clients and create an osie-admin-api client.
1. Create the API client
- Enable the "Service account" option
2. Enable the client_credentials flow
- Enable the "Client authentication" option
- Enable the "Service account roles" option
3. Grab the client_id and client_secret
Generate an access token
curl --location 'https://<your-keycloak-endpoint>/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=osie-admin-api' \
--data-urlencode 'client_secret=<client_secret_revealed>' \
--data-urlencode 'grant_type=client_credentials'
The response will give you the access token.
{
  "access_token": "the_jwt_access_token",
  "expires_in": 3600,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0,
  "scope": "profile email"
}
Please note that the access_token expires. Make sure you always call the APIs with a valid access_token; otherwise the API returns a 401 Unauthorized response.
Call an API Endpoint
curl --location 'https://demo.osie.io/public/admin/v1/projects?limit=10' \
--header 'Authorization: Bearer the_jwt_access_token'
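An added example, not part of Osie's documentation or code: a small Python client-side cache that requests the token with the same client_credentials form fields as the curl call above and renews it shortly before expires_in elapses, so requests are not sent with an expired token. The TokenCache class, the 30-second skew and the invalidate() helper are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholder endpoint copied from the page; replace <your-keycloak-endpoint>.
TOKEN_URL = "https://<your-keycloak-endpoint>/realms/master/protocol/openid-connect/token"


def fetch_token(client_id, client_secret, url=TOKEN_URL):
    """POST the client_credentials grant with the same form fields as the curl call."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    # urllib sends a bytes body as application/x-www-form-urlencoded by default.
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: caches access_token and renews it before expires_in runs out."""

    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch = fetch    # callable returning the token response as a dict
        self._skew = skew      # safety margin in seconds before the stated expiry
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expires_at:
            resp = self._fetch()
            if resp.get("token_type", "").lower() != "bearer" or "access_token" not in resp:
                raise ValueError("unexpected token response")
            lifetime = max(0, int(resp.get("expires_in", 0)) - self._skew)
            self._token = resp["access_token"]
            self._expires_at = self._clock() + lifetime
        return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.token()}

    def invalidate(self):
        """Call after a 401 Unauthorized so the next request fetches a fresh token."""
        self._token = None
```

In real use, construct it as TokenCache(lambda: fetch_token("osie-admin-api", secret)) with the client_secret read from the environment or a secret store rather than written into the script.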
Using another OpenID provider
It is possible to use the OpenID provider of your choice. To make the API service rely on your chosen OpenID provider, modify this section of the values.yaml file:
...
adminApi:
  oauth2:
    clientId: "osie-admin-api" # the client_id used to generate the access_token
    issuerUri: https://your-openid-provider.com/ # the JWT issuer
See the default values.yaml configuration of the Helm Chart.