Authentication

Overview

ClearID leverages OAuth 2.0 to implement machine-to-machine authentication.
There are two different ways you can authenticate with the ClearID API:
Authenticate with client secret
Authenticate with JWT assertion

Both methods retrieve a bearer token and provide exactly the same functionality.

JWT Assertion
Certain developers will prefer JWT assertion because no secret is transmitted: it uses a private key to sign the assertion token, and the server validates it with the public key only. Creating a JWT assertion token is a bit more complex and less standardized.
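
The assertion flow described above, as an added example that is not ClearID's own code: the client signs a short-lived JWT with its private key, and the server checks it with the public key only. The claim set follows RFC 7523, and the RS256 signature is computed with the standard library on a constructed, deliberately weak demo key so the block runs offline. The claim names and algorithm ClearID expects, and the client_id, kid and token URL values, are assumptions; real code would load the key from the downloaded JSON file and sign with a vetted JWT library.

```python
import base64, hashlib, json, time, uuid

# Constructed demo key from two public Mersenne primes: trivially breakable and
# here only so the block runs offline. Real keys come from the downloaded file.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # public modulus, private exponent
K = (N.bit_length() + 7) // 8                 # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def build_assertion(client_id, token_url, kid, now=None, lifetime=60):
    """Client side: sign a short-lived assertion with the private exponent D."""
    now = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": client_id, "sub": client_id, "aud": token_url,  # RFC 7523 claims
              "jti": uuid.uuid4().hex, "iat": now, "nbf": now, "exp": now + lifetime}
    signing_input = ".".join(b64url(json.dumps(part).encode()) for part in (header, claims))
    signature = pow(emsa_pkcs1_v15(signing_input.encode()), D, N)
    return signing_input + "." + b64url(signature.to_bytes(K, "big"))

def verify_assertion(token, token_url, now):
    """Server side: only the public key (N, E) is needed; no secret was sent."""
    signing_input, _, signature = token.rpartition(".")
    header = json.loads(b64url_decode(signing_input.split(".")[0]))
    if header.get("alg") != "RS256":              # pin the algorithm, never trust the header
        raise ValueError("unexpected algorithm")
    recovered = pow(int.from_bytes(b64url_decode(signature), "big"), E, N)
    if recovered != emsa_pkcs1_v15(signing_input.encode()):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(signing_input.split(".")[1]))
    if claims["aud"] != token_url or not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("wrong audience or outside validity window")
    return claims
```

Under RFC 7523 the resulting string is sent to the token endpoint as client_assertion, with client_assertion_type set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.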

Client ID and secret
On the other hand, there are a lot of libraries and examples showing how to authenticate with a client secret and client ID in OAuth, and it is quite simple even without a library.

In both cases, the token service returns a JSON document that contains the bearer token and its expiration, which is usually one hour.

{
  "access_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjIwMTgtMDEtMjYtaWFtcy1zaWduaW5nLWNyZWRlbnRpYWwiLCJ0eXAiOiJhdCtqd3QifQ.eyJuYmYiOjE2NDAwMzAxMjIsImV4cCI6MTY0MDAzMzcyMiwiaXNzIjoiaHR0cHM6Ly9zdHMtZGVtby5jbGVhcmlkLmlvIiwiY2xpZW50X2lkIjoiNjYyNTIyMWYtNGU2Ni00YmM4LTgzMDUtY2I4Y2JkODdiMjFmOmNsZWFyaWRkZW1vcyIsInN1YiI6IjY2MjUyMjFmLTRlNjYtNGJjOC04MzA1LWNiOGNiZDg3YjIxZiIsImF1dGhfdGltZSI6MTY0MDAzMDEyMiwiaWRwIjoibG9jYWwiLCJlbWFpbCI6IjY2MjUyMjFmLTRlNjYtNGJjOC04MzA1LWNiOGNiZDg3YjIxZiIsInJvbGUiOiJTZXJ2aWNlIiwiYWNjb3VudF9pZCI6ImNsZWFyaWRkZW1vcyIsImNsZWFyaWRkZW1vc19zdGF0ZSI6IkFjdGl2ZSIsImNsZWFyaWRkZW1vc19yb2xlIjoiYWRtaW4iLCJjbGVhcmlkZGVtb3NfaXNfZGVsZWdhdGUiOmZhbHNlLCJqdGkiOiIwMDUwRjA3ODk2MjRCNjlGREM5NjFEMTA4QkQ1RDc3MiIsImlhdCI6MTY0MDAzMDEyMiwic2NvcGUiOlsiaWFtcy1hbGwtcGVybWlzc2lvbnMtZGVsZWdhdGVkIiwiaWFtcy1hcGkiLCJpYW1zLXJvbGVzIiwib3BlbmlkIl0sImFtciI6WyJhc3NlcnRpb24iXX0.kO3QzR9KP8pQxu4juBtpotk1Gdfpt095f9V8Xx75tW3ZzjK5kNB8ZEjJKe34p8oe_YAou_6xFL_lrIc3L0X4I9qJaV-8RDnCzyw2hWw2Vh4TGpwNgfM-BE6e7NZzfvWsmByYCrQQqLNqtKyPirjNgYeO_dLtGdfSbHpBayV7r-nuurGNAc1I0Y5wtoo6vbuKtmXCYl59mD22kYE4o2ucVtt94P8RkoXPD6eTY0TNB-C1e1IQyGrMdlqcmff9TiUhrAIwSWmxr4E-4JlYdVqahZoLSg2ZnmpnSCAnQbCy568SEa-is9WbSO2LNhsKBW7_URa7rQ2-oDyC8h2pCDFXhg",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "iams-all-permissions-delegated iams-api iams-roles openid"
}

How to find the STS base address, client_id, accountid, kid, key to sign...

In order to build generic code that can work with any ClearID customer, the code you develop should not contain a hardcoded base URL, account ID, or cryptographic keys.

The administrator of a ClearID account can download a JSON file that your integration should be able to use as a configuration file. That JSON file can be downloaded by any administrator of the ClearID account in Administration -> Automation.

After creating a Service User on the Automation page, you can generate a new key. You will then have the option to download the authentication file, which is a very useful JSON document.
