Illustration

Sending an Authorization Request from a Client App (Registered for the Client Credentials Flow)

This application sends an authorization request to the token endpoint of our OpenID Identity Server and receives an access token in response.

The implementation in this app sends an HTTP request to the OpenID Identity Server using the TokenClient class. This class is provided by the NuGet package named "IdentityModel".

The TokenClient class has a constructor that takes three parameters: the URL of the OpenID Identity Server token endpoint, the ClientID, and the ClientSecret.

After constructing the TokenClient object, the authorization request can be sent with the required scope name. The C# implementation is as follows:

    using IdentityModel.Client;   // from the NuGet package "IdentityModel"

    // Build the client with the token endpoint URL, the ClientID and the ClientSecret
    TokenClient tokenClient = new TokenClient(
        _OpenIDSiteUrl + "identity/connect/token",   // URL to token endpoint
        UserID,                                      // ClientID
        Password);                                   // ClientSecret

    // Request a token for the required scope (must be called from an async method)
    TokenResponse response = await tokenClient.RequestClientCredentialsAsync("ODataApi");   // "ODataApi" is the required scope name

Registration

To get an access token through this app, the client application must have been registered with the OpenID Identity Server.

Client applications must be registered with the OpenID Identity Server before they can work with it.

If you are taking part in our alpha phase, CRMLS has pre-registered your account and you should have received an email with your pre-registered credentials.

The client applications have been registered for the Client Credentials Flow with the required scope name ODataApi. The client claims should include the ClientClass claim.


Authentication

When an authorization request (an HTTP request) is submitted, the OpenID Identity Server validates it by checking the ClientID, the ClientSecret, and the required scope name. An access token is issued only if the request passes validation.

The access token must be sent as a Bearer token in the Authorization HTTP header of each request sent to the OData Web API service.

The access token presented to the OData Web API is either a JWT token or a reference token. Each client app has its own settings that determine which type of access token the identity server issues to it. The CRMLS System Admin can change these settings for each client app.

For a JWT token, the API verifies the JWT signature, the scope name, and the time stamps to determine whether the token is valid. For a reference token, the API sends an HTTP request containing the reference token to the OpenID Identity Server introspection endpoint; the server validates the token and returns a JSON payload containing various claims about the authenticated client app.

Special Note: The access token always expires one hour after the timestamp at which it was generated. You can either come back here to receive a new token or send an HTTP request from your client application to the token endpoint.

The ClientClass claim indicates the authorization privilege of the client, and the ClientID claim value is used in logging information to indicate the client app that sent the query request to the OData Web API.
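The pieces above (the client-credentials request, the Bearer header, and the one-hour expiry) combined into one helper class. This is an added example, not CRMLS code; the class name ODataApiClient, the 60-second renewal margin, and the odataUrl parameter are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using IdentityModel.Client;   // TokenClient / TokenResponse from the "IdentityModel" NuGet package

// Hypothetical helper (not CRMLS code): requests a client-credentials token,
// caches it, and renews it shortly before the one-hour lifetime ends.
public class ODataApiClient
{
    private readonly TokenClient _tokenClient;
    private readonly HttpClient _http = new HttpClient();
    private string _accessToken;
    private DateTime _expiresAtUtc = DateTime.MinValue;

    // openIdSiteUrl, clientId and clientSecret come from the CRMLS registration e-mail
    public ODataApiClient(string openIdSiteUrl, string clientId, string clientSecret)
    {
        _tokenClient = new TokenClient(openIdSiteUrl + "identity/connect/token", clientId, clientSecret);
    }

    private async Task<string> GetAccessTokenAsync()
    {
        // Reuse the cached token until 60 s (assumed margin) before it expires,
        // so an in-flight request never carries a stale token.
        if (_accessToken != null && DateTime.UtcNow < _expiresAtUtc.AddSeconds(-60))
            return _accessToken;

        TokenResponse response = await _tokenClient.RequestClientCredentialsAsync("ODataApi");
        if (response.IsError)   // e.g. wrong ClientSecret or unregistered scope
            throw new InvalidOperationException("Token request failed: " + response.Error);

        _accessToken = response.AccessToken;
        _expiresAtUtc = DateTime.UtcNow.AddSeconds(response.ExpiresIn);   // 3600 per the note above
        return _accessToken;
    }

    // Sends an authenticated GET to the OData Web API; odataUrl is an assumed service address.
    public async Task<string> GetAsync(string odataUrl)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, odataUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetAccessTokenAsync());

        HttpResponseMessage apiResponse = await _http.SendAsync(request);
        if (apiResponse.StatusCode == HttpStatusCode.Unauthorized)
            _accessToken = null;   // API rejected the token (signature, scope or expiry): re-request next time
        apiResponse.EnsureSuccessStatusCode();
        return await apiResponse.Content.ReadAsStringAsync();
    }
}
```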
