Version: 1.0.0

Authentication

OAuth2

Iopole APIs use the OAuth 2.0 protocol with the client_credentials flow to authenticate clients and restrict access to the solution.
This protocol requires you to request a token before using our APIs.

| Parameter | Value | Mandatory | Description |
|---|---|---|---|
| client_id | The Client ID | yes | The ID of the requesting client |
| client_secret | The client secret | yes | The secret of the client |
| grant_type | client_credentials | yes | Tells the token endpoint to perform the Client Credentials flow. |
| scope | Space separated string of scopes | no | List the scopes the client is requesting access to. |

RFC Documentation

Parameter : https://www.rfc-editor.org/rfc/rfc6749#section-4.4
Response : https://www.rfc-editor.org/rfc/rfc6749#section-4.4.3


Information
The Client credentials flow allows you to obtain a token for a duration of 10 minutes, after which you will need to request a new one.

Example request for obtaining a token:


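    const got = require('got');

    // Request an access token with the client_credentials grant.
    // `await` is only valid inside an async function in CommonJS.
    async function getToken() {
      const token = await got.post('https://auth.ppd.iopole.fr//realms/iopole/protocol/openid-connect/token', {
        // `form` sends the fields as an application/x-www-form-urlencoded body
        form: {
          grant_type: 'client_credentials',
          client_id: 'clientId',
          client_secret: 'clientSecret'
        },
        headers: {
          'Content-type': 'application/x-www-form-urlencoded'
        }
      }).json();
      return token;
    }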
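
Because a token is only valid for 10 minutes, a client usually caches it and requests a new one shortly before it expires instead of calling the token endpoint on every request. The following is an added example, not Iopole's own code: `createTokenProvider`, `requestToken`, the 30-second safety margin and the environment variable names are assumptions, and it uses the `fetch` built into Node 18+ instead of `got`.

```javascript
// Added example: cache the access token and renew it shortly before expiry.
// TOKEN_URL is the endpoint shown on this page; all other names are assumptions.
const TOKEN_URL = 'https://auth.ppd.iopole.fr//realms/iopole/protocol/openid-connect/token';

// Default fetcher: client_credentials grant using the global fetch of Node 18+.
async function requestToken({ tokenUrl, clientId, clientSecret }) {
  const res = await fetch(tokenUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
    }),
  });
  // Report only the status: the request body holds the secret and is never echoed.
  if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
  return res.json(); // access_token, token_type, expires_in (RFC 6749 section 4.4.3)
}

function createTokenProvider({ clientId, clientSecret, tokenUrl = TOKEN_URL,
  fetcher = requestToken, now = Date.now, skewSeconds = 30 }) {
  if (!clientId || !clientSecret) throw new Error('client credentials are not configured');
  let cached = null;   // { token, expiresAt }
  let inFlight = null; // shared promise so concurrent callers trigger one request

  return async function getToken() {
    if (cached && now() < cached.expiresAt) return cached.token;
    if (!inFlight) {
      inFlight = fetcher({ tokenUrl, clientId, clientSecret })
        .then((body) => {
          // Fall back to the documented 10-minute lifetime if expires_in is absent.
          const lifetime = Number(body.expires_in) || 600;
          cached = { token: body.access_token, expiresAt: now() + (lifetime - skewSeconds) * 1000 };
          return cached.token;
        })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Usage (hypothetical variable names): the secret is read from the environment,
// not written into source code.
// const getToken = createTokenProvider({
//   clientId: process.env.IOPOLE_CLIENT_ID,
//   clientSecret: process.env.IOPOLE_CLIENT_SECRET });
```
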

Restricted access

Access to some Iopole APIs is restricted by role.

There are two main roles: administrator (admin) and user.

  • The administrator role grants permission to manage the customization of Iopole. For example, it allows you to add a webhook or a new participant.

[Image: swaggerOperatorConfigurationApi.png]

  • The user role allows you to send an invoice, send a status, or look into the directory.

[Image: swaggerOperatorInvoicingApi.png]

Danger
Security Notice - Client Secret Management
The client secret provided for the OAuth2 Client Credentials flow must be stored securely. If you believe the client secret has been compromised, or if there is a suspicion that it might be, please contact our team immediately to request a rotation. Ensure the client secret is never exposed in logs, code, or unsecured locations.