Question

Machine to Machine with OpenID

I've created a client application that is supposed to log to the Thinkwise database every x minutes to show it's alive.

There will be around 1500 clients that would basically use the same access token, as I will use a local parameter to differentiate the different logs.

To prevent having 1500 logins every x minutes, I presume it's preferable to use the token / refresh token.


I'm trying to configure the OpenID Machine-to-Machine integration as described here:
Client applications | Thinkwise Documentation (thinkwisesoftware.com)

The big question for me is: Now what? 

I've looked for documentation about how to test the configuration in Insomnia/Postman, but I've not found any help here.

Could you help me with these questions for configuring in Insomnia, to use the OAuth 2.0 flow with client credentials:

1. I set the URL to the URL I want to retrieve access from: GET <base_url>/organizations
2. Grant type: Client credentials
3. Access token URL: WHAT SHOULD THIS BE?
4. Client ID: I presume this should be what is configured in the field "client" in the client application configuration?
5. I filled in the configured secret here

Could you help me with this configuration?


Hello @tiago,

You're almost there. To your points:

  1. Correct.
  2. Correct.
  3. The URL is /connect/token, prefixed of course by the root URL of your Indicium.
  4. Correct.
  5. Correct.

I hope this helps.

Hey Vincent,

Am I still missing something?

Does scope still need to be filled in?


Hello @tiago,

You will need to remove the /iam/par sections from the Access Token URL.


Additionally, the BearerTokenAuthority needs to be configured in the appsettings.json.

Otherwise you will get an error something like:

Bearer error="invalid_token", error_description="The issuer 'https://localhost:5001' is invalid"

So in your case you can add the following, where <server> is the hostname of your server:

"BearerTokenAuthority": "https://<server>/indicium",


I read your first post again, it seems you are trying to make sure that Indicium can access the database.

Did you read about our Health check endpoint? It might be enough for your use case.
Users without authentication (or without developer rights) just get a Status: Healthy/Degraded back.

Endpoints | Thinkwise Documentation (thinkwisesoftware.com)

Or the release notes of the feature: Release notes Indicium (2023.3.11) | Thinkwise Community (thinkwisesoftware.com)


@Vincent Doppenberg thank you again. 

<base_url>indicium/connect/token gives a 404
<base_url>indicium/iam/connect/token gives a 401
<base_url>indicium/iam/par/connect/token gives a 401

Should there be any adjustments in some config file, like @Dick van den Brink suggested?

@Dick van den Brink thanks for thinking along :-)

I actually want to do inserts and updates in the database, so authentication is required. In the POC for the customer I'm using basic authentication with username and password to do an insert in the db every 5 minutes.

But this seems like overkill for a possible scenario where there will be around 1500 clients.


Hello @tiago,

It seems like you haven't configured a Client Application in IAM. Where did you get the client ID and client secret from? Did you perhaps configure an OAuth Server in the Software Factory?

To make this work, you will have to configure a Client Application, documentation on which can be found here. When configuring the Client Application, make sure that the Enabled checkbox is checked as well. Also note that adding or changing a Client Application in IAM requires a restart of Indicium to take effect.

Once you have configured the Client Application in IAM and restarted Indicium, you should be able to visit the following URL in the browser:

https://<base_url>/indicium/.well-known/openid-configuration

If this URL doesn't serve you a JSON document, then I'm inclined to think that there might be something going wrong with routing or processing at the web server level.

If you do get a JSON document, you will find a token_endpoint property in it, which contains the Access Token URL that Insomnia expects. This URL should be equal to:

https://<base_url>/indicium/connect/token

If the URL is different than this (i.e. it's http instead of https, the domain name is different or the /indicium base path is different), then this could indicate a problem with or a lack of reverse proxy settings.

"Should there be any adjustments in some config file, like @Dick van den Brink suggested?"

Yes, Dick is correct that this setting needs to be added to the appsettings.json file of Indicium in order for authentication with an access token to succeed.

I hope this helps.
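The checks described in this reply, as an added example that is not code from the thread or from Thinkwise: it compares the token_endpoint advertised by the discovery document with what the public base URL implies (scheme, host and /indicium base path), then obtains a client-credentials token and caches it until shortly before expires_in, so a heartbeat client does not re-authenticate on every run. The base URL, client id, secret and both discovery documents are constructed placeholders; sending the client credentials as an HTTP Basic header (rather than in the form body) is an assumption, switchable with secret_in_body.

```python
# Added example (not Thinkwise's or the thread's code). Assumes an Indicium
# published at BASE_URL and a Client Application whose id/secret the caller
# supplies. Discovery documents below are constructed for illustration.
import base64
import json
import time
from urllib.parse import urlencode, urlparse
from urllib.request import Request, urlopen

EXPIRY_MARGIN = 60  # seconds; fetch a new token this long before the old one expires

# Constructed sample: what a correctly proxied Indicium would advertise.
GOOD_DISCOVERY = {
    "issuer": "https://app.example.com/indicium",
    "token_endpoint": "https://app.example.com/indicium/connect/token",
}
# Constructed sample: Indicium behind a reverse proxy that does not forward the
# public scheme/host/path, so it advertises its own internal address.
PROXY_BROKEN_DISCOVERY = {
    "issuer": "https://localhost:5001",
    "token_endpoint": "https://localhost:5001/connect/token",
}


def expected_token_endpoint(base_url: str) -> str:
    """The Access Token URL Insomnia should be given for a public base URL."""
    return base_url.rstrip("/") + "/indicium/connect/token"


def check_discovery(doc: dict, base_url: str) -> list:
    """Return a list of mismatches between the advertised token_endpoint and the
    expected one; an empty list means the reverse proxy settings look right."""
    advertised = doc.get("token_endpoint")
    if not advertised:
        return ["discovery document has no token_endpoint"]
    want, got = urlparse(expected_token_endpoint(base_url)), urlparse(advertised)
    problems = []
    if got.scheme != want.scheme:
        problems.append(f"scheme: got {got.scheme!r}, expected {want.scheme!r}")
    if got.netloc != want.netloc:
        problems.append(f"host: got {got.netloc!r}, expected {want.netloc!r}")
    if got.path != want.path:
        problems.append(f"path: got {got.path!r}, expected {want.path!r}")
    return problems


def fetch_discovery(base_url: str) -> dict:
    """Live fetch of /indicium/.well-known/openid-configuration (needs network)."""
    url = base_url.rstrip("/") + "/indicium/.well-known/openid-configuration"
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


def http_post_form(url: str, fields: dict, headers: dict) -> bytes:
    """Form-encoded POST; production path, replaced by a fake in offline tests."""
    req = Request(url, data=urlencode(fields).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    for name, value in headers.items():
        req.add_header(name, value)
    with urlopen(req, timeout=10) as resp:
        return resp.read()


class ClientCredentialsTokenSource:
    """grant_type=client_credentials with in-memory caching of the access token."""

    def __init__(self, token_endpoint, client_id, client_secret, scope=None,
                 secret_in_body=False, post=http_post_form, clock=time.time):
        self.token_endpoint, self.client_id, self.client_secret = token_endpoint, client_id, client_secret
        self.scope, self.secret_in_body = scope, secret_in_body
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def get_token(self) -> str:
        # Reuse the cached token while it is still valid (with a safety margin).
        if self._token and self._clock() < self._expires_at - EXPIRY_MARGIN:
            return self._token
        fields, headers = {"grant_type": "client_credentials"}, {}
        if self.scope:
            fields["scope"] = self.scope
        if self.secret_in_body:  # client_secret_post style
            fields.update(client_id=self.client_id, client_secret=self.client_secret)
        else:  # client_secret_basic style (assumption: accepted by the server)
            raw = f"{self.client_id}:{self.client_secret}".encode()
            headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
        resp = json.loads(self._post(self.token_endpoint, fields, headers))
        if "access_token" not in resp:
            raise RuntimeError(f"token request failed: {resp.get('error')}: {resp.get('error_description')}")
        self._token = resp["access_token"]
        self._expires_at = self._clock() + float(resp.get("expires_in", 0))
        return self._token
```

Run check_discovery(fetch_discovery(BASE_URL), BASE_URL) once during setup; a non-empty result points at the web server or proxy configuration, not at the client, and the advertised token_endpoint is what goes into Insomnia's Access Token URL. Each of the 1500 clients keeps its own ClientCredentialsTokenSource, so token requests happen once per expires_in rather than once per heartbeat.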

Ah, probably it's the restart that is missing.
It was indeed the restart that I was not aware of. The URL https://<base_url>/indicium/.well-known/openid-configuration now responds and I get an access token.

Now apparently I need to wait for my colleague to return from holidays to see how we can do that.

I most definitely wouldn't have been able to figure this out by using the documentation. Thanks @Vincent Doppenberg and @Dick van den Brink. To be continued.