oAuth
OAuth is a standard that applications can use to give client applications secure delegated access. With OAuth, access is delegated to client applications without sharing password credentials.
AppViewX can be managed using the web console and API endpoints.
To improve the security of API endpoint access, AppViewX has introduced the oAuth Client Credentials Grant Type.
oAuth Sequence Diagram
- The client application sends a request to the AppViewX server with a Client ID
and Client Secret to get the Access Token.

API: acctmgmt-get-service-token
URL: http://localhost:5300/avxapi/acctmgmt-get-service-token?gwsource=web&gwkey=f000ca01
Method: POST
Header:
Basic Authentication : (base64(clientId:clientsecret))
Payload:
{ "payload": { "grant_type":"client_credentials" } }

- AppViewX validates the Client ID and the Client Secret.
- Once the Client ID and the Client Secret are validated by AppViewX, it
returns the Access token with the expiry time. This is a JWT token. The
client application can decode this JWT token to get all the claims including
the expiry time of that token inside the exp claim.

Response:
{
  "response": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJBcHBsaWNhdGlvbl8xIiwiYXVkIjoiYXZ4IiwiY2xpZW50SWQiOiIwZjM0ZTg0OC1mMDY5LTRjZmItODIwZS0zZGM1M2IzMDE5ZmMiLCJpc3MiOiJhdngiLCJleHAiOjE2NDMxMDc3OTQsImdyYW50IHR5cGUiOiJjbGllbnRfY3JlZGVudGlhbHMifQ.EC6my35MCUsMVC0gsylFqWVzqjgs5Js87Owf1esoano",
  "message": null,
  "appStatusCode": null,
  "tags": null,
  "headers": null
}

Access Token JWT Claims:
{
  "sub": "Application_1",
  "aud": "avx",
  "clientId": "0f34e848-f069-4cfb-820e-3dc53b3019fc",
  "iss": "avx",
  "exp": 1643107794,
  "grant type": "client_credentials"
}

- The client application then accesses the API endpoints with the access token in the “token” header of the API. AppViewX provides the response.
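The client side of this flow, as an added Python example (not AppViewX code): it builds the token request from the first step, decodes the sample access token shown above to read its exp claim, and sets the "token" header only while the token is still valid. The `Authorization: Basic` header form, the `Content-Type` header, the 60-second skew and all function names are assumptions; the claims are read without verifying the signature, so they are used only to decide when to request a new token.

```python
import base64
import json

# Sample access token copied from the response shown on this page.
SAMPLE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiJBcHBsaWNhdGlvbl8xIiwiYXVkIjoiYXZ4IiwiY2xpZW50SWQiOiIwZjM0"
    "ZTg0OC1mMDY5LTRjZmItODIwZS0zZGM1M2IzMDE5ZmMiLCJpc3MiOiJhdngiLCJleHAi"
    "OjE2NDMxMDc3OTQsImdyYW50IHR5cGUiOiJjbGllbnRfY3JlZGVudGlhbHMifQ."
    "EC6my35MCUsMVC0gsylFqWVzqjgs5Js87Owf1esoano"
)


def build_token_request(client_id, client_secret):
    """Headers and body for the acctmgmt-get-service-token POST."""
    # Assumption: "Basic Authentication" means the standard HTTP Basic scheme.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/json"}
    body = json.dumps({"payload": {"grant_type": "client_credentials"}})
    return headers, body


def decode_claims(token):
    """Return the JWT payload claims; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    seg = parts[1]
    # JWT segments are base64url without padding; restore it before decoding.
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(claims.get("exp"), int):
        raise ValueError("token has no numeric exp claim")
    return claims


def needs_refresh(claims, now, skew=60):
    """True when the token is expired or within `skew` seconds of expiry."""
    return now >= claims["exp"] - skew


def api_headers(token, now):
    """Build the 'token' header for an API call; refuse an expired token."""
    if needs_refresh(decode_claims(token), now):
        raise RuntimeError("access token expired or about to expire; request a new one")
    return {"token": token}
```

Pass `int(time.time())` as `now` in real use; the explicit parameter keeps the expiry logic testable against the fixed sample token.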
Example
Refer to the sample screenshot below.

