Customer Authentication

Get a token with Customer type clients

Customer authentication is used primarily for end users who log in from a web or mobile application. Customers must log in through a customer type client, using the client_id and client_secret provided by the Authn team.
When a user logs in, Authn uses the client_id and client_secret of the client to look up the tenant associated with that client, and then performs the login itself: it checks the customer's username and password in the database schema of the tenant it found.

Customer Authentication flow

This diagram shows all the flows involved in obtaining a token:

```mermaid
sequenceDiagram
    participant Customer
    participant Client
    participant AuthN
    Customer->>Client: Login(username,password)
    Client->>AuthN: POST(username,password,base64(client_id:client_secret))
    AuthN->>AuthN: getAuthn(ClientBasic)
    AuthN->>Mas-Credentials: Login(username,password,tenant)
    Mas-Credentials-->>AuthN: OK
    AuthN-->>AuthN: SaveRefresh(refresh_token)
    AuthN-->>Client: OK,(access_token,refresh_token)
```

Warning

To use this authentication method, a customer type client must be created. Clients are provided by the MasStack team after carefully auditing each use case, so please contact your MasStack representative to obtain your client secrets.

How to obtain an access_token and refresh_token

Step 1 Obtain client_id and client_secret

Customer type clients are provided by the MasStack owners. Contact that team to obtain the secrets.

When a client is created, Authn will provide:

```json
{
    "client_id": "Rgj3HJDSV6M62nv",
    "client_secret": "Pkchr74bloe99vwcvKAPFGDF61W55XzV="
}
```

A good practice is to store these two values in separate variables, since they will be needed in the next steps.

Step 2 Create the HTTP Basic Auth header

In Postman, setting a basic header is as simple as setting Authorization to type Basic Auth, then you should pass the client_id as Username and client_secret as Password.

If you are not using Postman, you should:

  • Concatenate: client_id + ":" + client_secret
  • Encode the result in base64

Step 3 Make a request to Authn

Once you have a variable with the HTTP Basic Auth header you should make a login request such as:

| Name | Description |
|---|---|
| grant_type | Defines the OAuth2 flow that is going to be used; in this case `password`. |
| password | Customer password received. |
| username | Customer username received. |

```bash
curl --location --request POST 'https://{{authn_host}}/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic {{ClientBasic}}' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'password={{password}}' \
--data-urlencode 'username={{username}}'
```

If both client authentication and user authentication succeed, Authn responds with an access_token and refresh_token pair:

| Name | Description |
|---|---|
| access_token | A signed JWT used by a user to authenticate against Istio's service mesh. |
| refresh_token | A signed JWT whose main goal is to obtain a new access_token without repeating customer authentication once the user has an active session. |
| expires_in | The time (in seconds) that the access_token will be valid. Once it expires, the access_token is no longer valid and the user cannot authenticate with it. |
| token_type | The type of the access_token that has been generated. It is normally used in the Authorization header to indicate which kind of authentication the request carries. |

```json
{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM4ZmJkMzJkLTE4NTEtNDhmZS1hMDZmLWM1MjIwMDBhM2JhZiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJnbW5mbS5hdXRoLm1hc21vdmlsLmNvbSIsImNpZCI6ImNXejhISmNCelZzMnUwWXRzTzVsIiwiZXhwIjoxNjMzMDc1NzkwLCJncm91cHMiOiJjdXN0b21lciIsImlhdCI6MTYzMzA3MjE5MCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo2MDQwIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiY2FybG9zLmNhdmFkYS1tYXNtb3ZpbC5jb20iLCJzY29wZSI6ImFwaTpldmVyeXRoaW5nIiwic3ViIjoiY2FybG9zLmNhdmFkYUBtYXNtb3ZpbC5jb20iLCJ0ZW5hbnQiOiIzIiwidGVuYW50cyI6InYxOjoxMDAiLCJ0aWQiOiIzYzhhMjljZC05ZGE2LTRmMDgtOTM1NC04NGJiYjVlNTA1ZmEifQ.O0dJsDs6Xg_FXj99S3z9HJEmkflqgcfDhOHDFYWH4-I08zacE32YBXRWjHTwY-7Uv1NsAet0WaKic4NE_jFHUZ0H86KheJyhaFUU8ddGi-NyagmARIKCCuSO8Dla6mhBQiDP5V4p96WOwdNFc2E3etPrz-y2q6ZkH2g6DDXTh7OrUnNbZ6Cj0Lc894BgEQOkfxcNAu53w3k8ZBvJm01FpO1h7MbVvxTReF2tlxN8zdDnjdUBvGdsQLhNNU9Nz5NpoqU8DkbHl6OSxVQyYf-oGMLBNzBNsJMVF-mP2CTrS85UqsAf24sKDTGGTVzqpku2KTE1oIFkSrDFpixhZe0blQ",
    "expires_in": 3600,
    "refresh_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM4ZmJkMzJkLTE4NTEtNDhmZS1hMDZmLWM1MjIwMDBhM2JhZiIsInR5cCI6IkpXVCJ9.eyJjaWQiOiJjV3o4SEpjQnpWczJ1MFl0c081bCIsImV4cCI6MTYzMzE1ODU5MCwiaWF0IjoxNjMzMDcyMTkwLCJzdWIiOiJjYXJsb3MuY2F2YWRhQG1hc21vdmlsLmNvbSIsInRpZCI6IjNjOGEyOWNkLTlkYTYtNGYwOC05MzU0LTg0YmJiNWU1MDVmYSJ9.N-SIccZYT4Vqm_vAc2TwinylHm-S7QExqmsse7ZfrZwgVH10XzTHmsj-WvFBXIFNLJ8dtw-IIyrDzrrAGztTMq-1o2GCu0x1yzVOwkBuu-eQd8jTrhEr_ryu34mDV4mYhwtN4cA-zIE1zwqsFv6Ho6MYbIb-IvBuXNH_he1tB3QEV6ftRuV14odpWDruUTQrLBMLV54QGmtXffRXUp5kaK_8usr8aLDQHkxsKrbmuU9U-R1ABaiMQTXdy3wZ0gE54Oh-xlB_OYWxygoFYHcdqqiML6Npjxcz6HNxPB4iNWrli2TE3FHKlKdHkW390K3CRbsy0n3rVrYlQff_4ph1aA",
    "token_type": "Bearer"
}
```

If the response includes an access token, you can use it to call a MasMovil API. If the response does not include an access token, your JWT and token request might not be properly formed.

When the access token expires, request another access_token with the refresh_token grant.

How to obtain new tokens with refresh_token flow

When a user logs in to Authn, a session is stored in Redis. This means that when the access_token expires, the client must use the refresh_token obtained at login to get a new access_token and refresh_token pair, without involving the user and without using any password: only client authentication is required.

To obtain a new access_token and refresh_token, make a request like:

| Name | Description |
|---|---|
| grant_type | Defines the OAuth2 flow that is going to be used; in this case `refresh_token`. |
| refresh_token | Token obtained during customer authentication. |

```bash
curl --location --request POST 'https://{{authn_host}}/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic {{ClientBasic}}' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token={{refresh_token}}'
```

As before, Authn will provide you:

```json
{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM4ZmJkMzJkLTE4NTEtNDhmZS1hMDZmLWM1MjIwMDBhM2JhZiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJnbW5mbS5hdXRoLm1hc21vdmlsLmNvbSIsImNpZCI6ImNXejhISmNCelZzMnUwWXRzTzVsIiwiZXhwIjoxNjMzMDc1NzkwLCJncm91cHMiOiJjdXN0b21lciIsImlhdCI6MTYzMzA3MjE5MCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo2MDQwIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiY2FybG9zLmNhdmFkYS1tYXNtb3ZpbC5jb20iLCJzY29wZSI6ImFwaTpldmVyeXRoaW5nIiwic3ViIjoiY2FybG9zLmNhdmFkYUBtYXNtb3ZpbC5jb20iLCJ0ZW5hbnQiOiIzIiwidGVuYW50cyI6InYxOjoxMDAiLCJ0aWQiOiIzYzhhMjljZC05ZGE2LTRmMDgtOTM1NC04NGJiYjVlNTA1ZmEifQ.O0dJsDs6Xg_FXj99S3z9HJEmkflqgcfDhOHDFYWH4-I08zacE32YBXRWjHTwY-7Uv1NsAet0WaKic4NE_jFHUZ0H86KheJyhaFUU8ddGi-NyagmARIKCCuSO8Dla6mhBQiDP5V4p96WOwdNFc2E3etPrz-y2q6ZkH2g6DDXTh7OrUnNbZ6Cj0Lc894BgEQOkfxcNAu53w3k8ZBvJm01FpO1h7MbVvxTReF2tlxN8zdDnjdUBvGdsQLhNNU9Nz5NpoqU8DkbHl6OSxVQyYf-oGMLBNzBNsJMVF-mP2CTrS85UqsAf24sKDTGGTVzqpku2KTE1oIFkSrDFpixhZe0blQ",
    "expires_in": 3600,
    "refresh_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM4ZmJkMzJkLTE4NTEtNDhmZS1hMDZmLWM1MjIwMDBhM2JhZiIsInR5cCI6IkpXVCJ9.eyJjaWQiOiJjV3o4SEpjQnpWczJ1MFl0c081bCIsImV4cCI6MTYzMzE1ODU5MCwiaWF0IjoxNjMzMDcyMTkwLCJzdWIiOiJjYXJsb3MuY2F2YWRhQG1hc21vdmlsLmNvbSIsInRpZCI6IjNjOGEyOWNkLTlkYTYtNGYwOC05MzU0LTg0YmJiNWU1MDVmYSJ9.N-SIccZYT4Vqm_vAc2TwinylHm-S7QExqmsse7ZfrZwgVH10XzTHmsj-WvFBXIFNLJ8dtw-IIyrDzrrAGztTMq-1o2GCu0x1yzVOwkBuu-eQd8jTrhEr_ryu34mDV4mYhwtN4cA-zIE1zwqsFv6Ho6MYbIb-IvBuXNH_he1tB3QEV6ftRuV14odpWDruUTQrLBMLV54QGmtXffRXUp5kaK_8usr8aLDQHkxsKrbmuU9U-R1ABaiMQTXdy3wZ0gE54Oh-xlB_OYWxygoFYHcdqqiML6Npjxcz6HNxPB4iNWrli2TE3FHKlKdHkW390K3CRbsy0n3rVrYlQff_4ph1aA",
    "token_type": "Bearer"
}
```
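The whole flow described on this page, Steps 1 to 3 plus the refresh_token grant, as an added Python example that is not part of the original page or of the Authn project: it builds the Basic header from client_id:client_secret, posts the password grant, reads `exp` from the returned JWT and switches to the refresh_token grant shortly before expiry instead of waiting for a rejected API call. The host `authn.example`, the injectable transport function and the `sample_jwt` helper (an unsigned token used only so the class can be exercised offline) are assumptions.

```python
import base64, json, time, urllib.parse, urllib.request

def basic_header(client_id: str, client_secret: str) -> str:
    # Step 2 of the page: base64(client_id + ":" + client_secret) as a Basic header value
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def jwt_claims(token: str) -> dict:
    # Decode the payload segment only; signature checking is done by the service mesh, not here
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def sample_jwt(claims: dict) -> str:
    # Constructed, unsigned token for offline runs; Authn issues RS256-signed tokens instead
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."

def http_post_form(url: str, headers: dict, form: dict) -> dict:
    # Real transport: POST an x-www-form-urlencoded body and parse the JSON reply
    req = urllib.request.Request(url, urllib.parse.urlencode(form).encode(), headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class CustomerSession:
    """Keeps the access/refresh pair and switches to the refresh_token grant before 'exp'."""

    def __init__(self, authn_host, client_id, client_secret, post=http_post_form):
        self.url = f"https://{authn_host}/oauth/token"  # authn_host is a placeholder, as on the page
        self.headers = {"Content-Type": "application/x-www-form-urlencoded",
                        "Authorization": basic_header(client_id, client_secret)}
        self.post = post  # injectable transport so the flow can be exercised offline
        self.access_token = self.refresh_token = None

    def _token_request(self, form: dict) -> str:
        body = self.post(self.url, self.headers, form)
        if "access_token" not in body:  # no token: malformed request or rejected credentials
            raise RuntimeError(f"token request rejected: {body}")
        self.access_token, self.refresh_token = body["access_token"], body["refresh_token"]
        return self.access_token

    def login(self, username: str, password: str) -> str:
        return self._token_request({"grant_type": "password", "username": username, "password": password})

    def bearer(self, now=None, skew=30) -> str:
        # Value for the Authorization header; refresh if the token is within `skew` seconds of expiry
        now = time.time() if now is None else now
        if jwt_claims(self.access_token)["exp"] - skew <= now:
            self._token_request({"grant_type": "refresh_token", "refresh_token": self.refresh_token})
        return "Bearer " + self.access_token
```

Passing `post=http_post_form` (the default) sends the same two requests as the curl commands above; passing a stub lets you test the expiry logic without a live Authn.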