Authorize Machine-to-Machine Application

Estimated time: 5–10 minutes

What You Will Build

In this guide, you will configure Mekarge A3 to authenticate a backend application using OAuth 2.0.

Unlike browser-based login flows, the Client Credentials flow does not involve a user login. The backend application authenticates directly using its Client Credentials.

At the end of this tutorial:

  • You will obtain Access Tokens as a backend application.

Quick Concepts

Client: Represents an application that requests access to APIs
Resource: Represents a protected API
Scope: Represents a specific type of access on a Resource

Read more about Architecture and Concepts in the Mekarge A3 documentation.

Prerequisites

Quick Start Steps

  • Set Up Environment

    ⚠ Notes

    Ensure RSASSA-PKCS1-v1_5 using SHA-256 is set as the Access Token Signing Algorithm

Tooling

  • curl to test configuration endpoints
  • jq (Optional) for better JSON output

Setup Resources & Scopes

  • Sign in to Mekarge A3 Console

Step 1: Create API Resource

  1. Navigate to Authorization → Resources → Create
  2. Click Create under the API tile
  3. 💡 Hints

    Most of the Token Validation Quick Start guides require Post (Http Body) to be set as the Resource Authentication Type

  4. Name the new Resource (e.g. My API) and set its Resource URI (e.g. api:myapi)
  5. Select a lifetime, in seconds, for Access Tokens issued for this Resource (e.g. 3600)
  6. Click Create
  7. ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
    • Creation will be rejected if the Resource URI is already taken

Step 2: Add Scope

  1. Navigate to Authorization → Resources
  2. Click at the end of the newly created row and select View Details
  3. Navigate to the Scopes tab
  4. Define a Scope (e.g. action:call) under Scope Name and click Create
  5. ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
    • Creation will be rejected if the same Scope Name is already in use

Setup Client

Step 3: Create Client

  1. Navigate to Authorization → Clients → Create
  2. Click Create under the Machine-to-Machine Application tile
  3. Name the new Client (e.g. My App)
  4. Select Post (Http Body) as the Client Authentication Type
  5. Click Create
  6. ⓘ Possible Issues
    • Creation will be rejected if you exceed your quota
  7. Navigate to Authorization → Clients
  8. Click at the end of the newly created row and select View Details
  9. Navigate to the Permissions tab
  10. Select the Resource (e.g. My API) → Select the Scope (e.g. action:call) → Click Grant

Configure Variables

Step 4: Populate the .env File

  1. Navigate to Environments
  2. Click at the end of the current Environment and select View Details
  3. Navigate to the URLs tab
  4. Copy the Token Endpoint from the Authorization Endpoints section to set TOKEN_ENDPOINT
  5. Navigate to Authorization → Clients
  6. Click at the end of the previously created row and select View Details
  7. Copy the Client Id from the Client Credentials section to set CLIENT_ID
  8. Copy the Client Secret from the Client Credentials section to set CLIENT_SECRET
  9. Navigate to Authorization → Resources
  10. Click at the end of the previously created row and select View Details
  11. Copy the Resource Uri from the Resource Information section to set RESOURCE_URI
  12. Create a .env file in your working directory
  13. Fill out the .env file with the information collected above

TOKEN_ENDPOINT=
CLIENT_ID=
CLIENT_SECRET=
RESOURCE_URI=

Test Client

Step 5: Send Access Token Request

  1. Load the .env file

source .env

  2. Run the following command to get an Access Token

curl ${TOKEN_ENDPOINT} \
  -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=${CLIENT_ID}" \
  -d "client_secret=${CLIENT_SECRET}" \
  -d "resource=${RESOURCE_URI}" \
  | jq
    💡 Hints

    The Resource URI identifies which API the Client wants to access. Although this parameter is optional, it is good practice to include it, so that the issued token is scoped to that API. Read more about Resource Indicators in RFC 8707.
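The following POSIX sh helpers are an added example, not part of the Mekarge A3 documentation or product. They wrap steps 4 and 5: check that every variable from .env is set before sending anything, send the same Client Credentials request as the curl command above but with --data-urlencode so a Client Secret containing characters such as + or & is not mangled, and decode the claims of the returned token to confirm the aud and scope values. The sample token is constructed locally with a placeholder signature; jwt_claims only decodes, it does not verify the RS256 signature. Assumes curl and GNU coreutils (base64 -d).

```shell
#!/bin/sh
# Added example, not from the Mekarge A3 docs. Helpers around the Client
# Credentials request in steps 4 and 5. Assumes curl and GNU coreutils
# (base64 -d); the sample token below is constructed, not issued by a server.

# Refuse to send the request if any variable from .env is empty, so a
# half-filled .env gives a clear local error instead of a server rejection.
check_env() {
  for name in TOKEN_ENDPOINT CLIENT_ID CLIENT_SECRET RESOURCE_URI; do
    eval "value=\${$name}"
    if [ -z "$value" ]; then
      echo "check_env: $name is not set" >&2
      return 1
    fi
  done
  return 0
}

# Same request as the curl command in step 5, but --data-urlencode percent-encodes
# each value so a Client Secret containing '+', '&' or '=' is sent intact.
request_token() {
  check_env || return 1
  curl -sS "$TOKEN_ENDPOINT" \
    -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=${CLIENT_ID}" \
    --data-urlencode "client_secret=${CLIENT_SECRET}" \
    --data-urlencode "resource=${RESOURCE_URI}"
}

# base64url (RFC 7515) to standard base64: swap the alphabet and restore padding.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Print the claims (second segment) of a JWT. This only decodes; it does not
# verify the RS256 signature, so use it to inspect a token, not to trust one.
jwt_claims() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# True if the space-separated "scope" claim of the token contains the given scope.
token_has_scope() {
  scopes=$(jwt_claims "$1" | sed -n 's/.*"scope":"\([^"]*\)".*/\1/p')
  for s in $scopes; do
    [ "$s" = "$2" ] && return 0
  done
  return 1
}

# Constructed sample token shaped like the Access Token this guide issues
# (aud = Resource URI, scope = granted Scopes); the signature is a placeholder.
sample_token() {
  header='{"alg":"RS256","typ":"JWT"}'
  claims='{"aud":"api:myapi","scope":"action:call","exp":1700003600}'
  printf '%s.%s.%s' "$(b64url_encode "$header")" "$(b64url_encode "$claims")" "placeholder-signature"
}

# Usage after filling .env:   . ./.env && request_token | jq
# Inspect a real token:       token=$(request_token | jq -r .access_token); jwt_claims "$token"
```

After step 3 grants action:call to the Client, token_has_scope on a real token should succeed for action:call and fail for any Scope that was not granted; a token whose aud does not match RESOURCE_URI indicates the resource parameter was not honoured and should not be presented to the API.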

Summary

What Happened?

  • Mekarge A3 issued an Access Token containing all Scopes granted to the Client for the requested Resource.

Key Takeaways

  • Permissions connect a Client to a Resource Scope.

Next Explorations

  • Try adding more Scopes and granting them to the Client. Observe the change in the scopes claim after a new Access Token is issued.