Authentication

To use the Bosch Semantic Stack services, you need valid authentication. The protocol used is OAuth2, implemented through the Authentication/Authorization system.

The solution you are building:

  • Needs a client ID which we assume to be named dt-solution in the following example.

  • Also, you will receive a client secret for this client.

  • The client is defined for your tenant, which we assume to be my-tenant.

When requesting a JWT to access the Bosch Semantic Stack services, you need to give the client ID of the target service as the audience scope parameter in the token request. We assume the client ID of the target Bosch Semantic Stack service to be target-client-id.

To retrieve a valid JWT, the following call (OAuth2 Client Credentials Flow) needs to be issued (sample given as cURL):

  curl -X POST \
    '{base-url}/<your-tenant-id>/protocol/openid-connect/token' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -H 'cache-control: no-cache' \
    -d 'grant_type=client_credentials&client_id=<your-client-id>&client_secret=<your-client-secret>&scope=aud:<target-client-id>'

You’ll receive a JSON structure as a response where the property access_token is the JWT to be used for requests against services like the Digital Twin Registry.

To use the JWT, a request must have the following header set:

  Authorization: Bearer <access_token>

Token Expiry

The JWTs have a rather short lifetime. It is up to you how to handle token expiry. Here are two options:

  • Use the token until a service responds with a 401. In a fallback method, retrieve a new token, then retry the request.

  • Within your application, apply a hook or interceptor (most HTTP/REST libraries allow this) to check the token expiry. If the token would expire within, for example, the next 60 seconds, first retrieve a new token, then carry on with the request.
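
Both options can be combined in one small token cache. The following is an added example, not code from the Bosch Semantic Stack documentation: `TokenCache`, `fetch_token`, `send` and `make_sample_jwt` are hypothetical names, and it assumes the JWT carries the standard `exp` claim.

```python
import base64
import json
import time

def jwt_expiry(token):
    """Return the exp claim (epoch seconds) from the JWT payload.
    The signature is NOT verified: this only schedules a refresh and is
    not a trust decision. The target service validates the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

class TokenCache:
    """Keeps one access token and renews it before it expires."""

    def __init__(self, fetch_token, skew=60, clock=time.time):
        self._fetch = fetch_token  # hypothetical: performs the token request, returns access_token
        self._skew = skew          # refresh when fewer than `skew` seconds remain
        self._clock = clock
        self._token = None
        self._exp = 0

    def get(self, force=False):
        """Option 2: proactive refresh shortly before expiry."""
        if force or self._token is None or self._exp - self._clock() <= self._skew:
            self._token = self._fetch()
            self._exp = jwt_expiry(self._token)
        return self._token

    def call(self, send):
        """Option 1: on a 401, fetch a new token and retry exactly once.
        `send(headers)` is a hypothetical callable returning (status, body)."""
        status, body = send({"Authorization": "Bearer " + self.get()})
        if status == 401:
            fresh = self.get(force=True)
            status, body = send({"Authorization": "Bearer " + fresh})
        return status, body

def make_sample_jwt(exp):
    """Constructed sample token with a placeholder signature, for offline runs only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc({"exp": exp}) + ".constructed-signature"
```

Retrying only once keeps a misconfigured client from looping on the token endpoint with its client secret when the 401 has a cause other than expiry.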