Authentication

In order to use the Bosch Semantic Stack services, a valid authentication is needed. The protocol used is OAuth2, implemented through the Authentication/Authorization system.

The solution you are building needs:

  • client ID (your-client-id)

  • client secret (your-client-secret)

  • These client credentials are defined for your tenant (your-tenant-id)

See Add a module to your tenant if you do not have any credentials yet.

When requesting a JWT to access the Bosch Semantic Stack services, you need to scope the token:

  • Set the client ID of the target service as audience scope (target-client-id):

    • Digital Twin Registry: bqfin42m7vho1k7r2srjrge28

    • Aspect Model Catalog: q8f6z22otkd7137qlsykwckuc

  • Set openid scope

To retrieve a valid JWT, the following call (OAuth2 Client Credentials Flow) needs to be issued (sample given as cURL):

  curl -X POST \
  https://portal.bosch-nexeed.com/iam/access-management/v1/tenants/<your-tenant-id>/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'cache-control: no-cache' \
  -d 'grant_type=client_credentials&client_id=<your-client-id>&client_secret=<your-client-secret>&scope=aud:<target-client-id>%20openid'

You’ll receive a JSON structure as a response where the property access_token is the JWT to be used for requests against services like the Digital Twin Registry.

To use the JWT, a request must have the following header set:

  Authorization: Bearer <access_token>

Token Expiry

The JWTs have a rather short lifetime. It is up to you how to handle token expiry; here are two options:

  • Use the token until a service responds with a 401. In a fallback method, retrieve a new token, then retry the request.

  • Within your application, apply a hook or interceptor (most HTTP/REST libraries allow this) to check the token expiry. If the token would expire within, for example, the next 60 seconds, first retrieve a new token, then carry on with the request.