Authorization

All requests to the API of the Digital Twin Registry must be authorized by including the 'Authorization' HTTP header with the value 'Bearer <token>', where <token> is a valid JSON Web Token (JWT). Requests without this header, or with an invalid or expired token, are rejected.

The JWT is obtained from the Keycloak API, either via the Implicit Flow (when a user wants to access the Digital Twin Registry) or via the Client Credentials Flow (when a service wants to access it).

Implicit Flow

The authorization URLs for the Implicit Flow and the Client Credentials Grant can be found here.

Client Credentials Flow

Roles

The roles assigned to a client or user are included in the token issued by Keycloak. The Digital Twin Registry extracts the roles from the token and uses them to authorize the client's or user's request.

Find a detailed description of all roles at Concepts > Authorization.
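The following is an added example, not code from the Digital Twin Registry or Keycloak projects. It shows the client side of the Client Credentials Flow described above (the form body a service POSTs to the realm's token endpoint and the 'Authorization: Bearer <token>' header it then sends to the registry) and the server side of the Roles section (verifying a token and pulling the realm and client roles out of the 'realm_access' and 'resource_access' claims, which is where Keycloak places them). The Keycloak base URL, realm name, client name and role names are assumptions chosen for illustration; the demo token is signed with HS256 and a constructed secret so the example runs offline, whereas Keycloak signs tokens with the realm's RSA key and a real verifier must fetch that key from the realm's JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Assumed values for illustration; substitute the real Keycloak base URL and realm.
KEYCLOAK_BASE = "https://keycloak.example.org"
REALM = "example-realm"
# Standard Keycloak token endpoint path for a realm.
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"


def client_credentials_request(client_id, client_secret):
    """Build the HTTP POST a service sends for the Client Credentials grant.

    Returns (url, headers, body). The caller performs the request; the JSON
    response carries the JWT in its "access_token" field.
    """
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body


def authorization_header(access_token):
    """The header every Digital Twin Registry request must carry."""
    return {"Authorization": f"Bearer {access_token}"}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims, secret):
    """Construct a Keycloak-shaped JWT signed with HS256 (offline stand-in only;
    Keycloak itself uses RS256 with the realm key)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_token(token, secret, now=None):
    """Verify signature and expiry, then return the claims. Raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token choose it (alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def extract_roles(claims, client_id):
    """Collect realm roles plus the roles Keycloak scoped to the given client."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles.update(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return sorted(roles)


if __name__ == "__main__":
    url, hdrs, body = client_credentials_request("registry-service", "s3cr3t")  # assumed client
    print("POST", url, hdrs, body)
    # Constructed claims standing in for what Keycloak would issue.
    demo_claims = {"sub": "registry-service", "exp": int(time.time()) + 300,
                   "realm_access": {"roles": ["example_reader"]},
                   "resource_access": {"registry": {"roles": ["example_writer"]}}}
    token = make_demo_token(demo_claims, b"demo-secret")
    print(authorization_header(token))
    print("roles:", extract_roles(decode_token(token, b"demo-secret"), "registry"))
```

Only the signature and expiry checks stand between an attacker-supplied token and role extraction, so the verifier pins the algorithm and compares the signature in constant time before it reads any claim; on the real registry the same checks are performed against the realm's published RSA key rather than a shared secret.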