-
Notifications
You must be signed in to change notification settings - Fork 193
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: unify API Auth docs (Admin, Camunda 8, and Web Modeler APIs) #4078
Merged
Merged
Changes from all commits
Commits
Show all changes
22 commits
Select commit
Hold shift + click to select a range
78db6ec
feat: unify API authentication docs (administration/next)
pepopowitz 1bce3b4
feat: unify API authentication docs (modeler/next)
pepopowitz 2f6e2bd
feat: unify API authentication docs (camunda/next)
pepopowitz fef25d0
feat: rewrite saas curl requests for readability and flexibility
pepopowitz f123e72
oops: import dependencies
pepopowitz 9f74a7a
chore: consistent format for substitution values
pepopowitz 55eb693
Merge branch 'main' into pepopowitz/3649-unify-api-auth-docs
pepopowitz d1f2a3b
Update Camunda API client creation instructions
pepopowitz a079315
improve: use actual environment variable names as downloaded from con…
pepopowitz 316beeb
improve: use actual environment variable names as downloaded from con…
pepopowitz d43ee03
improve: use actual environment variable names as downloaded from con…
pepopowitz 1a2b822
improve: better explanation of target URLs (c8 api)
pepopowitz 6e601d3
improve: better explanation of target URLs (web modeler)
pepopowitz cd70c06
improve: no need for variable indirection (admin)
pepopowitz 3299555
docs: use instead of for variables, for readability.
pepopowitz ecd3db6
no port number here
pepopowitz 831074e
feedback: incorporate edits from Operate PR
pepopowitz ec449ec
edit: one more active voice thing
pepopowitz d74d1df
feedback: sync tab sections to each other
pepopowitz c0051fd
chore: backport admin API changes from vNext to vCurrent
pepopowitz 7bbf5e0
chore: backport web modeler API changes from vNext to vCurrent
pepopowitz 1e39ced
Merge branch 'main' into pepopowitz/3649-unify-api-auth-docs
pepopowitz File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,17 +6,72 @@ sidebar_position: 2 | |
| description: "Learn about access tokens and client credentials and scopes to get started with the Administration API." | ||
| --- | ||
|
|
||
| To access the API endpoint, you need an access token. Your client must send a header in each request: | ||
|
|
||
| `Authorization: Bearer <Token>` | ||
|
|
||
| For example, send a request using _curl_: | ||
| All Administration API requests require authentication. To authenticate, generate a [JSON Web Token (JWT)](https://jwt.io/introduction/) and pass it in each request. | ||
|
|
||
| ## Generating a token | ||
|
|
||
| 1. Create client credentials by clicking **Console > Organization > Administration API > Create new credentials**. | ||
| 2. Add permissions to this client for [the needed scopes](#client-credentials-and-scopes). | ||
| 3. Upon creating the client, capture the following values required to generate a token: | ||
| <!-- this comment convinces the markdown processor to still treat the table as a table, but without adding surrounding paragraphs. 🤷 --> | ||
| | Name | Environment variable name | Default value | | ||
| | ------------------------ | -------------------------------- | -------------------------------------------- | | ||
| | Client ID | `CAMUNDA_CONSOLE_CLIENT_ID` | - | | ||
| | Client Secret | `CAMUNDA_CONSOLE_CLIENT_SECRET` | - | | ||
| | Authorization Server URL | `CAMUNDA_OAUTH_URL` | `https://login.cloud.camunda.io/oauth/token` | | ||
| | Audience | `CAMUNDA_CONSOLE_OAUTH_AUDIENCE` | `api.cloud.camunda.io` | | ||
| <!-- this comment convinces the markdown processor to still treat the table as a table, but without adding surrounding paragraphs. 🤷 --> | ||
| :::tip | ||
| When client credentials are created, the `Client Secret` is only shown once. Save this `Client Secret` somewhere safe. | ||
| ::: | ||
| 4. Execute an authentication request to the token issuer: | ||
| ```bash | ||
| curl --request POST ${CAMUNDA_OAUTH_URL} \ | ||
| --header 'Content-Type: application/x-www-form-urlencoded' \ | ||
| --data-urlencode 'grant_type=client_credentials' \ | ||
| --data-urlencode "audience=${CAMUNDA_CONSOLE_OAUTH_AUDIENCE}" \ | ||
| --data-urlencode "client_id=${CAMUNDA_CONSOLE_CLIENT_ID}" \ | ||
| --data-urlencode "client_secret=${CAMUNDA_CONSOLE_CLIENT_SECRET}" | ||
| ``` | ||
| 5. A successful authentication response looks like the following: | ||
| ```json | ||
| { | ||
| "access_token": "<TOKEN>", | ||
| "expires_in": 300, | ||
| "refresh_expires_in": 0, | ||
| "token_type": "Bearer", | ||
| "not-before-policy": 0 | ||
| } | ||
| ``` | ||
| 6. Capture the value of the `access_token` property and store it as your token. | ||
|
|
||
| ## Using a token | ||
|
|
||
| Include the captured token as an authorization header in each request: `Authorization: Bearer <TOKEN>`. | ||
|
|
||
| For example, to call the Administration API's `/members` endpoint, send the following request: | ||
|
|
||
| ```shell | ||
| curl -X POST -H -H :accept: application/json" -H "Authorization: Bearer <TOKEN>" -d '' http://api.cloud.camunda.io/clusters | ||
| curl --header "Authorization: Bearer ${TOKEN}" \ | ||
| https://api.cloud.camunda.io/members | ||
| ``` | ||
|
|
||
| A successful response would include [a list of organization members](https://console.cloud.camunda.io/customer-api/openapi/docs/#/default/GetMembers). For example: | ||
|
|
||
| ```json | ||
| [ | ||
| { | ||
| "name": "User Userton", | ||
| "email": "[email protected]", | ||
| "roles": ["admin"], | ||
| "invitePending": false | ||
| } | ||
| ] | ||
| ``` | ||
|
|
||
| For all requests, include the access token in the authorization header: `authorization:Bearer ${TOKEN}`. | ||
| ## Token expiration | ||
|
|
||
| Access tokens expire according to the `expires_in` property of a successful authentication response. After this duration, in seconds, you must request a new access token. | ||
|
|
||
| ## Client credentials and scopes | ||
|
|
||
|
|
@@ -40,25 +95,6 @@ A client can have one or multiple permissions from the following groups: | |
|
|
||
| The full API description can be found [here](https://console.cloud.camunda.io/customer-api/openapi/docs/#/). | ||
|
|
||
| :::note | ||
| After client credentials are created, the `Client Secret` is only shown once. Save this `Client Secret` somewhere safe. | ||
| ::: | ||
|
|
||
| ## Access token | ||
|
|
||
| Once you have your client credentials, you can retrieve an access token using the following command: | ||
|
|
||
| ```bash | ||
| curl --header "Content-Type: application/json" \ | ||
| --request POST \ | ||
| --data '{"grant_type":"client_credentials", "audience":"api.cloud.camunda.io", "client_id":"XXX", "client_secret":"YYY"}' \ | ||
| https://login.cloud.camunda.io/oauth/token | ||
| ``` | ||
|
|
||
| :::note | ||
| Access tokens have a validity period found in the access token. After this time, a new access token must be requested. | ||
| ::: | ||
|
|
||
| ## Rate limiting | ||
|
|
||
| The OAuth service rate limits about one request per second for all clients with the same source IP address. | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Idea - Could be fancy here and get a variable for the product version 🤷♀️
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, in general I didn't feel great about these sample API responses. I want to show enough that it's useful, but not so much that people get lost in the details or it's drifting from the real response.