This section describes the OAuth2 Client Credentials grant flow used for server-to-server authentication between a Client platform and the Backoffice (Opigno Enterprise API). No end user takes part in the grant: the client authenticates as itself with its client ID and client secret.

1. Obtaining an Access Token

The Client platform (e.g., a Drupal-based system with Opigno Connect) requests an access token from the Backoffice (Opigno Enterprise API) by POSTing its client credentials to the token endpoint. Replace YOUR_CLOUD_ENVIRONMENT with the URL of your actual cloud environment. The request body is a single form-encoded line:
POST /oauth/token HTTP/1.1
Host: [YOUR_CLOUD_ENVIRONMENT]
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
  • grant_type=client_credentials: Specifies the OAuth2 grant type being used.
  • client_id=YOUR_CLIENT_ID: The unique identifier for the client generated during the client creation process.
  • client_secret=YOUR_CLIENT_SECRET: The secret key associated with the client ID. It travels in the request body, so this request must only be sent over HTTPS. Store the secret securely, ideally using Drupal’s Key module, rather than hard-coding it.
Successful Response:
The server responds with a bearer access token:
{
  "access_token": "YOUR_ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": 3600
}
expires_in is the token lifetime in seconds. The Client platform should cache the token for reuse and request a new one before it expires. Treat the token as a credential: anyone who obtains it can call the API as your client until it expires, so do not write it to logs.

2. Accessing a Protected Resource

Once the Client platform has an access token, it uses it to authenticate API requests to protected resources in the backoffice. Replace YOUR_CLOUD_ENVIRONMENT with the URL of your actual cloud environment.
GET /api/1 HTTP/1.1
Host: [YOUR_CLOUD_ENVIRONMENT]
Authorization: Bearer YOUR_ACCESS_TOKEN
Opigno-Client-UUID: 123a456a-123b-123c-123d-************
  • Authorization: Bearer YOUR_ACCESS_TOKEN: The access token obtained in the previous step, sent in the Authorization header with the Bearer scheme. An expired or unknown token is rejected, so the client should fetch a new token when that happens.
  • Opigno-Client-UUID: 123a456a-123b-123c-123d-************: This custom header carries the UUID of the user on whose behalf the action is performed. Because a Client Credentials token identifies the client and not a user, this header is what ties the request to a user: the backoffice verifies that the authenticated client has permission to act for this UUID and rejects the request otherwise. The Client platform should therefore send only the UUIDs of users it has itself authorized for the action.
The Opigno Connect module on the Client platform simplifies the generation and management of these tokens and headers.
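The two steps above, end to end, as an added example that is not part of this page and not Opigno's code. It runs a small stand-in backoffice in-process so it works offline: the client ID, client secret, user UUIDs and the stand-in's responses are constructed for the example, and only the token endpoint, the form parameters, the response fields and the header names come from the page. The client side caches the token and renews it before expires_in elapses; the stand-in side shows the two checks described above, validating the bearer token first and then verifying that the authenticated client may act for the UUID in Opigno-Client-UUID.

```python
"""Added example (not Opigno's code): OAuth2 Client Credentials flow as on this
page, run against an in-process stand-in for the backoffice so it works offline.
Client ids, secrets, user UUIDs and the stand-in's behaviour are constructed."""
import secrets
import time
import uuid
from urllib.parse import parse_qs, urlencode

# ---- Stand-in backoffice (constructed; NOT the Opigno Enterprise API) --------
CLIENTS = {"client-abc": "s3cret"}                 # client_id -> client_secret (constructed)
ALLOWED_UUIDS = {                                  # user UUIDs each client may act for (constructed)
    "client-abc": {"123a456a-123b-123c-123d-000000000000"},
}
TOKENS = {}                                        # access_token -> (client_id, expiry epoch)
TOKEN_TTL = 3600                                   # matches expires_in on the page


def backoffice(method, path, headers, body=""):
    """Handle one request and return (status, json_dict)."""
    if method == "POST" and path == "/oauth/token":
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        cid = form.get("client_id", "")
        expected = CLIENTS.get(cid)
        # Constant-time secret comparison; unknown client ids are rejected the same way.
        if expected is None or not secrets.compare_digest(expected, form.get("client_secret", "")):
            return 401, {"error": "invalid_client"}
        tok = secrets.token_urlsafe(32)
        TOKENS[tok] = (cid, time.time() + TOKEN_TTL)
        return 200, {"access_token": tok, "token_type": "Bearer", "expires_in": TOKEN_TTL}

    # Every other path is a protected resource: check the token, then the UUID binding.
    scheme, _, tok = headers.get("Authorization", "").partition(" ")
    entry = TOKENS.get(tok)
    if scheme != "Bearer" or entry is None or entry[1] <= time.time():
        return 401, {"error": "invalid_token"}
    cid, _ = entry
    target = headers.get("Opigno-Client-UUID", "")
    if target not in ALLOWED_UUIDS.get(cid, set()):
        return 403, {"error": "client_not_permitted_for_uuid"}
    return 200, {"path": path, "client": cid, "acting_for": target}


# ---- Client platform side (the part Opigno Connect manages on a Drupal site) --
class ClientCredentialsSession:
    """Obtains a bearer token, caches it, and renews it before expires_in runs out."""

    def __init__(self, transport, client_id, client_secret, renew_margin=60):
        self.transport = transport          # callable(method, path, headers, body) -> (status, dict)
        self.client_id = client_id
        self.client_secret = client_secret
        self.renew_margin = renew_margin    # seconds before expiry at which a new token is fetched
        self._token = None
        self._expires_at = 0.0

    def token(self):
        """Step 1: POST /oauth/token, reusing the cached token while it is still fresh."""
        if self._token and time.time() < self._expires_at - self.renew_margin:
            return self._token
        body = urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        status, resp = self.transport(
            "POST", "/oauth/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200 or resp.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"token request failed: {status} {resp}")
        self._token = resp["access_token"]
        self._expires_at = time.time() + int(resp["expires_in"])
        return self._token

    def get(self, path, acting_for):
        """Step 2: GET a protected resource on behalf of the user whose UUID is acting_for."""
        user_uuid = str(uuid.UUID(acting_for))   # reject malformed UUIDs before they hit the wire
        headers = {
            "Authorization": f"Bearer {self.token()}",
            "Opigno-Client-UUID": user_uuid,
        }
        return self.transport("GET", path, headers, "")


if __name__ == "__main__":
    session = ClientCredentialsSession(backoffice, "client-abc", "s3cret")
    print(session.get("/api/1", "123a456a-123b-123c-123d-000000000000"))  # permitted UUID -> 200
    print(session.get("/api/1", "123a456a-123b-123c-123d-ffffffffffff"))  # other UUID -> 403
```

To use this against a real environment, replace the stand-in transport with an HTTPS call to your cloud environment; both the client secret and the bearer token must only ever travel over TLS. The 403 for a UUID the client is not permitted to act for is the server-side check the page describes, and the client-side uuid.UUID() parse keeps malformed values from reaching it.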