Skip to content

Authentication

The user is authenticated through our SSO platform based on the standard OAuth 2.0. Together with the access data and the desired authorizations, the user receives a temporary key, the access token, from this platform. This token is then supplied in all requests to the OAID API and used there for authorization purposes.

Access Credentials

client_id and client_secret identify the user to the SSO platform. You receive these once at the beginning of the contract period.

Important

The access credentials are to be kept secret under all circumstances.

Even the OFAA does not have access to the individual access credentials!

Transmission of the Access Credentials

For the secure transmission of this data, you will receive a so-called Single-use link, a service provided by Infomaniak. This link is valid for ONE week and may only be opened ONCE. Such a link may look like the following (link is shortened):

    https://kpaste.infomaniak.com/EavRvI-sAsI_kbx1.....x7iffgiyW

By opening the link and following the instructions, you will receive the access credentials. To prevent the link from being opened unintentionally, you must enter the password that was additionally sent. COPY the content to a secure location, you will not be able to open the link a second time.

Zugangsdaten erhalten

The account credentials are represented as text in TOML Format. TOML can be used by most scripting languages directly or via libraries. If not, you can simply copy the values.

Important

Save the credentials in a secure location.
Use established methods (e.g. Environment Variables) in your application.

Error Message

If you receive an error message when opening, either the time has expired or the link is suspected to have been opened already. In these cases, please get in touch with your contact person to create new credentials.

Fehler

Access Token

To use the API, a valid access token is required. This token is - in encoded form - proof of identity and contains all the necessary information for authorization. This takes place implicitly with every API call.

Access Token

In technical terms, this is a JSON Web Token (JWT).
This can be parsed via standard JWT libraries or online.

An access token can be used for several successive calls. The validity period is 300 seconds. It is NOT necessary to generate a new token before each call. Only when the validity period expires should a new key be generated and used.

Tip

Reusing the access token significantly speeds up API actions.

To obtain a valid token, you need:

  • client_id,
  • client_secret and
  • scopes

The client_id and client_secret are received once at the beginning of the contract period and are known only by you. The required scopes depend on the application. Scopes are comparable to authorizations that the user receives with the access token.

An overview of the possible scopes can be found directly in the API Documentation and at each endpoint.

Ein Scope

An interaction with the API with read-only access, for example, requires read-only permissions. To generate a code, write permissions are also required.

Recommendation

Provide an application only with the scopes it needs!

Example Access Token

Create access tokens with read permissions (= scopes) oaid:mgm:read and oaid:codes:read.

$ curl --request POST \
$   --location "https://sso.yio.at/auth/realms/oaid/protocol/openid-connect/token" \
$   --header "Content-Type: application/x-www-form-urlencoded" \
$   -d "client_id=:your client_id:&client_secret=:your client_secret:&grant_type=client_credentials&scope=oaid%3Amgm%3Aread%20oaid%3Acodes%3Aread" 
---> 100%

{
  "access_token": "eyJhbGciOiJSU...baVQ",
  "expires_in": 300,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0,
  "scope": "email oaid:mgm:read oaid:codes:read profile"
}

Copy the value of the access_token field from the response and insert the string at the placeholder in the HTTP Header Authorization:

$ curl --request GET --location "https://api.oaid.at/v2/pip/codes/" \
$  --header "Authorization: Bearer <insert_access_token>" \      
...