Authentication

The archrepo API is protected by OAuth2. The publisher authenticates with the client credentials grant: it obtains an access token from the configured token endpoint and sends it as a bearer token on every request to the API. This is implemented by OAuth2ClientCredentialsRestClientInitializer.

Client registration

The publisher resolves the OAuth2 client registration whose id equals jeap.archrepo.oauth-client (default archrepo-client) from Spring Security's ClientRegistrationRepository. That registration must exist under spring.security.oauth2.client.registration. If it is missing, application startup fails with an explanatory IllegalStateException.

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          archrepo-client:
            client-id: ${your-keycloak-system-name}-archrepo-client
            client-secret: ${your-secret}
            scope: openid
            authorization-grant-type: client_credentials
            provider: archrepo-client
        provider:
          archrepo-client:
            token-uri: https://internal.keycloak.mycompany.ch/realms/bazg-applicationplatform/protocol/openid-connect/token
```

The token-uri differs per environment. Examples:

| Environment | token-uri |
| --- | --- |
| dev | https://internal-csp.applicationplatform-dev.mycompany.ch/applicationplatform-oauth-mock-service/oauth2/token |
| ref / abn | https://internal.keycloak-{env}.mycompany.ch/realms/bazg-applicationplatform/protocol/openid-connect/token |
| prod | https://internal.keycloak.mycompany.ch/realms/bazg-applicationplatform/protocol/openid-connect/token |

Required role

The OAuth2 client must be granted the archrepo role that authorizes writing OpenAPI specifications:

<arch-repo-system-name>_@openapidoc_#write

Replace <arch-repo-system-name> with the system name of the target architecture repository. See the archrepo Rest API Documentation for details.
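Before wiring the registration into the publisher it is worth checking, from the deployment environment, that the client can actually obtain a token from the configured token-uri and that the token carries the write role. The following script is an added example and not part of jEAP or the archrepo publisher. It performs the client credentials grant with HTTP Basic client authentication (client_secret_basic, Spring Security's default when no client-authentication-method is configured), then decodes the access token without verifying it and looks for `<system>_@openapidoc_#write`. The claim locations it inspects, `realm_access.roles` and `resource_access.<client>.roles`, are Keycloak's usual role claims and are an assumption here; the page does not say where archrepo expects the role. The environment variable names and the sample token are constructed for the example. Keep the real client secret in a secret store or environment variable rather than in the committed YAML.

```python
"""Pre-flight check for an archrepo publisher OAuth2 client (added example)."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Role naming from the page; the system name is filled in per repository.
REQUIRED_ROLE_TEMPLATE = "{system}_@openapidoc_#write"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credentials as used by client_secret_basic."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(token_uri, client_id, client_secret, scope="openid"):
    """Return (url, body, headers) for an OAuth2 client_credentials token request."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode()
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return token_uri, body, headers


def fetch_token(token_uri, client_id, client_secret, scope="openid"):
    """POST the grant to the token endpoint and return the access_token string."""
    url, body, headers = build_token_request(token_uri, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())["access_token"]


def decode_jwt_payload(token):
    """Decode a JWT payload WITHOUT signature verification.

    Inspection only: the archrepo API verifies the token itself. Never base an
    access decision on an unverified decode.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_in_token(payload):
    """Collect realm and client roles from Keycloak-style claims (assumption)."""
    roles = set(payload.get("realm_access", {}).get("roles", []))
    for client in payload.get("resource_access", {}).values():
        roles.update(client.get("roles", []))
    return roles


def has_write_role(payload, system_name):
    """True if the token grants writing OpenAPI docs for the given repository."""
    return REQUIRED_ROLE_TEMPLATE.format(system=system_name) in roles_in_token(payload)


def sample_token(claims):
    """Constructed, unsigned JWT-shaped string for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Assumed variable names; they mirror the Spring registration fields above.
    token_uri = os.environ["ARCHREPO_TOKEN_URI"]
    client_id = os.environ["ARCHREPO_CLIENT_ID"]
    client_secret = os.environ["ARCHREPO_CLIENT_SECRET"]
    system_name = os.environ["ARCHREPO_SYSTEM_NAME"]

    claims = decode_jwt_payload(fetch_token(token_uri, client_id, client_secret))
    print("roles in token:", sorted(roles_in_token(claims)))
    if not has_write_role(claims, system_name):
        print("missing role:", REQUIRED_ROLE_TEMPLATE.format(system=system_name))
        sys.exit(1)
    print("client is authorized to publish OpenAPI specs for", system_name)
```

Run it with the four variables set for the target environment; a non-zero exit means the client authenticated but was not granted the role, which is the failure that otherwise only shows up as a 403 from the archrepo API at publish time.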