Legacy Identity tokens API v4

This document refers to the legacy token service available via the identity-service. For all new work, please use the OAuth2.1 compliant service available from the accesso-authoization-service. See OAuth2 Access Tokens for more information.

accesso provides an OAuth2-compliant endpoint capable of authenticating against multiple systems. Upon successful authentication, the endpoint returns a JSON Web Token, or JWT, which may be used as a means of authenticating against accesso's APIs.

JSON Web Tokens

accesso’s services issue tokens in the form of JSON Web Tokens, or JWT. Learn more about JWTs and list libraries for working with JWTs.

Tokens API

accesso’s Tokens API is an OAuth2-compliant set of endpoints which enables an authorized user to receive a JWT needed for accesso’s APIs.

The API supports authentication and re-authentication against users stored in accesso’s database as well as users authenticated by federated providers such as Authentic and OpenAM.

The Tokens v4 API supports requests using the password grant, refresh grant, and client-credential grant for anonymous tokens. On success, this endpoint will return an accesso Token object which will contain a JSON Web Token (JWT). All requests to the v4 tokens endpoint can be URL encoded (application/x-www-form-urlencoded) per the OAuth2 standard but can also be in JSON format.

Regardless of the type of authentication, a successful authentication results in an HTTP response status of 200 and the following response payload:

{
    "access_token": "eyJhbGciOiJSUz...",
    "token_type": "bearer",
    "refresh_token": "eyJhbGciOiJSUzI1Ni...",
    "expires_in": 86399,
    "scope": "authenticated openid",
    "account_id": "user@yourcompany.com",
    "user_type": "Guests",
    "venueId": null,
    "organization": "your-company",
    "amr": [
        {
            "authority": "credential"
        }
    ],
    "iss": "https://www.theexperienceengine.com/",
    "phone_number": null,
    "source": "UNKNOWN",
    "iat": 1576075405,
    "email": "user@yourcompany.com",
    "uuid": "404589da-7a39-4e9c-8697-ce05fb57449e",
    "jti": "ec2488b7-f364-437c-a640-204670b9c44d"
}

Notable fields above include:

access_token: Access JWT. Provided to accesso endpoints via the Authorization header.
refresh_token: Refresh JWT. Used to acquire a new access token once the issued one expires.
uuid: ID of the user in the accesso ecosystem.
iat: UTC timestamp, in seconds, at which the access and refresh tokens were issued.
expires_in: Number of seconds before the access token expires. The access token is no longer valid at time iat + expires_in.

The JWTs returned from the tokens API contain all of the data that is also returned in plaintext. It is only necessary to retain the access and refresh tokens.

Authentication types

Anonymous

As there are cases where the caller does not have the information needed to fully authenticate, such as a password, accesso’s Identity APIs provide anonymous tokens. Anonymous tokens are tokens which are associated with a user but not with any credential or personally identifying information (e.g. email). When an anonymous token is requested, a new user is inserted into the database. The ID of the user is then returned along with a valid access token and valid refresh token.

Form URL Encoded

curl --location --request POST 'https://api.{region}.te2.io/v4/tokens' \
--header 'accept: application/json' \
--header 'content-type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic {apiKey}' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=anonymous'

JSON version

curl --location --request POST 'https://api.{region}.te2.io/v4/tokens' \
--header 'accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic {apiKey}' \
--data-raw '{
	"grant_type": "client_credentials",
	"scope": "anonymous"
}'

Parameters used above include:

region: Your region. This is us or ap. If you are unsure which region you are in, contact your assigned Client Engagement Manager.
apiKey: The API key which identifies a particular application or program using the accesso APIs. This information should be provided to you.

Required properties

grant_type - Must be set to “client_credentials”

Optional properties

scope - Must be set to anonymous or omitted altogether. If no scope is requested, the resource server will return the default client-credential scope of ‘anonymous’ along with the ‘openid’ scope.

Required headers

Authorization - Basic authorization with the user being the customer
Content-Type - application/x-www-form-urlencoded or application/json are supported

Because requesting an anonymous token inserts a record into the database, you should request an anonymous token only when absolutely necessary.

Password

Password grant is used in cases where accesso stores a user’s login credentials, such as an email-password combination. The format of this type of authentication is as follows:

curl --location --request POST 'https://api.{region}.te2.io/v4/tokens' \
--header 'accept: application/json' \
--header 'content-type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic {apiKey}' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username={accountId}' \
--data-urlencode 'password={credential}' \
--data-urlencode 'scope={requested-scope}'

Parameters used above include:

region: Your region. This is us or ap. If you are unsure which region you are in, contact your assigned Client Engagement Manager.
apiKey: The API key which identifies a particular application or program using the accesso APIs. This information should be provided to you.
accountId: User’s account identifier. This will be an email address, phone number, or username. Specifically which one is driven by configuration and must be set up at initial install.
credential: Credential associated with the account. This is a password or passphrase.
requested-scope: if the user has scopes granted other than the default scope, you would request them here.

Required properties

grant_type - Must be set to “password”
username - Username of the the resource owner, typically the user logging into the mobile app.
password - The resource owner’s password.

Optional properties

scope - The scope the user is requesting. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. If no scope is requested, the resource server will return only the the default scopes of ‘authorized’ and ‘openid’ upon successfully authenticating the user.

Required headers

Authorization - Basic authorization with the user being the customer
Content-Type - application/x-www-form-urlencoded or application/json are supported

Federated

In cases where the customer requires a custom Federated solution, a custom grant can be defined for the Federated authentication provider. For some customers, accesso serves as a proxy to another authentication system. That is, accesso is given an account identifier, such as an email, and the actual credential of that account. accesso then forwards the identifier and credential to the third-party authentication system. Accesso then receives a customer-generated token is which is used as a credential to obtain an accesso JWT. The custom_token name of the grant shown below will be customer-specific and must be configured by the accesso implementation team. This JWT response will not contain an ‘openid’ scope.

curl --location --request POST 'https://api.{region}.te2.io/v4/tokens' \
--header 'accept: application/json' \
--header 'content-type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic {apiKey}' \
--data-urlencode 'grant_type=custom_token' \
--data-urlencode 'custom_token={custom-credential-token}'

Parameters used above include:

region: Your region. This is us or ap. If you are unsure which region you are in, contact your assigned Client Engagement Manager.
apiKey: The API key which identifies a particular application or program using the accesso APIs. This information should be provided to you.
custom-credential-token: The token issued by the customer for the authenticated user.

Required properties

grant_type - Must be set to the custom customer-specific grant type name provided during implementation, “custom_token” is used for this example.
custom_token - The token issued by the third-party authentication system for the authenticated user. The name “custom_token” is used for this example.

Required headers

Authorization - Basic authorization with the user being the customer
Content-Type - application/x-www-form-urlencoded or application/json are supported

accesso never records or logs the credential of an account when using federated authentication.

Refresh

Access tokens issued by accesso expire after 24 hours. These tokens can be reissued, or refreshed, at any time by using the refresh token which was issued alongside the access token. Refreshing will issue both a new access token as well as a new refresh token.

curl --location --request POST 'https://api.{region}.te2.io/v4/tokens' \
--header 'accept: application/json' \
--header 'content-type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic {apiKey}' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token={credential}'

Parameters used above include:

region: Your region. This is us or ap. If you are unsure which region you are in, contact your assigned Client Engagement Manager.
apiKey: The API key which identifies a particular application or program using the accesso APIs. This information should be provided to you.
credential: Refresh token.

Required properties

grant_type - Must be set to “refresh_token”
refresh_token - The previously issued refresh token. The accesso token response issues a refresh token in JWT format. The refresh token itself contains the scopes granted.

Required headers

Authorization - Basic authorization with the user being the customer
Content-Type - application/x-www-form-urlencoded or application/json are supported

Unlike most OAuth2 systems, refresh tokens issued by accesso expire after 90 days. At refresh, the caller should always replace their held access and refresh tokens with the new tokens returned.

Service Tokens

The Service Token request is the same as the password grant request, with the added requirement that a scope of ‘admin’ must be requested to indicate that this is a service account with elevated privileges. Documentation regarding service tokens can be found in the Service accounts and service tokens guide.

Additional optional headers

There are several headers which have not been covered in any of the examples above. These headers have special purpose, including specifying which user tags are set and allowing a user to migrate between devices. The following headers are optional on all the variations of the tokens API examples above.

Accept-Language: User language in ISO-639 format. If omitted, this will default to “en”.
app-user-id: If logging in from a mobile app, the device ID from which the login is occurring. If the device currently associated with the user differs from the provided app-user-id, then the user’s record will be updated to reflect the device change. If this header is omitted, no migration will occur.
appID: If logging in from a mobile app, the ID of the mobile app. If provided, this sets a user tag.
X-Channel: Medium by which the account originated. Primarily used for reporting purposes. If provided, expected to be either MobileApp or Website.
X-Source: Origin of account. Primarily used for reporting purposes. If omitted, will be Unknown. If provided, expected to be one of the following:
- LoQueue
- Password
- TE2App
- Thor
- Unknown
X-Venue: Venue at which the account originated. This is primarily used for reporting purposes. If omitted, this will default to a value stored in customer configuration.

Best practices

Do:

reuse anonymous tokens when possible. For example, if you acquired an anonymous refresh token prior to a user logging in, use that anonymous refresh token to fetch a new access token when the user logs out.

Don’t:

fetch an anonymous token unless absolutely necessary.
wait until an access token expires to refresh. Before calling an accesso endpoint, check the expiration of the access token. If the token is within one minute of expiration, refresh the token.