Authentication

Learn how to retrieve access tokens.

Overview

The ProcessMaker IDP API uses OpenID Connect for authentication. OpenID Connect (OIDC) is an authentication protocol that is an extension of OAuth 2.0.

Below is OpenID Connection configuration base URL to get details about all security endpoints:

https://{idp-keycloak}/auth/realms/{realm}/.well-known/openid-configuration

The ProcessMaker IDP REST API uses Keycloak's implementation of OIDC. For more info about Keycloak, please refer to the official documentation.

Retrieve an Access Token

Keycloak Server OIDC URI endpoints are relative URLs. The ProcessMaker IDP REST API supports grant types that Keycloak supports. By default, this API uses password credentials as the grant type.

Prior to sending an initial request to Keycloak for an authentication token, ensure that you have the following:

• Username and password when using password credentials as the grant type

• Your IDP instance's Client Secret

Keycloak can obtain the client ID from a request in either of the following ways:

• The client_id parameter in the query (described in Section 2.2 of the OAuth 2.0 Specification)

• client_id as a query parameter that you supply in your request

All endpoints require the Keycloak realm name ProcessMaker IDP configures for your instance. If you do not know your instance's realm name, consult with your Customer Service Manager or ProcessMaker Support.

auth Endpoint

Consider the following base URL example which uses the auth endpoint:

https://{idp-keycloak}/api/realms/{realm}/protocol/openid-connect/auth

token Endpoint

Obtain Keycloak temporary code to subsequently grant access to the IDP instance.

POST https://{idp-keycloak}/api/realms/{realm-name}/protocol/openid-connect/token

Obtain Keycloak temporary code to subsequently grant access to the IDP instance.

POST https://{idp-keycloak}/api/realms/{realm-name}/protocol/openid-connect/token

Use the token endpoint in the base URL to obtain a temporary code from Keycloak in the Authorization Code Flow or to obtain tokens via the Implicit Flow, Direct Grants, or Client Grants.

Path Parameters

Name	Type	Description
client_id*	String	Keycloak client ID. Described in Section 2.2 of the OAuth 2.0 Specification).
grant_type*	String	Grant type to authenticate with Keycloak. By default use password grant type.
username*	String	Username provided by ProcessMaker IDP.
password*	String	Password corresponding with username parameter.

Path Parameters

Name	Type	Description
client_id*	String	UahPzgNf9wYx
grant_type*	String	82BXeyjecKyx
username*	String	Fpwz43Y8GiNT
password*	String	BCvDSDkD1ky9

After receiving the Keycloak token, place it into the header for subsequent requests to your IDP instance with the following key and corresponding value:

• Key: Authorization

• Value: Bearer {Keycloak-token}

Refresh the token with the following POST request in subsequent calls:

POST https://{idp-instance}/token/refresh

userinfo Endpoint

Use the userinfo endpoint in the base URL for the Authorization Code Flow to turn a temporary code into a token:

https://{idp-keycloak}.processmaker.com/api/realms/{realm-name}/protocol/openid-connect/userinfo