OAuth2.0, or Open Authorization, is a standard designed to allow a website or an application to access resources hosted by other web applications. OAuth 2.0 provides access and restricts actions to a client application, without sharing user credentials. OAuth2.0 is an authorization protocol and not an authentication protocol. As such, it is designed to grant access to a set of resources; for example, remote APIs or a user’s data. OAuth2.0 uses access tokens. An access token is a piece of data that represents the authorization to access resources on behalf of a user.

OAuth 2.0 Security

OAuth2.0 is the industry-standard open protocol for authorization. It is a simple and standard method to provide third-party web, mobile, and desktop applications with an access token that authorizes sharing specific account information. As part of the OAuth process, the authorization server validates the credentials and returns a signed access token. You can use the token to make requests to Tenants during the token availability time frame.

Clients authenticate with the Authorization Server in accordance with Section 4.4 of OAuth 2.0 RFC6749.

Use Case for Access Tokens

Access tokens are required by a user or service that wants to access the APIs. A user or service wanting access makes a call to an endpoint, and a valid access token is returned with a successful response. This access token is used to authorize access and use APIs. 

Generating an access token is handled though the UI and a service requests an access token on behalf of the user. Most users are unaware of this endpoint and a service handles communications for the user.

Get an Access Token

You generate and use an access token for API access calls into your Cloud Tenant. Access tokens are valid for one hour and are reusable during the validity period. Access tokens use the JSON Web Tokens (JWT) open industry standard; therefore, decoding them will not show sensitive information. Tokens expire within 59 minutes.

You cannot view or revoke API-generated tokens that have Default API-generated Token Expiration through the UI or REST API. You can follow the steps below once you have an Application Principal created. See creating the service principal.

Generate an Access Token

Application principal token requests require that your application adhere to a standard OAuth2.0 request format. The authentication method you select when creating the service principal determines the method you supply the client credentials in the token request. These application principals are managed by the Application Principal Management API.

Request Examples:

You can use this URL to obtain your tenantId, where tenantName is the name of your tenant.

curl "https://observe-tenant-lookup-api.saas.appdynamics.com/tenants/lookup/{tenantName}.observe.appdynamics.com"

For a client configuration using Basic authentication, the client credentials are sent in the basic authorization header. For example:

curl -X "POST" "https://{tenantName}.observe.appdynamics.com/auth/{tenantId}/default/oauth2/token" \ 
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \ 
-u '{client_id}:{client_secret}' \ 
--data-urlencode "grant_type=client_credentials"

If the client configuration uses Post authentication, the client credentials are sent in the request body. For example:

curl -X "POST" "https://{tenantName}.observe.appdynamics.com/auth/{tenantId}/default/oauth2/token" \ 
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \ 
--data-urlencode "grant_type=client_credentials" \ 
--data-urlencode "client_id={client_id}" \ 
--data-urlencode "client_secret={client_secret}"

Response Examples:

Any method you use to pass the credentials returns a standard OAuth2.0 token response. For example:

{ "access_token": "{JWT accessToken}", "expires_in": 3599, "scope": "introspect_tokens revoke_tokens", "token_type": "bearer" }

You can use the returned access token in requests to permitted APIs in the authorization header as a Bearer type. For example:

curl "https://{tenantName}.observe.appdynamics.com/{someAPI}" \ 
-H 'Authorization: Bearer {accessToken}'

Generate Additional Access Tokens

When an access token expires, another request to generate a new access token is required.

To generate a new access token:

  1. Create a service principal.
  2. Obtain the client and secret from the UI.
  3. Request an access token through an OAuth2 endpoint with the grant_type=client_credentials.

OpenID Connect Discovery Endpoint

The functionality of this endpoint is to fetch and return the OpenID Configuration. A successful response message returns a JSON document with the OpenID Configuration attributes. The OpenID Connect Discovery endpoint returns a list of OAuth/OpenID endpoints, supported scopes, claims, and the public key used to sign the tokens. Clients can use this to understand the OAuth and OpenID supported operations. It's an API as prescribed by OpenID Connect standard.

Use this URL to obtain the current OpenID configuration: 

curl --request GET \
--url https://{host}/auth/{tenantId}/default/.well-known/openid-configuration