{"componentChunkName":"component---src-pages-markdown-remark-fields-slug-js","path":"/engineering/using-m2m-authorization-for-apis-and-apps/","result":{"data":{"markdownRemark":{"id":"c70129fd-4709-5c3c-8cef-506212098a48","excerpt":"There are many use cases of a system where machine-to-machine (M2M) communication is required, or you need to manage access for internal and external APIs. The…","html":"

There are many use cases of a system where machine-to-machine (M2M) communication is required, or you need to manage access for internal and external APIs. The example of M2M communications are:

\n\n

In such cases, the generic authentication methods such as email/password and social login — requiring human intervention — don’t fit well. These interactions also need a secure and easy-to-use authorization process for permission-based data access.

\n

M2M Authorization fulfills both these requirements. Let’s know more about what it is and how it works.

\n

What is M2M Authorization?

\n

M2M Authorization is the process of providing remote systems with secure access to information. Using this process, business systems can communicate autonomously and execute business functions based on predefined authorization.

\n

It is exclusively used for scenarios in which a business system authenticates and authorizes a service rather than a user.

\n

LoginRadius M2M Authorization uses the Client Credentials Grant Flow (defined in OAuth 2.0 RFC 6749), in which the client passes along secure credentials to authenticate themselves and receive an authorization token.

\n

How LoginRadius M2M Authorization Works

\n

Suppose an organization has a microservices environment consisting of multiple services running locally. The organization also has data storage on a different network and requires:

\n\n

As a standard process and security measure, services require authorization while saving and reading the data to and from the storage. The organization can use LoginRadius for autonomous authorization by creating two dedicated M2M apps with write and read permissions.

\n

The following two scenarios explain how you can use LoginRadius M2M Authentication and Authorization to share permission-based access of APIs to any internal or external systems:

\n
\n

Important: M2M App referred to in the scenarios below must be created individually for each internal or external system you want to grant access to. Upon app creation, you receive the Client Id and Client Secret.

\n
\n

Scenario 1: To grant desired access to your LoginRadius Management APIs.

\n

To start using the M2M Authorization for this scenario, you need to create an M2M App and define the desired scope of API(s), as explained here.

\n

\n \n \n

\n\n

Implement M2M Authorization with LoginRadius APIs

\n
    \n
  1. \n

    The client (partner, API, service, etc.) requests the access token using the following API:

    \n

    API endpoint: https://api.loginradius.com/services/oauth/token

    \n

    The following is an example request:

    \n
    POST https://<LoginRadiusAppName>.hub.loginradius.com/service/oauth/token\nContent-Type: application/json\n{\n  "audience": "`https://api.loginradius.com/identity/v2/manage",`\n  "grant_type": "client_credentials",\n  "client_id": "<YOUR_CLIENT_ID>",\n  "client_secret": "<YOUR_CLIENT_SECRET>"\n}
    \n
    2. \n
  2. \n

    LoginRadius Authorization Server validates the request. Upon validation, it returns the JWT access token to the client.

    \n

    The following is an example response with an access token:

    \n
    {\n  "access_token": "eyJz93a...k4laUWw",\n  "token_type": "Bearer",\n  "expires_in": 86400,\n}\n\nJWT Token Details\n{\n  "iss": "https://<LoginRadiusAppName>.hub.loginradius.com/",\n  "sub": "<OAuth APPs APIKey>@client",\n  "jti": "<unique Identifier>"\n  "aud":"`https://api.loginradius.com/identity/v2/manage",  //or https://service.example.com/api/v2`\n  "cid": "<APPConfig APIKey>",\n  "sid": "<LR access Token>"  \n  "exp": 1311281970,\n  "iat": 1311281670,\n  "scp": [\n    "profile:read",\n    "profile:create",\n  ],\n  "gty":"client_credentials"\n}
    \n
    3. \n
  3. \n

    The client can call APIs (as per the defined scope) using the JWT token. APIs will work based on permissions without the use of Client Secret.

    \n
    curl --request GET \\\n  --url `https://api.loginradius.com/identity/v2/manage/account/{uid} \\`\n  --header 'authorization: Bearer eyJhb……….jVZ2w'\n  --header 'X-LoginRadius-ApiKey: {apiKey}
    \n
    4. \n
  4. The respective API(s) will work according to the scope or permission.
    5. \n
\n

Implement M2M Authorization with Business APIs

\n
    \n
  1. \n

    The client (partner, API, service, etc.) requests the access token using the following API:\nAPI endpoint: https://hub.loginradius.com/service/oauth/token

    \n
    POST https://<LoginRadiusAppName>.hub.loginradius.com/service/oauth/token\nContent-Type: application/json\n{\n"audience": "<business API endpoint>",\n"grant_type": "client_credentials",\n"client_id": "<YOUR_CLIENT_ID>",\n"client_secret": "<YOUR_CLIENT_SECRET>"\n}
    \n
    \n

    Note: Where <LoginRadiusAppName> is the name of your LoginRadius App.\nIn response, the client will get an access token.

    \n
    \n
    2. \n
  2. \n

    Use the generated JWT token in the authorization for APIs.

    \n
    curl --request GET \\\n--url < API URL > \\\n--header 'authorization: Bearer eyJh………VZ2w'
    \n
    3. \n
  3. The client will get access to the information as per the defined scope.
    4. \n
\n

LoginRadius M2M Authorization — Benefits

\n

Overall, M2M Authorization offers secure access to improve business efficiency — and ultimately enhances user experience. In detail, the benefits include but are not limited to:

\n\n

Conclusion

\n

M2M Authorization is a secure and reliable method of autonomous interactions. It aids business systems in achieving greater efficiency and eliminates the need for human involvement. It also enables businesses to provide flexible machine-to-machine communication while enforcing granular access, authorization, and security requirements.

\n","headings":[{"value":"What is M2M Authorization?","depth":2},{"value":"How LoginRadius M2M Authorization Works","depth":2},{"value":"Client Credentials Grant Flow","depth":3},{"value":"Implement M2M Authorization with LoginRadius APIs","depth":2},{"value":"Implement M2M Authorization with Business APIs","depth":2},{"value":"LoginRadius M2M Authorization — Benefits","depth":2},{"value":"Conclusion","depth":2}],"fields":{"slug":"/engineering/using-m2m-authorization-for-apis-and-apps/"},"frontmatter":{"metatitle":null,"metadescription":null,"description":"How can you ensure APIs, web services, and business systems communicate and access the information securely without human intervention? The answer is machine-to-machine (M2M) authorization.","title":"M2M Authorization: Authenticate Apps, APIs, and Web Services","canonical":null,"date":"April 29, 2022","updated_date":null,"tags":["M2M","Authorization","Authentication"],"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/55b15bddf195e3eaa39cb0e655abac95/03979/m2m-authorization-for-apis-apps-and-web-services.png","srcSet":"/static/55b15bddf195e3eaa39cb0e655abac95/f5f11/m2m-authorization-for-apis-apps-and-web-services.png 200w,\n/static/55b15bddf195e3eaa39cb0e655abac95/6d133/m2m-authorization-for-apis-apps-and-web-services.png 400w,\n/static/55b15bddf195e3eaa39cb0e655abac95/03979/m2m-authorization-for-apis-apps-and-web-services.png 800w,\n/static/55b15bddf195e3eaa39cb0e655abac95/aca38/m2m-authorization-for-apis-apps-and-web-services.png 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Kundan Singh","github":null,"bio":"Director of Product Development @ LoginRadius.","avatar":null}}}},"pageContext":{"id":"c70129fd-4709-5c3c-8cef-506212098a48","fields__slug":"/engineering/using-m2m-authorization-for-apis-and-apps/","__params":{"fields__slug":"engineering"}}},"staticQueryHashes":["1171199041","1384082988","1711371485","1753898100","2100481360","229320306","23180105","528864852"]}