---
title: "Authorization"
order: d1
---

## Global UPC

Global UPC currently supports JWT Bearer Grant (https://datatracker.ietf.org/doc/html/rfc7523) for service-to-service auth and Authorization Code Grant (https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.1) to auth on behalf of a user.

### JWT Bearer Grant

#### Prerequisites

In order to use the JWT Bearer Grant flow with Global UPC, Global UPC must be provided with public keys that can be used to validate the incoming JWTs. These public keys are provided through either the `jwks_uri` property or the `jwks` property during [DCR](../dcr/). While either can be used, both __cannot__ be used at the same time. It is highly recommended that `jwks_uri` is used, as that means the keys provided do not have to be static and can be rotated. For more information, see: https://ghe.megaleo.com/identity/admiral/blob/29810fa7fe30ffd6152521cd906f28ad4c1cfcf9/admiral/src/main/kotlin/com/workday/upc/admiral/io/ClientMetadata.kt#L146-L173.

#### High level flow

1. Your application authors a JWT signed by your application's private key, which was generated during registration at the DCR endpoint.
2. Your application makes an API call to Global UPC to obtain tokens.
3. These tokens can be used to make authenticated requests.

#### Usage

When calling the `/token` endpoint with the JWT Bearer flow, the token request should include:

- `grant_type` set to `urn:ietf:params:oauth:grant-type:jwt-bearer`
- an `assertion` field, which is a JWT with the following claims:

| claim | type | notes |
| -------- | -------- | -------- |
| iss | string | must contain the client id obtained from DCR |
| sub | string | must contain the client id obtained from DCR |
| exp | [numeric date](https://www.rfc-editor.org/rfc/rfc7519#section-2) | must contain an expiration time that limits the time window during which the JWT can be used |
| keyId | string | must contain the keyId registered during DCR |

### Authorization Code Grant

#### Prerequisites

In order to use the Authorization Code Grant flow, a client must be registered with Global UPC via [DCR](../dcr/).

#### High level flow

1. Your application directs the browser to the Global UPC authorization endpoint. The parameters for the redirect are obtained from registering your client via DCR.
2. The user authenticates to Global UPC.
3. The user is redirected back to your application with an authorization code from Global UPC.
4. Your application makes a backchannel request to Global UPC using this code along with the client secret to exchange the code for tokens.
5. Global UPC then returns tokens which can be used by your app to make requests on behalf of the user.
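Returning to the JWT Bearer Grant usage above, the following Go program is an added example (not code from this page or from the Global UPC code base): it builds the `assertion` JWT with the `iss`, `sub`, `exp` and `keyId` claims from the table, and shows the check the receiving side performs before trusting it. The client id and key id values, and the choice of RS256 as the signing algorithm, are assumptions; the page does not state which algorithms Global UPC accepts.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// BuildAssertion signs {iss, sub, exp, keyId} with the client's RSA private key (RS256 is an assumed algorithm); the result is the "assertion" form value for /token.
func BuildAssertion(clientID, keyID string, exp time.Time, key *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "exp": exp.Unix(), "keyId": keyID})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(claims) // JWS segments are unpadded base64url
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyAssertion is the receiving side's check: RS256 signature under the public key registered via jwks/jwks_uri (algorithm pinned, never read from the header), iss == sub == registered client id, exp still in the future.
func VerifyAssertion(token, clientID string, pub *rsa.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return nil, errors.New("bad base64url segment")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify under the registered key")
	}
	var c map[string]any
	if err := json.Unmarshal(payload, &c); err != nil || c["iss"] != clientID || c["sub"] != clientID {
		return nil, errors.New("iss and sub must both equal the registered client id")
	}
	if exp, ok := c["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("exp missing or already passed")
	}
	return c, nil
}
```

The returned JWT is sent as the `assertion` form field together with `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`; a short `exp` keeps a leaked assertion usable only for a small window.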