Grant types and identity verification

Contributors dmp-netapp

There are several OAuth 2.0 grant types available when requesting an access token to use with Cloud Manager. The grant type is based on the application requirements and authentication environment, and determines how the token is requested.

Tip The refresh token grant is the most secure option when requesting a user access token. It can be used in both a federated and non-federated authentication environment.

Refresh token

This grant type generates a token used with either federated or non-federated authentication. You need to provide the OAuth2-compliant refresh token to the authentication endpoint to generate a long-lived access token. The generated token can be used to access resources across multiple domains. Here is an example of the JSON input used when requesting the token with a description of each parameter.

{
    "grant_type": "refresh_token",
    "refresh_token": "YOUR_REFRESH_TOKEN",
    "client_id": "Mu0V1ywgYteI6w1MbD15fKfVIUrNXGWC"
}
Parameter Description

grant_type

Must be set to "refresh_token".

refresh_token

The refresh token issued by the OAuth2 server.

client_id

The client ID representing NetApp Cloud Manager. This value is constant and the same for all customers.

The OAuth server verifies the Client ID and confirms that the request came from an authorized client. It also makes sure the refresh token is valid. After the request is validated, the server returns a response with the refresh token.

Password

This grant type generates a token used with non-federated authentication to access resources within a single domain. You need to provide the username and password login credentials to the authentication endpoint when requesting the access token. Here’s an example of the JSON input used when requesting the token with a description of each parameter.

{
    "grant_type": "password",
    "username": "YOUR_EMAIL_ADDRESS",
    "password": "YOUR_PASSWORD",
    "audience": "https://api.cloud.netapp.com",
    "client_id": "QC3AgHk6qdbmC7Yyr82ApBwaaJLwRrNO"
}
Parameter Description

grant_type

Must be set to "password".

username

The user’s email address.

password

The user’s password.

audience

The resource identifier.

client_id

The client ID issued when you registered the application.

Client credentials

In some cases, static clients or applications need to acquire an access token to perform operations on behalf of a user. Applications need to obtain an access token for their own service account without user intervention. In these situations you can use the client credentials grant type. Here is an example of the JSON input used when requesting the token with a description of each parameter.

{
    "grant_type": "client_credentials",
    "client_id": "<CLIENT_ID>",
    "client_secret": "<CLIENT_SECRET>"
}
Parameter Description

grant_type

Must be set to "client_credentials".

client_id

The client ID issued when you registered the application.

client_secret

The client secret issued when you registered the application. This should be kept confidential.

The OAuth2 server verifies the application through the client ID with client secret and returns an access token in the response.