Authorizing Service (MACHINE-TO-MACHINE)


Service apps are designed to operate without user interaction (sometimes called two-legged OAuth) in order to access web-hosted resources by using the identity of an application. Services run on a server where the source code or configuration of the application is not available to the public. This allows the use of a client secret when communicating with the authorization server to help improve security.

NOTE: Your client credentials carry many privileges, so be sure to keep them secure!

The service app type does not represent any user or organization and does not have access to anything by default. If you want to provide access to projects for that application, you need to invite it to the projects using the client email shown on the App details page.

To connect to a SYNCHRO 4D project schedule, the service application's client email must be added to the project in SYNCHRO Control (https://construction.bentley.com):

Select the SYNCHRO 4D project > Administration > Manage your team > Add users > Add user provided from Service app

The Service app user must be provided with a Role that has the appropriate read/write permissions for the commands you would like it to perform.

Client Credential Flow

The Client Credential flow provides the ability for a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling a web service. Permissions are granted directly to the application itself by an administrator. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action, since there is no user involved in the authentication.

These are the steps that the Client Credential flow executes:

  1. Redirect the web server to the authorization server endpoint with Client ID and Client Secret
  2. Authorization server validates the Client ID and Client Secret and returns Access Token
  3. Client uses the access token to call the API

The following steps outline how to implement the client credential flow in your application:

  1. Redirect the web server to the authorization server endpoint with Client ID and Client Secret

In order to initiate the client credential flow, you need to call Bentley's token endpoint: https://ims.bentley.com/connect/token

The URL requires the following parameters:

    • grant_type=client_credentials: Must be set to client_credentials
    • client_id=<insert_your_client_id_here>: Provide the client ID of your application.
    • client_secret=<insert_your_client_secret_here>: Provide the client secret that was provided when you registered your app. The client secret must be URL-encoded before being sent.
    • scope=<insert_scopes_of_API_here>: Include the scopes for the API, which are the permissions to request the end user's consent for. For each API, you can find the required scopes in the additional API-specific documentation.

  2. Authorization server validates the Client ID and Client Secret and returns Access Token

This step will be performed by Bentley's authorization server and does not require anything to be implemented in your application. A successful response will include an access token.

  3. App uses the access token to call the API

You can now use the access token to call the API as long as it has not expired. Add the provided token to the Authorization header of your API request, using the Bearer scheme.

curl https://ims.bentley.com/connect/token -X POST \
  --data-urlencode grant_type=client_credentials \
  --data-urlencode client_id=<client_id> \
  --data-urlencode client_secret=<client_secret> \
  --data-urlencode scope=<scope>
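The same token request and Bearer usage as an added Python example, not part of Bentley's documentation or SDK. It assumes the standard OAuth 2.0 token response fields (access_token, token_type, expires_in); client ID, secret and scope values are constructed placeholders, and the token is cached and refreshed shortly before expiry so the secret is presented only when needed.

```python
"""Client-credentials flow against the token endpoint described above (added example)."""
from __future__ import annotations
import json
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://ims.bentley.com/connect/token"


def build_token_request(client_id: str, client_secret: str, scope: str):
    """Return the form body and headers for the token POST.

    urlencode percent-encodes every value, which satisfies the requirement that
    the client secret be URL-encoded before it is sent.
    """
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode("ascii")
    return body, {"Content-Type": "application/x-www-form-urlencoded"}


def fetch_token_over_http(client_id: str, client_secret: str, scope: str) -> dict:
    """Perform the real POST (step 1) and return the parsed JSON response (step 2)."""
    body, headers = build_token_request(client_id, client_secret, scope)
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one access token and re-requests it `skew_seconds` before expiry."""

    def __init__(self, fetch, skew_seconds: int = 60):
        self._fetch = fetch            # callable returning the token response dict
        self._skew = skew_seconds
        self._token = None
        self._expires_at = 0.0

    def authorization_header(self, now: float | None = None) -> dict:
        """Return the header for step 3; refreshes when the cached token is near expiry."""
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type: %r" % resp.get("token_type"))
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"])
        return {"Authorization": "Bearer " + self._token}
```

In production, build the cache with `TokenCache(lambda: fetch_token_over_http(client_id, client_secret, scope))` and pass `authorization_header()` to each API request; keep the secret out of logs and URLs.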