Authenticate APIs with OAuth

Medallia Experience Cloud security framework uses OAuth 2.0 for authenticating access to data. Applications that access the Experience Cloud APIs are OAuth clients. Each OAuth client receives these credentials:

  • Client ID — Unique identifier for the client, and passed to the server as the clientId parameter when authenticating with the authorization server.

  • Client Secret — Pre-authenticated identification associated with the client, and passed to the server as the clientSecret parameter when authenticating with the authorization server.

  • OAuth Token Endpoint (API endpoint) — URL to the OAuth server's token-endpoint for the company; where applications request tokens. It will have this format similar to this: https://instance.medallia.com/oauth/companyName/token.

Important: Contact your Medallia expert to get access to an instance and to get your the client credentials. Your expert will:

  • Enable API access for the instance, if it is not already enabled.

  • Create application and OAuth accounts for your application, and provide the:

    • Client ID.

    • Client secret.

    • OAuth endpoint.

Applications pass the client ID and secret to the OAuth token endpoint in return for an access (bearer) token, which is used when requesting resources from the resource server.

Application passes clientId and clientSecret to token endpoint to get the access (bearer) token, which is then used when requesting resources

Request OAuth authorization (Client credentials)

Applications request authorization for access to a company from the company's OAuth token endpoint, which is a URL in this format: https://instance.medallia.com/oauth/companyName/token. For example, https://queryapidemo.demo.sc4.medallia.com/oauth/myCompany/token.

When requesting the token, pass in the client ID and secret values as username and password arguments when making the request.

cURL example

For curl, use this template: 

curl <TOKEN_URL> -X POST -u 'CLIENT_ID:CLIENT_SECRET' -d grant_type=client_credentials

For example, in this curl invocation the Client ID and Client secret are querydemo and query12345:

curl https://queryapidemo.demo.sc4.medallia.com/oauth/fs/token -X POST -u 'querydemo:query12345' -d grant_type=client_credentials

Alternatively, you can use this template to specify each value as a data element:

curl <TOKEN_URL> -X POST -d client_id=CLIENT_ID -d client_secret=CLIENT_SECRET -d grant_type=client_credentials

In which case the example looks like this:

curl https://queryapidemo.demo.sc4.medallia.com/oauth/fs/token -X POST -d client_id=querydemo -d client_secret=query12345' -d grant_type=client_credentials
Note: The second example is more versatile, but is not supported by all curl implementations.

Java client example

This Java example uses the Google OAuth client to pass client ID (key) and secret to the endpoint to request a bearer token. The Client ID and Client secret are querydemo and query12345:

  1. Add Google Gradle dependencies to your build.gradle project file:

    compile 'com.google.oauth-client:google-oauth-client:1.23.0'
compile 'com.google.http-client:google-http-client-jackson2:1.23.0'

  2. Obtain an access token by authenticating to the corresponding token endpoint:

    import com.google.api.client.auth.oauth2.BearerToken;
import com.google.api.client.auth.oauth2.ClientCredentialsTokenRequest;
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.auth.oauth2.TokenResponse;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequestFactory;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;

import java.io.IOException;

public class SampleApplication {

    public static void main(String[] args) throws IOException {
        String accessToken = getAccessToken("https://queryapidemo.demo.sc4.medallia.com/oauth/fs/token", 
                                            "querydemo", "query12345");
        System.out.println("Access token: " + accessToken);
    }

    private static String getAccessToken(String tokenUrl, String clientId, String clientSecret) throws IOException {
    TokenResponse response =
       new ClientCredentialsTokenRequest(
           new NetHttpTransport(),
           new JacksonFactory(),
           new GenericUrl(tokenUrl))
           .setGrantType("client_credentials")
           .setClientAuthentication(
           new ClientParametersAuthentication(
               clientId, clientSecret))
           .execute();

    return response.getAccessToken();

}
    Once you have obtained an access token, you can use it to request resources. For more information, see Make an API call using the access (bearer) token.

Authorization code flow

Some Medallia Experience Cloud APIs require a token that must be requested using the Authorization code Grant and requesting an OpenID token. The Authorization Code Flow involves exchanging an authorization code for a token. For more information see section 4.1 of the OAuth 2.0 authorization framework.

Experience Cloud uses this grant type to obtain both an access token and an ID token.

This is a redirection based grant, redirect URIs must be configured manually. This URI will be used when requesting a code to exchange for a token.

Diagram showing Authorization Grant Flow, where the application must be capable of interacting with the user agent and receiving API authorization codes routed through the user agent

Request OAuth authorization (Authorization code grant)

Applications request authorization for access to a company from the company's OAuth authorization endpoint, which is a URL in this format: https://instance.medallia.com/oauth/companyName/authorize.

For example, https://queryapidemo.demo.sc4.medallia.com/oauth/myCompany/authorize.

Follow the steps below to receive both the access token and the ID token.

  1. Request an authorization code to the OAuth Authorization endpoint.

    1. Log in to the instance.

    2. Use the OAuth Authorization endpoint to request the code. Use this template to construct the request URL:

      https://<OAuth-authorization-endpoint>/?client_id=<client_id>&response_type=code&redirect_uri=<redirect-URI-for-client>&state=295

      The authorization code is returned in the URL:

      https://<redirect-URI-for-client>?state=295&code=<code>&session_state=<session>
      Tip: The issued code is valid even if your browser shows an HTTP 404 code (page not found) error.
      Restriction: The issued code can only be used once. Do not refresh your browser to get a new code: once you have the request URL, click it again or copy it and paste it on your browser's address bar to obtain a new authorization code.

  2. Exchange this code for the tokens using the OAuth Token Endpoint:

    To know this endpoint, in Setup, go to the Integrations > OAuth > Configuration tab and check the OAuth Token Endpoint.

    For cURL, use this template:

    curl \
  -d client_id="<client_id>" \
  -d client_secret="<client_secret>" \
  -d grant_type="authorization_code" \
  -d code="<code>" \
  -d redirectURI="<https://<redirect-URI-for-client>?" \
  https://<OAuth-token-endpoint>

    The response looks like this:

    {"access_token":"<access-token>","token_type":"Bearer","expires_in":3600,"scope":"refreshToken openid email profile phone address","refresh_token":"<refresh-token>","id_token":"<JWT-id-token>"}

For information on how to use these tokens, see Use the access token and ID token.