Authenticating APIs with OAuth
The Medallia Experience Cloud security framework uses OAuth 2.0 to authenticate access to data. Applications that access the Experience Cloud APIs are OAuth clients. Each OAuth client receives these credentials:
- Client ID — Unique identifier for the client, passed to the authorization server as the clientId parameter when authenticating.
- Client Secret — Secret credential associated with the client, passed to the authorization server as the clientSecret parameter when authenticating.
- OAuth Token Endpoint (API endpoint) — URL of the OAuth server's token endpoint for the company, where applications request tokens. It has a format similar to this: https://instance.medallia.com/oauth/companyName/token
- Enable API access for the instance, if it is not already enabled.
- Create application and OAuth accounts for your application, and provide the:
  - Client ID.
  - Client secret.
  - OAuth endpoint.
Applications pass the client ID and secret to the OAuth token endpoint in return for an access (bearer) token, which is used when requesting resources from the resource server.
Requesting OAuth authorization (getting a token)
Applications request authorization for access to a company from the company's OAuth token endpoint, which is a URL in this format: https://instance.medallia.com/oauth/companyName/token. For example: https://queryapidemo.demo.sc4.medallia.com/oauth/myCompany/token.
When requesting the token, pass the client ID and client secret as the username and password arguments of the request.
cURL example
For curl, use this template:
curl <TOKEN_URL> -X POST -u 'CLIENT_ID:CLIENT_SECRET' -d grant_type=client_credentials
For example, in this curl invocation the Client ID and Client secret are querydemo and query12345:
curl https://queryapidemo.demo.sc4.medallia.com/oauth/fs/token -X POST -u 'querydemo:query12345' -d grant_type=client_credentials
Alternatively, you can use this template to specify each value as a data element:
curl <TOKEN_URL> -X POST -d client_id=CLIENT_ID -d client_secret=CLIENT_SECRET -d grant_type=client_credentials
With that template, the example looks like this:
curl https://queryapidemo.demo.sc4.medallia.com/oauth/fs/token -X POST -d client_id=querydemo -d client_secret=query12345 -d grant_type=client_credentials
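As an added illustration of both curl templates above (this is example code, not Medallia's), the following Python builds the two request shapes curl produces (credentials in an HTTP Basic Authorization header, or as client_id/client_secret form fields), parses the JSON token response, and builds the Authorization header used on later API calls. The token endpoint, client ID and client secret are the page's demo values; the sample token response is constructed for this example, and the expires_in handling assumes the standard OAuth 2.0 token-response fields (RFC 6749 section 5.1), which the page itself does not describe.

```python
"""Client-credentials token request against a Medallia OAuth token endpoint.

Added example, not Medallia's code. Builds the two HTTP request shapes the curl
templates produce, validates the JSON token response, and attaches the bearer
token to an API call. Uses only the standard library.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

# Demo values from the page's curl examples.
TOKEN_URL = "https://queryapidemo.demo.sc4.medallia.com/oauth/fs/token"
CLIENT_ID = "querydemo"
CLIENT_SECRET = "query12345"


def basic_auth_header(client_id, client_secret):
    """What `curl -u 'ID:SECRET'` sends: HTTP Basic over the id:secret pair."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(token_url, client_id, client_secret, secret_in_body=False):
    """Return the POST that requests a token via the client_credentials grant.

    secret_in_body=False mirrors the first curl template (credentials in the
    Authorization header); True mirrors the second (client_id/client_secret as
    form fields). Either way the body is form-encoded, as curl's -d flags do.
    """
    form = {"grant_type": "client_credentials"}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if secret_in_body:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    return {"method": "POST", "url": token_url, "headers": headers,
            "body": urllib.parse.urlencode(form)}


def parse_token_response(raw, now=None):
    """Validate an OAuth 2.0 token response and compute an absolute expiry time.

    Rejects error responses, responses without an access_token, and responses
    whose token_type is not Bearer (compared case-insensitively, per RFC 6749).
    """
    data = json.loads(raw)
    if "error" in data:
        raise ValueError(f"token endpoint returned error: {data['error']}")
    token = data.get("access_token")
    if not token:
        raise ValueError("token response has no access_token")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    now = time.time() if now is None else now
    expires_at = now + int(data["expires_in"]) if "expires_in" in data else None
    return {"access_token": token, "expires_at": expires_at}


def bearer_header(access_token):
    """Header to add to every API call made with the token."""
    return {"Authorization": f"Bearer {access_token}"}


def request_token(token_url=TOKEN_URL, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Perform the token request over the network (needs real credentials)."""
    req = build_token_request(token_url, client_id, client_secret)
    http_req = urllib.request.Request(req["url"], data=req["body"].encode(),
                                      headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(http_req, timeout=10) as resp:
        return parse_token_response(resp.read())


# Constructed sample of a successful token response, so the example runs offline.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "EXAMPLE-ACCESS-TOKEN",
    "token_type": "Bearer",
    "expires_in": 3600,
}).encode()

if __name__ == "__main__":
    req = build_token_request(TOKEN_URL, CLIENT_ID, CLIENT_SECRET)
    print(req["method"], req["url"], req["body"])
    info = parse_token_response(SAMPLE_RESPONSE, now=0)
    print(bearer_header(info["access_token"]), "expires at", info["expires_at"])
```

The header form keeps the client secret out of the request body and out of any body logging; with either form, note that the secret typed on a curl command line also lands in the shell history, so a real client should read it from a secrets store or environment rather than a literal. Checking token_type and tracking expires_at lets the client refresh before a call fails with 401 rather than after.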
Java client example
This Java example uses the Google OAuth client to pass client ID (key) and secret to the endpoint to request a bearer token. The Client ID and Client secret are querydemo and query12345:
- Add the Google OAuth client Gradle dependencies to your build.gradle project file:
compile 'com.google.oauth-client:google-oauth-client:1.23.0'
compile 'com.google.http-client:google-http-client-jackson2:1.23.0'
- Obtain an access token by authenticating to the corresponding token endpoint:
import com.google.api.client.auth.oauth2.ClientCredentialsTokenRequest;
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.oauth2.TokenResponse;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import java.io.IOException;

public class SampleApplication {
    public static void main(String[] args) throws IOException {
        // Token endpoint, client ID and client secret from the curl examples above
        String accessToken = getAccessToken(
                "https://queryapidemo.demo.sc4.medallia.com/oauth/fs/token",
                "querydemo", "query12345");
        System.out.println("Access token: " + accessToken);
    }

    // Performs the client_credentials grant: the client ID and secret are sent as
    // client_id/client_secret form parameters and the access token is read from
    // the JSON token response.
    private static String getAccessToken(String tokenUrl, String clientId, String clientSecret)
            throws IOException {
        TokenResponse response = new ClientCredentialsTokenRequest(
                new NetHttpTransport(), new JacksonFactory(), new GenericUrl(tokenUrl))
                .setGrantType("client_credentials")
                .setClientAuthentication(
                        new ClientParametersAuthentication(clientId, clientSecret))
                .execute();
        return response.getAccessToken();
    }
}
Once you have obtained an access token, you can use it to request resources. For more information, see Making an API call using the access (bearer) token.