Authentication API for service-service token

I want to get a service-service token (per Mitel account) and then use the same to call the subsequent APIs. Which API call is best for it? "cloudlink-user-authorizer" or "cloudlink-client-authorizer"?

While you can’t get an account level token, you can create a ‘client’ in the account that represents your app and then use it to get tokens the same way you can for a user. The way you would do this is:

  1. Create a Client using the Admin API. In the request body (JSON):
    a. Role can be USER or ACCOUNT_ADMIN, depending on what your app needs to do.
    b. Type should be ‘APP’
    c. ClientID can be specified, otherwise one is generated for you.
  2. Request a token with the same Auth API path that you’d use for a user token (POST /token). In the request body (x-www-form-urlencoded):
    a. grant_type = “client_credentials”
    b. client_id = {created in step 1}
    c. client_secret = {included in the response body in step 1}
    d. account_id = {The relevant CL Account number}

Let me know if that gets you what you need!

So do we have to add such a user for each account?

This all really depends on what you’re trying to do, exactly. Can you offer any details? In CloudLink you have two account levels you can work with:

Partner Account
→ Account 1
→ Account 2
→ etc…

If you create a Client in a ‘customer’ account, the highest role you can give it is “ACCOUNT_ADMIN” and it will only be able to run operations within that account.

If you create a Client in your partner account and give it a role of “PARTNER_ADMIN”, it can run operations in your partner account and any of the accounts within. If you instead give it a role of “ACCOUNT_ADMIN”, then it will be able to run operations in your partner account but not any of the accounts within.

As a best practice, you should make sure that you’re only giving that Client a role that grants the minimum required access required to do its job and nothing more.
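
An added example, not part of the thread and not Mitel's code: it builds the `POST /token` client_credentials request from the steps in the first reply and picks the least-privileged role following the account rules in the reply above. The base URL, the environment variable name, the function names and the sample values are assumptions made for illustration.

```python
import os
import urllib.parse
import urllib.request

# Assumption: placeholder host; the thread does not give the Auth API base URL.
AUTH_BASE_URL = "https://auth.example.invalid"


def minimum_role(client_in_partner_account, needs_child_accounts, needs_admin):
    """Pick the least-privileged role that still covers what the app must do."""
    if needs_child_accounts:
        # Only a Client created in the partner account can reach accounts within it.
        if not client_in_partner_account:
            raise ValueError("a Client in a customer account is confined to that account")
        return "PARTNER_ADMIN"
    return "ACCOUNT_ADMIN" if needs_admin else "USER"


def build_token_request(client_id, client_secret, account_id, base_url=AUTH_BASE_URL):
    """Build (but do not send) the x-www-form-urlencoded POST /token request."""
    if not client_secret:
        raise ValueError("client_secret is empty; load it from a secret store")
    # urlencode escapes characters such as & = + that would corrupt the form body.
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "account_id": account_id,
    }).encode("ascii")
    return urllib.request.Request(
        base_url.rstrip("/") + "/token",
        data=form,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def redacted_form(request):
    """Return the form fields with the secret masked, safe to write to logs."""
    fields = dict(urllib.parse.parse_qsl(request.data.decode("ascii")))
    fields["client_secret"] = "***"
    return fields


if __name__ == "__main__":
    # Constructed sample values; the secret is read from the environment, not source.
    secret = os.environ.get("CL_CLIENT_SECRET", "constructed-demo-secret")
    req = build_token_request("my-app", secret, "123456")
    print(req.get_method(), req.full_url, redacted_form(req))
```

Send the request with `urllib.request.urlopen(req)` once the real Auth API host is substituted, and log only the output of `redacted_form`.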

The intent is to create an App with a clientId-secret in my account and use the same App outside my account to get customer account users information by authenticating on behalf of customers using OAuth. Is this capability supported?

Essentially, yes. Create the Client in your account with a role of PARTNER_ADMIN, then use it to obtain your token as outlined above. When you hit GET /accounts/{accountID}/users, it will return all users in the designated account.

You can also use the Assume Role Feature which can help prevent any unintended or accidental changes by assuming a more limited role within the desired account. You just provide the account and role, then it returns a token and refresh_token you can use for subsequent calls which limits you to the capabilities of that role in that account.

Great!! Thanks a lot for the clarification Budd. I will dig deep into it.