Introduction

Authentication on the platform Unico IDCloud uses the protocol OAuth2, in the model Two-Legged OAuth (2LO).

  • Is done through a service account, linked to the application (not to a user).

  • The application calls Unico's APIs on behalf of the service account.

  • Ideal scenario for server-to-server interactions.

Service Account Request

To create the service account, send to your company's project manager:

  • Name of the service account to be created (up to 12 characters);

  • Name, email and mobile phone of the person responsible for the service account.

Homologation and Production require separate accounts.

After submitting the data the service account will be created and you will receive an email to generate the private key (.PEM). The service account includes:

  • Unique account name.

  • Tenant ID (company identifier).

  • The base payload to build the JWT

  • Private key (.PEM) - the browser will automatically download it at the end of the service account generation, and it will be available in your computer's downloads folder.

💡Check your SPAM folder if you cannot find the email to generate the service account.

If you need the public key, request it from the project manager or generate it via OpenSSL:

Authentication Flow

Your application must follow 4 steps:

  1. Create the JWT (header + payload + signature).

  2. Request the access token (access-token) on the authentication platform.

  3. Handle the response (store and use the access-token in API calls).

  4. Validity of the access token.

1. Creating the JWT

Note: jwt.io can be used to visualize JWT content for learning or debugging. It should not be used as part of production workflows

1.1 Structure

A JWT has 3 parts concatenated by .:

1.2 Header

Base64url:

1.3 Payload

Field
Description

iss

Identifier of the service account (Service Account). The pattern is: account name + @ + Tenant ID + iam.acesso.io. (ex: "service_account_name@tenant_id.iam.acesso.io").

scope

Requested permissions. Use "*" for all.

aud

Always https://identityhomolog.acesso.io (⚠️ no trailing slash and always with HTTPS).

iat

Time of JWT issuance, in seconds (in Unix Timestamp format).

exp

Token expiration in seconds (max. +3600s in relation to the iat). This value cannot be fixed and has a maximum time of 1 hour after the JWT issuance time.

Example calculation:

1.4 Signature

  • Algorithm: RS256 (RSA + SHA-256).

  • Input: {Header Base64url}.{Payload Base64url}.

  • Signature made with the private key (.key.pem).

  • Final result:

Below is an example of a JWT token before Base64url encoding:

2. Requesting the Access Token

Send the signed JWT to the platform:

POST Endpoint:

  • UAT: https://identityhomolog.acesso.io/oauth2/token;

  • PROD: https://identity.acesso.io/oauth2/token.

Headers:

Body:

Name
Description

grant_type

Use the following text, URL-encoded if necessary: urn:ietf:params:oauth:grant-type:jwt-bearer.

assertion

The JWT, including the signature.

Request example:

3. Handling the Response

Example response from the platform:

  • Use the access_token in all calls to Unico's APIs.

  • If an error is returned, validate:

    • JWT properly formed.

    • Time set in the iat and exp;

    • Service account with necessary permissions.

4. Validity of the Access Token

  • The time is reported in expires_in (seconds).

  • Default: 3600s (1 hour).

  • Renew the token when there are 10 minutes left to expire.

Examples:

A new access token can be requested when there are 10 minutes left to expire.

  • ¹ According to RFC 4648 on BaseN encoding, the Base64url format is similar to Base64 format, except for the character = which must be omitted, and the characters + and / which must be replaced by - and _, respectively.

  • ² JSON Web Signature: https://tools.ietf.org/html/rfc7515.

PreviousAuthenticationNextAPI Reference

Last updated