Authentication

Access to almost all endpoints of the various Technology Adapter APIs is secured with access tokens. The tokens are generally bound to individual TRUMPF Accounts and are issued by https://identity.trumpf.com. identity.trumpf.com implements the OpenID Connect protocol, which provides different ways to retrieve tokens depending on the type of client application.

Just like the identity tokens specified by OpenID Connect (which are not relevant for the API), the access tokens are JWT-style tokens. One consequence of this is that the token content can be read with third-party tools such as https://jwt.io for debugging (for example, to check its expiration time). Note, however, that the JWT format of the access tokens is not something you should depend on. Be sure to pass tokens only to trusted applications, especially while a token is still valid.

The use of OpenID Connect and JWT-based access tokens enforces a strict separation between this API and the authentication processes for sign-up and login.

Passing access tokens to the API

When calling an endpoint of the API, an access token has to be passed in the 'Authorization' header of the request:

Authorization: Bearer <Token>

Retrieving access tokens

An application that wants to access the Technology Adapter API has to request an access token from identity.trumpf.com using a so-called 'Client ID', where the term 'client' refers to the client application, not to the user of the application. Every application has an individual client ID. Currently client IDs are issued by us upon request; if you want one to develop a new application, please get in touch with us.

In the meantime you have two other options to get a token to use with the Technology Adapter API:

  • Get a token from another application

  • Call the authorization endpoint of the identity server manually

Get a token from another application

You can extract a token from your browser when accessing a single-page web application such as https://easyprogramming.cloud, or simply the OpenAPI-based documentation referenced on this site, which is technically also a (very generic) Technology Adapter client. Requests to Technology Adapter endpoints below https://ta.api.trumpf.com/ will be sent with an access token in the Authorization header of the request. You can therefore locate an appropriate request in the developer console of your browser and use its token for your own requests.

Call the authorization endpoint of the identity server manually

You can use the Client ID of a public single-page application that uses the implicit flow, such as the generated API docs, to call the authorization endpoint manually. This will take you to the login page (unless you are already logged in) and will finally redirect you to the callback URL of the application.

You can try it with this link:

The access token will be appended to the fragment identifier (the part following the hash character) of the callback URL. Normally the application removes it immediately, but in this case the login will not succeed and the access token will remain visible in the address bar of the browser, because the request was not triggered by the UI itself:

In a real application, the endpoint which handles the callback URL should be implemented using an OIDC-compliant library; those libraries take care of many non-obvious security details. We also recommend using OpenID Connect Discovery if available: it uses the Issuer URL to fetch a JSON document that lists the endpoints for sign-in, logout, userinfo and more, so you do not have to configure these details yourself.

Be aware that this mechanism cannot currently be used freely by Single Page Applications, since access to the discovery document (https://identity.trumpf.com/oauth2/token/.well-known/openid-configuration) is restricted by CORS rules.
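The following is an added example (not code from TRUMPF or this documentation) of the two client-side steps described above: composing the implicit-flow authorization request from a discovery document, and reading the access token back out of the callback URL's fragment while checking the 'state' value. The discovery document, the client ID and the redirect URI are constructed placeholders, and the use of response_type=token for the implicit flow is an assumption about the client's configuration.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample of an OpenID Connect discovery document. The endpoint
# values are placeholders, not the TRUMPF identity server's real endpoints.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://identity.example.test/oauth2/token",
  "authorization_endpoint": "https://identity.example.test/oauth2/authorize",
  "token_endpoint": "https://identity.example.test/oauth2/token",
  "userinfo_endpoint": "https://identity.example.test/oauth2/userinfo",
  "end_session_endpoint": "https://identity.example.test/oauth2/logout",
  "response_types_supported": ["code", "token", "id_token token"]
}""")


def new_state() -> str:
    """Unguessable per-request value; the callback must echo it back unchanged."""
    return secrets.token_urlsafe(32)


def build_authorization_url(discovery: dict, client_id: str, redirect_uri: str,
                            state: str, scope: str = "openid") -> str:
    """Compose the implicit-flow authorization request (assumed response_type=token)
    from the discovery document instead of hard-coding the endpoint."""
    if "token" not in discovery.get("response_types_supported", []):
        raise ValueError("issuer does not advertise the implicit flow")
    params = {
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def parse_callback_fragment(callback_url: str, expected_state: str) -> dict:
    """Extract the access token the identity server appended to the fragment
    (the part after '#') of the callback URL. Responses whose 'state' does not
    match the one we sent are discarded (CSRF / token-injection check)."""
    fragment = urlsplit(callback_url).fragment
    fields = {k: v[0] for k, v in parse_qs(fragment).items()}
    if "error" in fields:
        raise RuntimeError(f"authorization failed: {fields['error']}")
    if fields.get("state") != expected_state:
        raise RuntimeError("state mismatch: discarding response")
    if fields.get("token_type", "").lower() != "bearer" or "access_token" not in fields:
        raise RuntimeError("callback did not carry a bearer access token")
    return {
        "access_token": fields["access_token"],
        "expires_in": int(fields.get("expires_in", "3600")),
    }


if __name__ == "__main__":
    state = new_state()
    url = build_authorization_url(SAMPLE_DISCOVERY, "my-client-id",
                                  "https://app.example.test/callback", state)
    print(url)
    # Constructed callback URL, as the browser would receive it after login:
    callback = ("https://app.example.test/callback#access_token=eyJ.example.token"
                f"&token_type=Bearer&expires_in=3600&state={state}")
    print(parse_callback_fragment(callback, state))
```

Because the fragment is never sent to the server, the parsing step above runs in the client (in a browser it would read `window.location.hash`); a real application should delegate both steps to an OIDC library, as the text recommends, and the state check is the minimum such a library performs for you.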

The TRUMPF identity server supports other standard OAuth2/OpenID Connect flows beyond the basic "Implicit Flow" used above. Which one is most appropriate depends on the type of your application, and has to be decided when the OpenID Connect client ID is created.

Token lifetime

Access tokens are only valid for a limited time, currently 1 hour. It is up to the application to obtain a new token before the current one expires. OIDC client libraries implement different strategies for this, such as silent logins or long-lived refresh tokens.
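As an added example (not code from TRUMPF or this documentation), the snippet below shows how a client can hold a token together with the time it was issued, send it in the Authorization header as described earlier, renew it some minutes before the documented 1-hour lifetime runs out, and, for debugging only, peek at the 'exp' claim of a JWT-shaped token the way jwt.io would. The refresh margin, the acquire() callback and the demo token are assumptions; the code does not depend on the JWT format for correctness, in line with the note above.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_LIFETIME_S = 3600  # documented access-token lifetime: 1 hour
REFRESH_MARGIN_S = 300     # assumed: renew 5 minutes early to avoid failing calls


@dataclass
class AccessToken:
    value: str
    issued_at: float                      # epoch seconds when the token was received
    expires_in: int = DEFAULT_LIFETIME_S  # from the token response, if present

    @property
    def expires_at(self) -> float:
        return self.issued_at + self.expires_in

    def needs_refresh(self, now: Optional[float] = None,
                      margin: int = REFRESH_MARGIN_S) -> bool:
        """True once the token is within 'margin' seconds of expiring."""
        now = time.time() if now is None else now
        return now >= self.expires_at - margin

    def authorization_header(self) -> dict:
        """The header every Technology Adapter request must carry."""
        return {"Authorization": f"Bearer {self.value}"}


def ensure_fresh(token: AccessToken, acquire: Callable[[], AccessToken],
                 now: Optional[float] = None) -> AccessToken:
    """Return a usable token, calling acquire() (silent login, refresh token,
    or whatever the OIDC client library provides) when the current one is
    about to expire."""
    return acquire() if token.needs_refresh(now) else token


def peek_jwt_exp(token: str) -> Optional[int]:
    """Best-effort read of the 'exp' claim for debugging only. No signature is
    verified, and the JWT format is not guaranteed, so callers must fall back
    to issued_at + expires_in when this returns None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, int) else None


def make_demo_jwt(exp: int) -> str:
    """Constructed, unsigned JWT-shaped token for the demo (not a real token)."""
    def b64(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64({"sub": "demo", "exp": exp}) + ".sig"


if __name__ == "__main__":
    issued = time.time()
    tok = AccessToken(make_demo_jwt(int(issued) + DEFAULT_LIFETIME_S), issued)
    print(tok.authorization_header())
    print("expires (jwt peek):", peek_jwt_exp(tok.value), "tracked:", tok.expires_at)
    # Simulate the clock moving to 56 minutes after issuance:
    later = issued + 56 * 60
    tok = ensure_fresh(tok, lambda: AccessToken("new-token", later), now=later)
    print("token after refresh check:", tok.value)
```

The expiry the client relies on is the one it computed from the time of issuance; the JWT peek only helps when a request is rejected and you want to confirm whether the token had already expired.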