Authorization
At BOUYGUES TELECOM ENTREPRISES, API security relies on the OAuth2 protocol with “App_credentials with certificate”: the classic Client Credentials grant, with the addition of a public/private key pair for enhanced security.
APP CREDENTIALS WITH CERTIFICATE
(OAUTH2 Client Credentials grant + signed JWT)
Step-by-step instructions
For this authentication FLOW, when registering your APPLICATION you will be asked to provide us with a PUBLIC KEY, which is used to authenticate the ACCESS TOKEN retrieval call made by that APPLICATION.
1. Get ACCESS TOKEN
With this flow, your application will need to retrieve an ACCESS TOKEN in JWT format from the Bouygues Telecom authorization server (/token endpoint).
The necessary parameters must be sent in the body of the request (Content-Type = application/x-www-form-urlencoded).
EXAMPLE (curl) “Requesting an ACCESS TOKEN”:
curl --request POST 'https://mon-compte.bouyguestelecom-entreprises.fr/realms/entreprise/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=<JWT Assertion: see below>'
Example of a valid JWT assertion payload:
{ "iss": "app-cc-jwt", "sub": "app-cc-jwt", "aud": "https://mon-compte.bouyguestelecom-entreprises.fr/realms/entreprise", "iat": 1642690624, "exp": 1642695012, "jti": "123456789" }
Output example:
{ "access_token": "eyJhbGciOiJSUzI1N ... jXVt7AVOWGpkGcm5fIF7Ph8vDeLBuLLYZxdap_PKX12QBoo6tzHYeB3SYxVlx9hSNnEuq0A", "expires_in": 300, "refresh_expires_in": 0, "token_type": "Bearer", "not-before-policy": 0, "scope": "ENT_ContractServicesManage ENT_ContractServicesConsult" }
Here is the detailed body content:
Key | Value | Mandatory | Comment |
---|---|---|---|
grant_type | client_credentials | yes | |
client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer | yes | |
client_assertion | see below | yes | JWT format, signed with your private key |
Details about the assertion JWT header:
Claim | Value | Comment |
---|---|---|
kid | apim-provisioner | Fixed value |
alg | RS256 | Signature algorithm: Fixed value |
use | sig | Fixed value |
typ | JWT | Fixed value |
Details about the assertion JWT payload:
Claim | Value |
---|---|
iss | your consumer key |
sub | your consumer key (again) |
aud | Bouygues Telecom Authorisation server URL (/token endpoint) see details below |
iat | Creation date of this assertion (RFC3339 based timestamp) |
exp | Expiration date of this assertion (RFC3339 based timestamp) |
jti | Unique ID of this assertion |
NOTE: Our authorisation server will first validate your assertion signature using the PUBLIC KEY that you provided during your application registration.
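The following is an added example, not Bouygues Telecom's own code: one way to build the signed `client_assertion` and the token request body in Node.js with only the built-in `crypto` module, using the header and payload claims from the tables above. The function names, the `ttlSeconds` default and the throwaway key pair in the demo are assumptions of this example; `iat` and `exp` are written as integer seconds, as in the sample payload.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Fixed header values from the "assertion JWT header" table.
const HEADER = { kid: 'apim-provisioner', alg: 'RS256', use: 'sig', typ: 'JWT' };

// privateKey: PEM string or KeyObject. ttlSeconds is an assumption of this example:
// a short lifetime narrows the window in which a captured assertion could be replayed.
function buildClientAssertion(consumerKey, audience, privateKey, ttlSeconds = 60) {
  const iat = Math.floor(Date.now() / 1000); // integer seconds, as in the sample payload
  const payload = {
    iss: consumerKey,
    sub: consumerKey,
    aud: audience,
    iat,
    exp: iat + ttlSeconds,
    jti: crypto.randomUUID(), // fresh unique ID for every assertion
  };
  const signingInput = `${b64url(JSON.stringify(HEADER))}.${b64url(JSON.stringify(payload))}`;
  // RS256: RSASSA-PKCS1-v1_5 over SHA-256, signed with the application's private key.
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Form-encoded body with the three mandatory keys of the token request.
function buildTokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
  }).toString();
}

// Local self-check mirroring the NOTE: verify the signature with the public key
// given at registration. Returns the claims, or null if the signature is invalid.
function verifyAssertion(assertion, publicKey) {
  const [h, p, s] = assertion.split('.');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString()) : null;
}

// Demo with a throwaway key pair constructed for this example only.
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoAssertion = buildClientAssertion('app-cc-jwt',
  'https://mon-compte.bouyguestelecom-entreprises.fr/realms/entreprise', demoKeys.privateKey);
console.log(verifyAssertion(demoAssertion, demoKeys.publicKey));
```

Running `verifyAssertion` against the public key you registered, before sending the request, catches a mismatched key pair locally instead of as a rejected token call.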
2. API CALL
Using the ACCESS TOKEN as a “BEARER” parameter, your application can then access the APIs designated during your application registration.
(curl) example:
NOTE: Be mindful of the single space between “bearer” and the token value.
curl "https://open.api.bouyguestelecom-entreprises.fr/v1/customer-management/bflex-users" \
-H "Authorization: Bearer at-ff0d74ff-4f72-42a5-a3ee-1a070c9929b8…"