How can I use the OAuth 2.0 Client Credentials grant type to access the OSDU API?

The Client Credentials grant type is typically used for machine-to-machine access and doesn’t represent a specific user. There can be multiple service identities; one is created by default with your OSDU instance. The default service identity has admin permissions and is authorized to access all OSDU Data Platform service endpoints and actions. This article describes how to obtain OSDU credentials using this default service identity.

The APIs are accessed in the standard way, except that the access token is first retrieved using a Client ID and Client Secret instead of username and password credentials. The token is retrieved from the Cognito instance’s Token endpoint.
Follow the steps below to retrieve the Cognito endpoint URL, and the credentials.
Token endpoint URL
  • Navigate to the AWS Systems Manager console.
  • Click on Parameter Store.
  • Search for the parameter containing oauth-token-uri.
  • Replace the placeholder text in the snippet below with the parameter value and execute in a terminal.
export TOKEN_URI=enter_value_here
Client ID
  • On the Parameter Store page, search for the parameter containing client-credentials-client-id.
  • Enter the value in the snippet below and execute the command.
export APP_CLIENT_ID=enter_value_here
Client Secret
  • Navigate to the AWS Secrets Manager.
  • Search for the entry containing the text client_credentials_secret. Click the entry link to view the detail page.
  • In the section ‘Secret value’, click the button called ‘Retrieve secret value’. Copy the value into the snippet below and execute the following two commands. The second command formats the credentials in Basic Access Authentication format, which is Base64Encode(client_id:client_secret).
export APP_CLIENT_SECRET=enter_value_here
export BASE64_CREDENTIALS=$(echo -n "$APP_CLIENT_ID:$APP_CLIENT_SECRET"|openssl base64 -A)


Get Access Token

  • Execute the following command to retrieve an access token.
curl --request POST "$TOKEN_URI" \
 -H "authorization: Basic $BASE64_CREDENTIALS" \
 -H 'content-type: application/x-www-form-urlencoded' \
 -d 'grant_type=client_credentials'
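
The same flow as reusable shell functions, given here as an added example that is not part of the original article. Because the default service identity has admin permissions, it keeps the secret out of shell history and out of the process list, and fails when no token comes back. The function names are hypothetical, and the response is assumed to be a standard OAuth 2.0 JSON token response with an access_token field.

```shell
#!/usr/bin/env bash
# Added example: function names are hypothetical, not part of OSDU or AWS tooling.

# Build Base64(client_id:client_secret) for the Basic authorization header.
# printf is used instead of `echo -n`, which is not portable across shells.
basic_credentials() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Read a token response (JSON) on stdin and print the access_token value.
# Returns non-zero when the field is absent, e.g. for an error body.
# Assumes the value contains no escaped quotes; use jq where it is installed.
extract_access_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | grep .
}

# Request a token from the endpoint in $1 using the encoded credentials in $2.
# The authorization header is fed to curl as a config file on stdin, so the
# credentials never appear in curl's argument list (visible to `ps`).
# --fail makes curl exit non-zero on an HTTP error status.
request_token() {
  printf 'header = "authorization: Basic %s"\n' "$2" |
    curl --silent --show-error --fail --config - \
      -H 'content-type: application/x-www-form-urlencoded' \
      -d 'grant_type=client_credentials' "$1"
}

# Interactive use, with TOKEN_URI and APP_CLIENT_ID exported as in the steps above:
#   read -rs -p 'Client secret: ' APP_CLIENT_SECRET   # not echoed, not in history
#   CREDS=$(basic_credentials "$APP_CLIENT_ID" "$APP_CLIENT_SECRET")
#   ACCESS_TOKEN=$(request_token "$TOKEN_URI" "$CREDS" | extract_access_token) \
#     || echo 'no access token returned' >&2
#   unset APP_CLIENT_SECRET CREDS
```
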