API Authentication Service
Authentication
Your Express for Energy Data Insights uses Amazon Cognito for Authentication and Authorization. The process begins by passing in your credentials and authorization tokens are generated for you to use in all your subsequent requests.
Authenticate using Express for Energy Data Insights Portal
You can use your username and password to log into your EDI Data Platform Portal.
When you are logged in, you can obtain the
access token needed to initiate OSDU® Data Platform API calls from the
Portal. When logged into the Portal, click on arrow in upper right of
screen next to user name and select "Copy Token". This will copy a
string of format bearer <ACCESS_TOKEN> onto your clipboard. You can
use this string directly in the authorization headers of Data Platform
API calls, or you can strip the leading "bearer " to set the
ACCESS_TOKEN environment variable used in the scripts in the next
section and the API usage examples elsewhere within this User Guide.
export ACCESS_TOKEN='<paste-token-here-inside-single-quotes>'
# do not include leading "bearer " authentication type inside single quotes
Authenticate Using Command Line or Programatically
In certain cases, you may need to generate tokens using your credentials in an automated fashion.
To use this method, you will need the application client information
(APP_CLIENT_ID, APP_CLIENT_SECRET) and Amazon Cognito User Pool ID for
your subscription. You can obtain these by creating a support ticket
using Express for Energy Data Insights Support.
The first step is to generate tokens from Amazon Cognito. The Amazon Cognito
endpoint InitiateAuth takes your user credentials and app client
credentials and returns tokens that are used in subsequent steps.
Learn more: Cognito InitiateAuth.
The pre-step to authenticating is to generate a SECRET_HASH value.
The secret hash is generated using your username together with the
application client id and application client secret used in your
Energy Data Insights subscription.
export COGNITO_USER_NAME="your username"
export APP_CLIENT_ID="your subscription's app client id"
export APP_CLIENT_SECRET="your subscription's app client secret"
echo -n ${COGNITO_USER_NAME}${APP_CLIENT_ID} | openssl dgst -sha256 -hmac ${APP_CLIENT_SECRET} -binary | base64
You should create an initiate.json file to use. In this example, it
is in a config sub-directory. Ensure the values match your
information.
{
"AuthParameters" : {
"USERNAME" : "YourUser",
"PASSWORD" : "YourPassword",
"SECRET_HASH":"Computed Base64 Hash Value"
},
"AuthFlow" : "USER_PASSWORD_AUTH",
"ClientId" : "Cognito app client ID",
"UserPoolId": "Cognito user pool ID"
}
Send the authentication request payload to the Amazon Cognito endpoint for the AWS Region where your Express for Energy Data Insights subscription is deployed:
export AWS_REGION=us-east-1
curl -X POST -H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' -H 'Content-Type: application/x-amz-json-1.1' \
-d @config/initiate.json \
https://cognito-idp.${AWS_REGION}.amazonaws.com > initiateAuth-response.json
This will populate the file initiateAuth-response.json with this formation and similar content:
{
"AuthenticationResult": {
"AccessToken": "abcxyz",
"ExpiresIn": 1800,
"IdToken": "defuvw",
"RefreshToken": "ghijkl",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
In the subsequent data platform API calls, the AccessToken will be used
within the authorization header.
You can set an environment variable that can be used to construct the authorization header required for HTTP requests:
export ACCESS_TOKEN=`cat initiateAuth-response.json |jq '.AuthenticationResult.AccessToken' | sed 's/"//g'`
The script auth.sh, shown below, can also be used to set the
envrionment variable in a more automated manner if desired:
#!/bin/bash
curl -X POST --data @config/initiate.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-1.amazonaws.com > initiateAuth-response.json
unset ACCESS_TOKEN
export ACCESS_TOKEN=`cat initiateAuth-response.json |jq '.AuthenticationResult.AccessToken' | sed 's/"//g'`
Refesh Authentication Tokens
Once authenticated, tokens typically last for 60 minutes. Once they
expire, they can be refreshed for typically up to 30 days. To obtain
refreshed tokens, you can call the same initiateAuth endpoint,
providing user authentication information including the
REFRESH_TOKEN that was returned by the initial authentication
process. The same mechanism demonstrated in this refresh.sh script can
be used in your own scripts and services prior to calling data
platform endpoints, to be sure the tokens are up to date and current.
Obtain Refresh Token from Initial Authentication Response
#!/bin/bash
unset REFRESH_TOKEN
export REFRESH_TOKEN=`cat initiateAuth-response.json |jq '.AuthenticationResult.RefreshToken' | sed 's/"//g'`
Create Body for Refresh Request
{
"AuthParameters" : {
"REFRESH_TOKEN" : "Refresh Token generated during original authentication, now in ${REFRESH_TOKEN}",
"SECRET_HASH": "Computed Base64 Hash Value"
},
"AuthFlow" : "REFRESH_TOKEN_AUTH",
"ClientId" : "Your Cognito ClientId",
"UserPoolId": "Your Cognito UserPoolId"
}
Invoke Refresh Request and Obtain New Access Token
#!/bin/bash
curl -s -X POST --data @config/refresh.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-1.amazonaws.com > initiateAuth-refresh.json
unset ACCESS_TOKEN
export ACCESS_TOKEN=`cat initiateAuth-refresh.json |jq '.AuthenticationResult.AccessToken' | sed 's/"//g'`