Figure 2. The M2M Runtime Flow
The Customer API Application performs the following actions automatically at runtime, with no user or admin involved, as shown in Figure 2:
- The API application running on the customer's server authenticates to the customer IdP with its client ID and client secret, using the OAuth2 client credentials grant flow.
- On successful authentication, the customer IdP responds with an access token.
- The API application sends its API application identity together with the customer IdP access token to Cirrus in order to invoke PowerX services/operations.
- Cirrus forwards the API application identity and the customer IdP access token to the Common IAM Pacific Service, requesting that the external customer IdP access token be exchanged for a PowerX access token.
- The Common IAM Pacific Service first decodes the external customer IdP token (without trusting its contents yet), validates the registration, and then validates the external token itself: it resolves the customer IdP's metadata URL, downloads the certificate published there, and verifies the token signature against it.
- On successful validation of the external token, the Common IAM Pacific Service responds to Cirrus with a new PowerX access token that carries the authZ claims.
- Finally, Cirrus uses this new token to access PowerX resources and services.
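The exchange performed by the Common IAM Pacific Service in the steps above (decode, validate the registration, resolve metadata, download the key, verify the signature, mint the PowerX token with authZ claims), as an added example that is not part of this design and is not the service's own code. It is stdlib-only, so an HS256 "oct" key in the JWKS stands in for the RSA certificate a real IdP would publish; a production service would verify RS256 with a JOSE library. The registration table, the metadata and JWKS documents, the issuer and metadata URLs, the expected audience, the authZ claims and the 300-second PowerX token lifetime are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time


class ExchangeError(Exception):
    """Raised when the external token cannot be exchanged; the caller gets no PowerX token."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, kid: str) -> str:
    """Mint a compact JWS. HS256 stands in for the RS256 a real IdP would use (assumption)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


# Constructed registration table: one entry per onboarded customer IdP / API application.
# Everything the exchange trusts (metadata URL, app identity, authZ claims) lives here, not in the token.
REGISTRATIONS = {
    "https://idp.customer.example": {
        "metadata_url": "https://idp.customer.example/.well-known/openid-configuration",
        "api_app_id": "customer-api-app-42",
        "expected_aud": "powerx",
        "authz_claims": {"tenant": "customer-42", "roles": ["powerx:reader"]},
    }
}

# Constructed stand-ins for what an HTTPS GET of the metadata URL and the JWKS URL would return.
IDP_KEY = b"constructed-customer-idp-signing-key"
POWERX_KEY = b"constructed-powerx-signing-key"
FAKE_HTTP = {
    "https://idp.customer.example/.well-known/openid-configuration": {
        "issuer": "https://idp.customer.example",
        "jwks_uri": "https://idp.customer.example/jwks",
    },
    "https://idp.customer.example/jwks": {
        "keys": [{"kty": "oct", "kid": "idp-key-1", "alg": "HS256", "k": b64url_encode(IDP_KEY)}]
    },
}


def fetch_json(url: str) -> dict:
    """Offline replacement for an HTTPS GET; a real service would fetch and cache these documents."""
    if url not in FAKE_HTTP:
        raise ExchangeError(f"metadata fetch failed: {url}")
    return FAKE_HTTP[url]


def exchange_token(api_app_id: str, external_token: str, now=None) -> str:
    """Validate the customer IdP token and mint a PowerX token carrying the registered authZ claims."""
    now = int(time.time()) if now is None else now
    parts = external_token.split(".")
    if len(parts) != 3:
        raise ExchangeError("malformed token")
    # 1. Decode header and claims. Nothing here is trusted until the signature is verified.
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    # 2. Validate the registration: issuer and application identity must match an onboarded entry.
    reg = REGISTRATIONS.get(claims.get("iss"))
    if reg is None or reg["api_app_id"] != api_app_id:
        raise ExchangeError("issuer or application identity not registered")
    # 3. Fetch IdP metadata from the registered URL (never from a URL inside the token), then its keys.
    metadata = fetch_json(reg["metadata_url"])
    if metadata.get("issuer") != claims["iss"]:
        raise ExchangeError("metadata issuer mismatch")
    jwks = fetch_json(metadata["jwks_uri"])
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    # Pin the algorithm to the published key's alg so "none" or alg-confusion headers are rejected.
    if key is None or key.get("alg") != "HS256" or header.get("alg") != "HS256":
        raise ExchangeError("no usable signing key for kid/alg")
    # 4. Verify the signature with the downloaded key.
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ExchangeError("signature verification failed")
    # 5. Claim checks (assumed policy): lifetime window and audience.
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ExchangeError("token not yet valid or expired")
    aud = claims.get("aud", [])
    if reg["expected_aud"] not in ([aud] if isinstance(aud, str) else aud):
        raise ExchangeError("audience mismatch")
    # 6. Mint the PowerX token: short-lived, authZ claims taken from the registration, not the input.
    powerx_claims = {"iss": "https://iam.powerx.example", "sub": api_app_id, "aud": "powerx",
                     "iat": now, "exp": now + 300, **reg["authz_claims"]}
    return sign_jwt(powerx_claims, POWERX_KEY, "powerx-key-1")


def unverified_claims(token: str) -> dict:
    """Read claims without verification; used only to inspect the minted token."""
    return json.loads(b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    now = int(time.time())
    ext = sign_jwt({"iss": "https://idp.customer.example", "sub": "customer-api-app-42",
                    "aud": "powerx", "iat": now, "exp": now + 600}, IDP_KEY, "idp-key-1")
    print(unverified_claims(exchange_token("customer-api-app-42", ext, now)))
```

The ordering matters: the registration lookup happens on the decoded but unverified issuer, and that lookup, not the token, supplies the metadata URL and the authZ claims, so a forged token can at most point the service at a registration it cannot satisfy the signature for. Every failure raises before any PowerX token is minted.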