
I'm just getting started with the Admin API. I started out by using Postman to engage with the Admin API. I've included my POST request and response. Am I supposed to authenticate first as I do with the Consumer API? From the docs, it seems like the Admin API uses a different way of authentication, with public and private keys.

Note: I was able to successfully generate a token using your provided command line example. npx @jkhy/banno-client-creds-helper client-assertion --client-id=[CLIENT-ID] --private-key=private.pem

Would it be possible to provide an example Postman setup or even create a Postman Collection for your APIs? A curl example would work too.

Post Request and Post Response

Any help would be greatly appreciated.

Thank you, Jason

1 Answer


I'm hoping that these things are true, to help set a baseline of understanding of what you have configured:

  • You're following along with the Admin API's Authentication quickstart
  • Your External Application was created in the Users & Groups part of Banno's back office
  • That External Application is configured with the Service account type

I think the above is true, given that you mention using the @jkhy/banno-client-creds-helper tool to successfully get an Access Token from the Admin API. (You do indeed need to authenticate with the Admin API and get an Access Token any time you want to use its API endpoints.)

If the above is true, then you're configured to use the Client Credentials OAuth flow. The Client Credentials flow differs quite a bit from the way that the Authorization Code flow works for the Consumer API in that the Client Credentials flow uses a 'Signed JWT' to obtain an Access Token.

The structure of the JWT is described in https://jackhenry.dev/open-api-docs/admin-api/overview/authentication/clientcredentialsflow/. Notably the sub and iss portions of the JWT are where you pass in the Client ID, so you don't need the client_id part of the request as you showed in the screenshot.

The JWT is signed with the private key from the public key + private key pair. This is the trickiest part of the entire process. If you take a look at the client-assertion.js file from the @jkhy/banno-client-creds-helper, that's where the signing magic happens.

I'm not familiar with how to do that sort of JWT signing in Postman, unfortunately.

Jaime Lopez Jr.
  • @Jaime Can you provide an example for doing this in a cURL command per the original question, in Windows? Ultimately we need to be able to utilize the Admin API in our RPA platform and I'm not sure that we'll be able to use your scripts to facilitate the auth and token requests. – James Jun 13 '22 at 20:38
  • Do you mean for the _signing_ of the JWT part of the process? The best bet is to look at the docs for the token endpoint (https://jackhenry.dev/open-api-docs/admin-api/api-reference/v0/oauth-and-openid-connect/details/#/OpenID%20OAuth/post_a_oidc_provider_api_v0_token) and compare with the source code in https://github.com/Banno/banno-client-creds-helper/blob/master/lib/commands/client-assertion.js. We're not familiar with how Windows handles command line apps such as curl, so there is likely some translation based on that operating system's tools. – Jaime Lopez Jr. Jun 14 '22 at 23:57
  • Sorry for the delay on this - I had to switch to another project. At this point I'm simply referring to the process of making the authentication request. My understanding from the Banno docs is that the first part is making the authentication request to receive an authentication code, and then using that to request a bearer token. Our ultimate goal will be to use this process in our automation platform, and I'm pretty sure we won't be able to use the nodejs scripts to facilitate the requests. – James Jul 13 '22 at 22:50