
Authentication Guide

The LAAVAT PKI and Signing Platform uses JSON Web Tokens (JWT) for user and service authentication. This document outlines the methods to obtain JWT tokens programmatically and how to use them in API requests.

The JWT must be sent in the Authorization header as a Bearer token on every API call. A bearer token is a credential in itself: anyone who obtains it can call the API as you until it expires, so keep it out of shell history, CI logs and source control. Example:

curl -H "Content-Type: application/json" -H "Authorization: Bearer <JWT_TOKEN>" https://app.laavat.io/<CustomerName>/api/v1/products

Entra ID Authentication

Prerequisites

  • Install the Azure CLI (az) to use the az commands.
  • Obtain the Resource API identifier from your Company IT support. It follows the format: api://66794fdd-9e05-456e-86cd-a2f990796c48.

Normal User Authentication

For interactive authentication, users log in via the Azure CLI.

  1. Log in to Azure: Run the following command and provide credentials when prompted:
    az login --allow-no-subscriptions
    
  2. Fetch JWT Token: Use the following command to obtain a JWT token:
    az account get-access-token --resource <Resource_API>
    
    • Replace <Resource_API> with the Resource API identifier provided by your IT support.
    • Extract the accessToken field from the JSON response for use in API requests.

Service Account Authentication

For non-interactive scenarios (e.g., CI/CD pipelines), use a Service Principal created in Entra ID.

  1. Obtain Credentials:

    • Tenant ID: Provided by Company IT support (format: 22794fdd-9e05-456e-86cd-a2f990796c48).
    • Client ID: Generated when the Service Principal is created.
    • Client Secret: Generated when the Service Principal is created.
    • Resource API: Provided by Company IT support
  2. Fetch JWT Token: Use the following curl command to obtain a JWT token:

    curl -X POST "https://login.microsoftonline.com/<Tenant_ID>/oauth2/v2.0/token" \
         -d "grant_type=client_credentials" \
         -d "client_id=<Client_ID>" \
         -d "client_secret=<Client_Secret>" \
         -d "scope=<Resource_API>/.default"
    

    • Replace <Tenant_ID>, <Client_ID>, <Client_Secret>, and <Resource_API> with the appropriate values. Note that the scope is the Resource API identifier followed by /.default (for example api://66794fdd-9e05-456e-86cd-a2f990796c48/.default); the bare identifier is not accepted by the v2.0 endpoint.
    • A secret typed on the command line ends up in shell history and is visible to other processes on the host while curl runs; in a pipeline, supply it from a masked pipeline variable or a file with restricted permissions rather than as a literal.
    • Extract the access_token field from the JSON response for use in API requests. The response also carries expires_in (seconds); reuse the token until shortly before that point instead of requesting a new one per API call.
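The client-credentials exchange above, done from a CI job in Python instead of curl, as an added example (this is not LAAVAT's or Microsoft's code). It assumes the secret and identifiers arrive in environment variables named LAAVAT_TENANT_ID, LAAVAT_CLIENT_ID, LAAVAT_CLIENT_SECRET, LAAVAT_RESOURCE_API and LAAVAT_CUSTOMER (names chosen for this example, not defined by the platform), and that the token endpoint answers with JSON containing access_token and expires_in. The TokenCache keeps one token for the life of the job and refreshes it a minute before expiry, so a pipeline that makes many API calls hits the token endpoint once rather than once per call.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Entra ID v2.0 token endpoint, as used by the curl command in the guide.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant_id, client_id, client_secret, resource_api):
    """Return (url, form body) for the client_credentials grant.

    For an app-registration resource the v2.0 scope is '<Resource_API>/.default',
    e.g. 'api://66794fdd-9e05-456e-86cd-a2f990796c48/.default'. Passing the
    bare identifier without '/.default' is a common cause of an invalid_scope
    error, so the suffix is appended here rather than left to the caller.
    """
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": resource_api.rstrip("/") + "/.default",
    }).encode()
    return url, body


def fetch_token(tenant_id, client_id, client_secret, resource_api):
    """POST the grant to Entra ID and return the parsed JSON response (network call)."""
    url, body = build_token_request(tenant_id, client_id, client_secret, resource_api)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class TokenCache:
    """Hold one access token and refresh it `skew` seconds before it expires.

    `fetch` is any callable returning the token-endpoint JSON; `clock` is
    injectable so the refresh logic can be exercised without real time passing.
    """

    def __init__(self, fetch, skew=60, clock=time.time):
        self._fetch = fetch
        self._skew = skew
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            data = self._fetch()
            self._token = data["access_token"]
            # expires_in is relative to the moment the token was issued.
            self._expires_at = now + float(data["expires_in"])
        return self._token


def auth_headers(token):
    """Headers for a LAAVAT API call, matching the curl example in the guide."""
    return {"Content-Type": "application/json", "Authorization": "Bearer " + token}


if __name__ == "__main__":
    # Assumed variable names for this example; the secret never appears in argv.
    env = {k: os.environ["LAAVAT_" + k]
           for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "RESOURCE_API", "CUSTOMER")}
    cache = TokenCache(lambda: fetch_token(
        env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"], env["RESOURCE_API"]))
    url = "https://app.laavat.io/%s/api/v1/products" % env["CUSTOMER"]
    req = urllib.request.Request(url, headers=auth_headers(cache.get()))
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(resp.status, resp.read(200))
```

The token itself is deliberately never printed or logged; if the job needs to hand it to another step, pass it through a masked variable.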

Google Authentication

Prerequisites for Google

  • Install the Google Cloud SDK to use the gcloud command.
  • Obtain the Audience identifier from your Company IT support. It follows the format: 1111154-5435jdfs.apps.googleusercontent.com.

Normal Google User Authentication

Using the gcloud CLI

  1. Log in via Browser:

    gcloud auth login
    

    • Log in with your credentials in the browser.
  2. Fetch JWT Token: Use the following command to obtain a JWT token:

    gcloud auth print-identity-token
    

    • Use the returned token in API requests.

Using the browser and the LAAVAT platform

  1. Log in via the browser through the LAAVAT PKI and Signing Platform: Navigate to the following URL and authenticate:

    https://app.laavat.io/<CustomerName>/api/v1/login
    

    • Replace <CustomerName> with your organization’s identifier.
  2. Retrieve JWT Token: After authentication, copy the id_token value from the response for use in API requests.

Google Service Account Authentication

  1. Store Credentials: Save the service account credentials to a JSON file (e.g., /tmp/googleuser.json). The key file is a long-lived credential for the service account, so restrict it to the current user (mode 0600) and remove it once the next step has run; gcloud keeps its own copy in its configuration directory.

  2. Activate Service Account: Run the following command to activate the service account:

    gcloud auth activate-service-account --key-file=/tmp/googleuser.json
    

  3. Fetch JWT Token: Use the following command to obtain a JWT token:

    gcloud auth print-identity-token --audiences="<Audience>"
    

    • Replace <Audience> with the Audience identifier provided by your IT support.
    • Use the returned token in API requests.
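Whichever path produced the token (az account get-access-token for Entra ID, gcloud auth print-identity-token for Google, or the id_token copied from the browser login), the two mistakes that cause a rejected API call are a token minted for the wrong audience and a token that has already expired. The following is an added example (not LAAVAT's code) that reads the token's claims before it is used and fetches a fresh token through the same CLI commands the guide documents. Decoding the payload here is not signature verification, which the platform performs server-side; it is a client-side sanity check on the aud and exp claims. The helper make_unsigned_jwt only builds constructed test input (an unsigned token the API would reject) so the checks can be exercised offline; the expected audience value is whatever identifier IT support provided for your tenant.

```python
import base64
import json
import subprocess
import time


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token):
    """Return the payload claims of a compact-serialised JWT. Unverified: the
    signature is not checked here, only parsed around."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token, expected_aud, now=None):
    """Return a list of problems; an empty list means the token looks usable.

    'aud' may be a string or a list (RFC 7519); 'exp' is seconds since the epoch.
    """
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append("audience %r does not include %r" % (aud, expected_aud))
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif now >= exp:
        problems.append("token expired %d s ago" % (now - exp))
    return problems


def token_from_cli(provider, identifier=None):
    """Fetch a fresh token via the CLI commands in the guide (runs a subprocess).

    'entra':  az account get-access-token --resource <Resource_API>, with --query/-o
              used to print only the accessToken field.
    'google': gcloud auth print-identity-token, with --audiences=<Audience> added
              for the service-account flow; pass identifier=None for a user login.
    """
    if provider == "entra":
        cmd = ["az", "account", "get-access-token", "--resource", identifier,
               "--query", "accessToken", "-o", "tsv"]
    elif provider == "google":
        cmd = ["gcloud", "auth", "print-identity-token"]
        if identifier:
            cmd.append("--audiences=" + identifier)
    else:
        raise ValueError("unknown provider: %r" % provider)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


def auth_header(token):
    return {"Authorization": "Bearer " + token}


def make_unsigned_jwt(claims):
    """Constructed test input only: an alg=none token with an empty signature,
    which the LAAVAT API would reject. Used to exercise the checks offline."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Offline demonstration with constructed tokens; the identifiers are the
    # format examples from the guide, not real values.
    resource = "api://66794fdd-9e05-456e-86cd-a2f990796c48"
    good = make_unsigned_jwt({"aud": resource, "exp": int(time.time()) + 3600})
    stale = make_unsigned_jwt({"aud": resource, "exp": int(time.time()) - 60})
    wrong = make_unsigned_jwt({"aud": "1111154-5435jdfs.apps.googleusercontent.com",
                               "exp": int(time.time()) + 3600})
    for name, tok in (("good", good), ("stale", stale), ("wrong-aud", wrong)):
        print(name, check_token(tok, resource) or "ok")
```

In a pipeline, call check_token on the value returned by token_from_cli and fail the job with the problem list instead of sending the request; a 401 from the API tells you far less than "audience ... does not include ...".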