CMiC API and OAuth 2.0 Integration
NOTE: CMiC is introducing a global API request record limit beginning with Patch 22. For more info, see Integrations - Global 1,000 Limit.
CMiC supports OAuth client credential authentication with third-party identity providers, such as Microsoft Azure. The client credentials flow enables secure, server-to-server authentication and, combined with CMiC API Security, a fully encrypted data exchange. Once enabled, the third-party identity provider issues a JWT access token, obtained with the Client ID and Secret, which is used to authenticate with CMiC. CMiC extends this protection through API Security, which applies Role Based Access Control (RBAC) to the CMiC API Service Account.
API Authentication Layers Broken Down
The API authentication and authorization flow in CMiC comprises three layers:
1. Authentication Layer
OAuth on the Identity Provider (IdP), such as Azure Active Directory or Google, is where the API user’s identity is verified before access to any API is granted.
2. API Security Layer
CMiC API Security adds administrator-controlled security on top of the IdP using role-based access control (RBAC). At this level, administrators further restrict user access to specific CMiC endpoints by configuring roles and assigning users to them. This layer is especially important when multiple integrations access the API.
For example, one integration may be allowed to create employee records in CMiC, whereas another is restricted to querying employees from CMiC. In this case, two separate roles may be defined: one restricting access to the GET (Query) method on the pyemployee endpoint, and another allowing the POST (Create) method.
3. Application Security Layer
CMiC natively applies a business logic layer that secures access to the applications and programs built into the API layer. This is considered basic authentication, using a user ID, or a client ID and user ID, in combination with a password.
For example, under the User Maintenance screen, administrators can control which users have access to jobs by assigning users to job security groups and assigning jobs to each of those groups.
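As an added illustration, not CMiC's own code or API, the following Python sketch shows the first two layers: the client credentials request to the Azure AD v2.0 token endpoint, and a simplified model of the role check on the pyemployee endpoint. The tenant ID, client credentials, scope and CMiC base URL are placeholders, and the role names and role table are constructed to mirror the query-only versus create example above; the application security layer is not modelled.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholders, not values from the CMiC documentation.
TENANT_ID = "<azure-tenant-id>"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
CMIC_BASE_URL = "https://cmic.example.invalid/api"  # hypothetical CMiC API base

def build_token_request(client_id, client_secret, scope):
    """Layer 1 request: Azure AD v2.0 client credentials grant (form-encoded POST)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,  # e.g. "api://<app-id>/.default" (placeholder)
    }).encode()
    return TOKEN_URL, body

def fetch_token(client_id, client_secret, scope):
    """Send the request and return the JWT access token (network call)."""
    url, body = build_token_request(client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

# Layer 2 model: each role maps to the (endpoint, method) pairs it permits.
# Constructed to mirror the text's two roles: query-only vs create on pyemployee.
ROLES = {
    "EMP_QUERY": {("pyemployee", "GET")},
    "EMP_CREATE": {("pyemployee", "GET"), ("pyemployee", "POST")},
}

def authorize(claims, account_roles, endpoint, method, audience, now=None):
    """Simplified server-side decision: token claims first, then RBAC.
    Signature verification against the IdP's signing keys is assumed already done."""
    now = time.time() if now is None else now
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return False  # layer 1: not a valid, unexpired token for this API
    allowed = set().union(*(ROLES.get(r, set()) for r in account_roles))
    return (endpoint, method.upper()) in allowed  # layer 2: a role must permit it

def call_cmic(token, endpoint, method="GET", payload=None):
    """Client side: present the IdP-issued token to CMiC as a Bearer credential."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(f"{CMIC_BASE_URL}/{endpoint}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```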
CMiC API OAuth Flow-Chart
This flow chart walks through the back-end verification processes used by CMiC OAuth and API Security to grant access to CMiC APIs.
Prerequisites
The following should be in place before using CMiC API Security with OAuth and a third-party IdP, such as Azure.