OAuth Server-to-Server credential implementation guide
The following guide goes over finer implementation details for OAuth Server-to-Server credentials. At the end of the guide is a list of recommended industry-standard OAuth2 libraries. Before you proceed, we recommend you become familiar with the server to server authentication credentials in our server to server authentication guide.
Table of contents
- Setting up the OAuth Server-to-Server credential
- Generate access tokens
- Generating access tokens programmatically
- Generating access tokens using standard OAuth2 libraries
- Rotating client secrets
- Rotating client secrets programmatically
Setting up the OAuth Server-to-Server credential
Depending on the API or an Event to your project on the Adobe Developer Console, you can select the OAuth Server-to-Server credential. The OAuth Server-to-Server credential is available for all APIs and Events supporting the Service Account (JWT) credential (deprecated).
Credential Name
An admin in your organization can manage all OAuth Server-to-Server credentials by visiting the Adobe Admin Console > Users > API credentials. To find the correct API credential easily on the Admin Console, you can provide your OAuth Server-to-Server credential a name during credential setup.
This name can be modified later in your project by visiting the OAuth Server-to-Server credential overview page.
Selecting Product Profiles
Depending on the API or Event you add, you may be asked to select product profiles to assign to your credential. These product profiles govern what data your application can/cannot access in your organization.
The product profile selection works the same way as it does for Service Account (JWT) credentials.
Generate access tokens
Generating access tokens for experimentation with the OAuth Server-to-Server credential is straightforward. You can use the 'Generate access token' button on the credential overview page or copy the cURL command and use the command line to generate an access token for quick use.
Generating access tokens programmatically
See this cURL request to understand how your integration or application can generate access tokens programmatically.
Copied to your clipboardcurl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3' \-H 'Content-Type: application/x-www-form-urlencoded' \-d 'client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&grant_type=client_credentials&scope={SCOPES}'
Your integration can generate access tokens when needed. However, it is a good practice to cache access tokens for reuse until they expire. Integrations should avoid generating a new access token when a previously generated access token has not expired and can be reused. Adobe can throttle your integration if it generates too many access tokens.
Access tokens usually expire in 24 hours. To check the expiry time of an access token, see the expires_in field in the API response returned by the above cURL request. Note: The expires_in time is in seconds. See API reference.
Generating access tokens using standard OAuth2 libraries
We recommend using a standard OAuth 2.0 library to implement your application's access token generation logic. The OAuth community site https://oauth.net has a huge list of community-maintained OAuth2 libraries. Some widely known and maintained OAuth2 libraries from that list are -
- PassportJS (Node.js)
- Spring Security (Java)
- Authlib (Python)
- View more libraries at https://oauth.net/code/
Using industry-standard libraries is the quickest and most secure way of integrating with OAuth. We recommend developers diligently pick the OAuth 2.0 library that works best for their application.
Rotating client secrets
The OAuth Server-to-Server credentials provide freedom from automatically expiring certificates used in the Service Account (JWT) credential that must be updated annually. Instead, the OAuth Server-to-Server credential allows you to rotate your client secret as needed.
Rotating your application's client secrets is highly recommended in case of a leak or unauthorized access. Furthermore, rotating client secrets periodically is an industry-standard practice that strengthens your application security posture.
You can rotate secrets for your credential through the Dev Console UI and programmatically through the API.
To rotate client secrets through the UI, follow the steps below on the credential overview screen -
Add a new client secret to your credential .
Update your application to replace your old client secret with the new one you added.
Check the client secret last used timestamp to make sure your application is no longer using the old client secret.
Once sure that you have successfully replaced the client secret, you can delete the old client secret.
Once a client secret is deleted, you cannot restore it. So be extra sure you have replaced the old client secret with the new one in all locations.
Rotating client secrets programmatically
Follow the steps below to rotate client secrets programmatically for the OAuth Server-to-Server credential.
Add I/O Management API to your project: This API allows your credential to read, add, and delete its client secrets.
Go to the OAuth Server-to-Server credential overview page and grab the URL. For example -
Copied to your clipboardhttps://developer.adobe.com/console/projects/23294/4566206088344958295/credentials/436084/details/oauthservertoserverGrab the value of
org idandcredential idfrom the URL by comparing it to the templated URL below.Copied to your clipboardhttps://developer.adobe.com/console/projects/{orgId}/{projectId}/credentials/{credentialId}/details/oauthservertoserverConstruct the secrets request endpoint by substituting the value of
org idandcredential idin the URL below.Copied to your clipboardhttps://api.adobe.io/console/organizations/{orgId}/credentials/{credentialId}/secretsCopied to your clipboardhttps://api.adobe.io/console/organizations/23294/credentials/436084/secretsGenerate an access token using the existing client secret (see the section on generating access tokens). Make sure to include scopes that the I/O Management API requires:
Copied to your clipboardAdobeID, openid, read_organizations, additional_info.projectedProductContext, additional_info.roles, adobeio_api, read_client_secret, manage_client_secretsCall the API to list all existing client secrets. Note: you can grab your
client_idfrom the OAuth Server-to-Server credential overview page.Copied to your clipboardcurl -X GET 'https://api.adobe.io/console/organizations/{orgId}/credentials/{credentialId}/secrets' \-H 'Authorization: Bearer {ACCESS TOKEN GENERATED IN STEP 5}'-H 'x-api-key: {CLIENT ID FROM STEP 6}'Call the API to add another client secret to your credential. The API response contains the
client_secretthat was added and itsuuid. Thisclient_secretwill never be returned in plain text by any other API response. However, you can still find it on the Developer Console UI.Copied to your clipboardcurl -X POST 'https://api.adobe.io/console/organizations/{orgId}/credentials/{credentialId}/secrets' \-H 'Authorization: Bearer {ACCESS TOKEN GENERATED IN STEP 5}'-H 'x-api-key: {CLIENT ID FROM STEP 6}'Update your application to use the new client secret.
Call the API to list all client secrets for your credential. You can confirm that you have successfully updated the client secret in your applications by comparing the last used timestamps for the secrets. Grab the value of the
uuidfield for your older secret that you wish to delete.Call the API to delete the old client secret from your credential by passing the
uuidin the URLCopied to your clipboardcurl -X DELETE 'https://api.adobe.io/console/organizations/{orgId}/credentials/{credentialId}/secrets/{uuid from step 9}' \-H 'Authorization: Bearer {ACCESS TOKEN GENERATED IN STEP 5}'-H 'x-api-key: {CLIENT ID FROM STEP 6}'
