API Authentication with OAuth2.0
09 May 2025

API Authentication using OAuth

CMiC supports OAuth client credentials authentication with third-party identity providers such as Microsoft Azure. The client credentials flow enables secure server-to-server authentication and, together with CMiC API Security, fully encrypted data exchange. Once enabled, the third-party identity provider issues a JWT access token, along with a Client ID and Secret, which are used to authenticate with CMiC. CMiC extends this protection through API Security, which allows Role Based Access Control (RBAC) for the CMiC API Service Account.

API Authentication Layers Broken Down

The API authentication and authorization flow in CMiC comprises three layers:

  1. Authentication Layer
  2. API Security Layer
  3. Application Security Layer

To learn more about setting up OAuth and API Security, see CMiC API and OAuth2.

1. Authentication Layer

OAuth on the Identity Provider (IdP), such as Azure Active Directory or Google, is where the API user’s identity is verified before access is granted to any API.

2. API Security Layer

CMiC API Security adds administrator-controlled, role-based access control (RBAC) on top of the IdP. At this level, administrators further restrict user access to specific CMiC endpoints by configuring roles and assigning users to them. This layer is especially important when multiple integrations access the API.

For example, one integration may be allowed to create employee records in CMiC, whereas another is restricted to only querying employees from CMiC. In this case, two separate roles may be defined: one restricted to the GET (Query) method on the pyemployee endpoint, while the other also allows the POST (Create) method.
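
As an added example (not CMiC's own code), the following Python sketch models the first two layers described above: the Authentication Layer verifies the IdP-issued JWT, and the API Security Layer applies a role policy in which one role is restricted to GET on pyemployee while another also allows POST. The HS256 demo secret, the role names and the use of a `roles` claim are assumptions; production tokens from a provider such as Azure are RS256-signed and are verified against the provider's published keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed policy modelling the API Security Layer: each role lists the HTTP
# methods it permits per CMiC endpoint. Role names are assumptions for this example.
ROLE_POLICY = {
    "employee-reader": {"pyemployee": {"GET"}},
    "employee-writer": {"pyemployee": {"GET", "POST"}},
}
SECRET = b"constructed-demo-secret"  # HS256 secret for the demo token only (assumption)

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_demo_token(claims: dict) -> str:
    """Stand-in for the IdP: issue an HS256-signed JWT carrying the given claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def authenticate(token: str, audience: str, now: Optional[float] = None) -> dict:
    """Authentication Layer: verify the signature and core claims, return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        raise PermissionError("wrong audience or token expired")
    return claims

def authorize(claims: dict, endpoint: str, method: str) -> bool:
    """API Security Layer: allow the call only if a role in the token permits it."""
    return any(method in ROLE_POLICY.get(role, {}).get(endpoint, set())
               for role in claims.get("roles", []))
```

A request is admitted only when both functions succeed: a valid token whose roles do not cover the requested method on the endpoint is rejected at the second layer, so a reader-role integration cannot create employees even with a genuine token.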

3. Application Security Layer

CMiC natively applies a business logic layer that secures access to the applications and programs built into the API layer. This is considered basic authentication, using a user ID, or a client ID and user, in combination with a password.

For example, in the User Maintenance screen, administrators can control which users have access to jobs by assigning job security groups to users and assigning jobs to each of these groups.

CMiC API OAuth Flow-Chart

This flow chart walks through the back-end verification processes used by CMiC OAuth and API Security to grant access to CMiC APIs.
