Generate a Knox cloud services signed access token

Last updated April 30th, 2024

This is the old authentication workflow. To implement the new authentication workflow, see the new authentication workflow for generating the access token page.

Retrieving and signing a Knox cloud services access token forms the second stage of third party integration with Knox cloud services. Ensure you have a valid Samsung Account access token before proceeding. For more information on retrieving a Samsung Account access token, see Authorize a user with Samsung Account.

1. Sign your Client Identifier with your Samsung Account access token

Sign your Knox Client Identifier with the Knox token utility using your Samsung Account access token. For more information on downloading and using the Knox token utility, see Knox API token library.

You can get your public key using KnoxTokenUtility.generateBase64EncodedStringPublicKey() as shown:

    // Downloaded from the Knox Portal
    String clientIdentifier = <Your Client Identifier>;
    String downloadedKeys = <insert path to keys.json>;

    // Retrieved using the Samsung Account token API
    String saAccessToken = < Your Samsung Account access token >;

    String publicKey = KnoxTokenUtility.generateBase64EncodedStringPublicKey(
                                    new FileInputStream(new File(downloadedKeys)));
    String signedClientIDJWT = KnoxTokenUtility.generateSignedclientIdentifierJwtWithIdpAccessToken(
                                    new FileInputStream(new File(downloadedKeys)),
                                    clientIdentifier,
                                    saAccessToken);

2. Get and sign a Knox cloud services session token

You must first establish a Knox cloud services session on behalf of the logged-in customer by requesting a token from the sessiontoken endpoint. You’ll use this session token to request a Knox cloud services access token.

A session’s validity can either be tied to the identity provider’s session (default) or be explicitly set by including a value for validityForSessionTokenInHours in the request body.

Example sessiontoken request body:

    { 
        "clientIdentifierJwt": < signedClientIDJWT >, 
        "base64EncodedStringPublicKey": < publicKey >, 
        "validityForSessionTokenInHours": 24 
    }

Now sign your session token with the Knox token utility:

    String signedsessionTokenJwt = KnoxTokenUtility.generateSignedsessionTokenJwt(
                                    new FileInputStream(new File(downloadedKeys)),
                                    < Your unsigned Knox cloud services session token >);

4. Get a Knox cloud services access token

Generate your access token by passing your signed session token and public key to the accesstoken endpoint. Optionally set the token’s validity by including a value for validityForAccessTokenInMinutes in the request body.

Example accesstoken request body:

    { 
        "sessionTokenJwt": < signedsessionTokenJwt >, 
        "base64EncodedStringPublicKey": < publicKey >, 
        "validityForAccessTokenInMinutes": 30 
    }

When your Knox cloud services access token expires, you can use the sessiontoken endpoint to repeatedly request a new access token until the session token is invalidated or expires. You must sign the session token before each of these requests to avoid replay attacks.

Example response:

    { 
        "accessToken": "<Your unsigned Knox cloud services access token >"
    }
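The note above about signing the session token before each request can be illustrated with a generic sketch. This is an added example, not Samsung's code and not the Knox token utility's actual token format: it wraps a token in a short-lived signed JWT with a unique ID so a verifier can refuse a captured copy. The claim names (`token`, `jti`, `exp`), the RS512 choice, and the `sign`/`accept` helpers are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;

// Illustration only: hypothetical wrapper layout, not the Knox wire format.
public class ResignDemo {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    static final Set<String> seenJti = new HashSet<>(); // verifier-side replay cache

    // Client side: wrap the unsigned token in a fresh JWT with a unique jti and short expiry.
    static String sign(PrivateKey key, String token, long ttlSeconds) throws GeneralSecurityException {
        String header = "{\"alg\":\"RS512\",\"typ\":\"JWT\"}";
        String payload = String.format("{\"token\":\"%s\",\"jti\":\"%s\",\"exp\":%d}",
                token, UUID.randomUUID(), Instant.now().getEpochSecond() + ttlSeconds);
        String input = B64.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                + B64.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA512withRSA");
        s.initSign(key);
        s.update(input.getBytes(StandardCharsets.US_ASCII));
        return input + "." + B64.encodeToString(s.sign());
    }

    // Verifier side: check the signature with the registered public key, then expiry, then jti reuse.
    static boolean accept(PublicKey key, String jwt) throws GeneralSecurityException {
        String[] p = jwt.split("\\.");
        if (p.length != 3) return false;
        Signature s = Signature.getInstance("SHA512withRSA");
        s.initVerify(key);
        s.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        if (!s.verify(Base64.getUrlDecoder().decode(p[2]))) return false;
        String payload = new String(Base64.getUrlDecoder().decode(p[1]), StandardCharsets.UTF_8);
        long exp = Long.parseLong(payload.replaceAll(".*\"exp\":(\\d+).*", "$1"));
        String jti = payload.replaceAll(".*\"jti\":\"([^\"]+)\".*", "$1");
        return Instant.now().getEpochSecond() < exp && seenJti.add(jti);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        String sessionToken = "constructed-session-token"; // constructed sample value
        String first = sign(kp.getPrivate(), sessionToken, 60);
        System.out.println("fresh wrapper:     " + accept(kp.getPublic(), first));
        System.out.println("same wrapper again: " + accept(kp.getPublic(), first));
        System.out.println("re-signed wrapper: " + accept(kp.getPublic(), sign(kp.getPrivate(), sessionToken, 60)));
    }
}
```

In this sketch the identical wrapper is refused on its second presentation by the `jti` check, while a newly signed wrapper around the same session token passes, which is why a captured request cannot simply be resent.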

5. Sign your Knox cloud services access token

Sign your access token with your private key using the Knox token utility. The access token will be valid for 30 minutes once signed.

    String signedAccessToken = KnoxTokenUtility.generateSignedAccessTokenJWT(
                                   new FileInputStream(new File(downloadedKeys)), 
                                   < Your unsigned Knox cloud services access token >);

6. Start making Knox cloud services API calls

This completes the third party integration tutorial. You can now start making calls to Knox cloud services APIs to access end customer data with your signed Knox cloud services access token.

Include your signed Knox cloud services access token as a header parameter when requesting resources on behalf of your customer. Check out step 5 of the KME tutorial to see an example of using the KME API to assign device profiles.

You can also browse the detailed KME API reference, which includes example calls.

If this step fails, ensure that your end customers have established a full trust relationship with your portal.
