
Overview

Last updated June 26th, 2024

OAuth 2.0 is a token-based mechanism that lets your apps securely access Knox cloud services APIs without exposing their credentials. To begin using Knox cloud services APIs, you need to generate an access token. The workflow for generating the token depends on whether you’re a UEM partner, a customer, or a Managed Service Provider (MSP).

The two principal flows are:

  • Authorization code flow for UEM partners.

  • Client credentials flow for customers and MSPs.

Authorization code flow for UEM partners

This flow applies to you if you’re a UEM partner looking to integrate Knox cloud services features into your platform and wanting to programmatically access your customers’ Knox cloud services on their behalf. Here’s how it works.

Before you begin

Register your app to generate its client ID and client secret.

Step-by-step authorization code flow

  1. Access request — The end user initiates access to the UEM app.

  2. PKCE challenge generation — The UEM app generates a code verifier (a random string) and transforms it into a code challenge using a hashing algorithm.

  3. Authorization code request — The UEM app sends an authorization code request to the Knox authorization server, including the client ID, the client secret, and the code challenge.

  4. User authentication — The Knox authorization server redirects the request to the Identity Provider (IdP) for user authentication.

  5. Login screen display — The IdP displays the login screen to the end user.

  6. User login — The end user logs in by providing their credentials to the IdP.

  7. User authentication by IdP — The IdP authenticates the user’s credentials.

  8. Consent screen — The IdP displays a consent screen to the end user, asking for permission to allow the UEM app to access the required resources, which are determined by scopes. For more information, see Scopes for Knox cloud services APIs.

  9. Grant consent — The end user grants consent.

  10. Authorization code issuance — The Knox authorization server issues an authorization code and sends it back to the UEM app.

  11. Access token request — The UEM app sends the authorization code and the code verifier to the Knox authorization server to request an access token.

  12. Access token issuance — The Knox authorization server validates the authorization code and the code verifier. If both are valid, this proves that the UEM app is authorized to make calls on behalf of the end user. The Knox authorization server then issues an access token and a refresh token to the UEM app.

  13. API call with access token — The UEM app uses the access token to call the Knox cloud services APIs to access the resources. The access token must be active when you make this API call.

  14. Data response — The Knox cloud services APIs respond with the requested data.

  15. Access token refresh — When the access token expires, the UEM app requests a new access token from the Knox authorization server using the refresh token.

  16. New access token — The Knox authorization server issues a new access token to the UEM app.
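
The PKCE part of this flow (steps 2, 3, 11 and 12), as an added Python example that is not Samsung’s code and not the Knox server’s implementation. It assumes the S256 transform defined in RFC 7636 and shows both the client side (verifier and challenge) and the check the authorization server performs before issuing tokens.

```python
# Added example: PKCE code verifier / code challenge (RFC 7636, S256 method).
# Not part of the Knox documentation or the Knox server code.
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636: a code_verifier is 43..128 characters from [A-Za-z0-9-._~]
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Step 2: a high-entropy random string the UEM app keeps until step 11."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """Step 2: challenge = BASE64URL(SHA256(ASCII(verifier))) with '=' padding removed.
    This value is what travels in the authorization request (step 3)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Step 12, from the authorization server's point of view: recompute the challenge
    from the verifier sent with the token request (step 11) and compare it with the
    challenge stored alongside the authorization code in step 3. A constant-time
    comparison is used so the check does not leak information through timing."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if any(c not in _UNRESERVED for c in presented_verifier):
        return False
    recomputed = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(stored_challenge, recomputed)


def run_exchange() -> bool:
    """Client generates verifier+challenge; server later validates the verifier.
    Returns True only if the genuine verifier passes and a different one fails."""
    verifier = generate_code_verifier()              # client keeps this
    challenge = code_challenge_s256(verifier)        # client sends this in step 3
    genuine_ok = verify_pkce(challenge, verifier)    # step 11/12 with the real verifier
    forged_ok = verify_pkce(challenge, generate_code_verifier())  # attacker lacks it
    return genuine_ok and not forged_ok


if __name__ == "__main__":
    print("PKCE exchange behaves as expected:", run_exchange())
```

The known test vector from RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`) can be used to confirm the S256 transform matches the standard.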

[Figure: UEM sequence diagram]

For more information, see Knox OAuth 2.0 Authentication for UEMs.

Client credentials flow for customers and MSPs

This flow applies to you if you’re a Knox cloud services customer looking to programmatically access your Knox cloud services features, or you’re an MSP looking to programmatically access your managed customer’s Knox cloud services. Here’s how it works.

Before you begin

Register your app to generate its client ID and client secret.

Step-by-step client credentials flow

  1. Access request — The user initiates access to the client app.

  2. Access token request — The client app requests an access token from the Knox authorization server using its client ID and client secret.

  3. Access token issuance — The Knox authorization server authenticates the client application using the provided client credentials. If the credentials are valid, the authorization server issues an access token to the client app.

  4. API call with access token — The client app uses the access token to call the Knox cloud services APIs to access the resources. The access token must be active when you make this API call.

  5. Data response — The Knox cloud services APIs respond with the requested data.

[Figure: UEM sequence diagram]

For more information, see Knox OAuth Authentication 2.0 for Customers and MSPs.
