Prerequisite — Get client ID and client secret

Last updated December 21st, 2023

Follow these steps to obtain a client ID and client secret:

  1. Contact the Samsung Knox team to obtain the bootstrap application’s client ID and client secret. These credentials are used to manage the rest of your OAuth2 clients.
    To enable OAuth2 client management without a user interface, Knox provides an initial OAuth2 client called the bootstrap app. This app has the client ID and client secret credentials needed to make API calls to create, update, and delete other OAuth2 clients in your organization. The bootstrap app is restricted to the oauth2.client:manage scope, limiting it to client management actions.

  2. You are required to rotate the bootstrap client secret the first time you use it, and you may also choose to rotate your client secret at any time.
    For security reasons, you should rotate the bootstrap client secret using the provided API after your initial setup. Rotating the client secret removes Samsung’s knowledge of your active credentials.
    Here’s how you rotate your client secret (for more details, please refer to Knox OAuth2 Client Management API):

    1. Get an access token using the existing client credentials provided to you. (This access token is only for accessing your own account, not for gaining access to your customer’s Knox services.)

      curl --location 'https://api.samsungknox.com/ams/v1/oauth2/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'grant_type=client_credentials' \
      --data-urlencode 'client_id={BOOTSTRAP_CLIENT_ID}' \
      --data-urlencode 'client_secret={BOOTSTRAP_CLIENT_SECRET}' \
      --data-urlencode 'scope=oauth2.client:manage'
      

      Response:

      {
      "access_token": "0_cxWW99WfqB6u7NbMjDjhm1",
      "scope": "oauth2.client:manage",
      "token_type": "Bearer",
      "expires_in": 599
      }
      
    2. Rotate the client secret using the access token.

      curl --location \
      --request PUT 'https://api.samsungknox.com/ams/v1/oauth2/clients/z3w55213y2/clientSecret' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer 0_cxWW99WfqB6u7NbMjDjhm1'
      
  3. Create a Knox OAuth2 application. Here is how to create one (for more details, please refer to Knox OAuth2 Authorization Server API and Knox OAuth2 Client Management API):

    1. Get an access token using the management application’s client credentials.

      curl --location 'https://api.samsungknox.com/ams/v1/oauth2/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'grant_type=client_credentials' \
      --data-urlencode 'client_id={BOOTSTRAP_CLIENT_ID}' \
      --data-urlencode 'client_secret={ROTATED_CLIENT_SECRET}' \
      --data-urlencode 'scope=oauth2.client:manage'
      

      Response:

      {
      "access_token": "0_cxWW99WfqB6u7NbMjDjhm1",
      "scope": "oauth2.client:manage",
      "token_type": "Bearer",
      "expires_in": 599
      }
      
    2. Create an OAuth2 client with the required parameters.

      curl --location 'https://api.samsungknox.com/ams/v1/oauth2/clients' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer 0_cxWW99WfqB6u7NbMjDjhm1' \
      --data '{
      "clientName": "Application Display Name",
      "clientAuthenticationMethods": [
          "client_secret_post", 
          "client_secret_basic"
      ],
      "authorizationGrantTypes": [
          "authorization_code",
          "client_credentials",
          "refresh_token"
      ],
      "redirectUris": [
          "https://example-app.com/redirect"
      ],
      "scopes": [
          "ke"
      ]
      }'
      

      Response:

      {
      "id": "651348be835eca63ce4d02c5",
      "meta": {
          "createdOn": "2023-09-26T21:10:22.567+00:00",
          "updatedOn": "2023-09-26T21:10:22.567+00:00"
      },
      "customerId": "3709965726",
      "clientName": "Application Display Name",
      "clientId": "wmsjFFGyfoFU5ZEp7ezI06TNL0aAoeAV",
      "clientSecret": "d4ZetFRDnENGDNcFFm1gx3R5Fid7LIWF",
      "clientAuthenticationMethods": [
          "client_secret_basic",
          "client_secret_post"
      ],
      "authorizationGrantTypes": [
          "refresh_token",
          "client_credentials",
          "authorization_code"
      ],
      "redirectUris": [
          "https://example-app.com/redirect"
      ],
      "scopes": [
          "ke"
      ]
      }
      

Store your client ID and client secret securely, as they are displayed only once. Other than including these credentials in API calls, never share your credentials or store them in a public repository.
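
The curl commands above put the client secret on the command line, where it lands in shell history and is visible in the process list. The following is an added example (not part of the original page or Samsung's code) that sends the same token request with the secret passed to curl on stdin, and saves a response body to an owner-only file. The variable names `KNOX_CLIENT_ID` and `KNOX_CLIENT_SECRET` and all function names are assumptions.

```shell
# Added example, not Samsung's code. POSIX sh.
# KNOX_CLIENT_ID / KNOX_CLIENT_SECRET are assumed (hypothetical) variable names.
TOKEN_URL='https://api.samsungknox.com/ams/v1/oauth2/token'

# Escape backslashes and double quotes for a double-quoted curl config value.
curl_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the token request as a curl config file. printf is a shell builtin,
# so the secret never appears in any process's argument list.
token_request_config() {
  if [ -z "${KNOX_CLIENT_ID:-}" ] || [ -z "${KNOX_CLIENT_SECRET:-}" ]; then
    echo 'KNOX_CLIENT_ID and KNOX_CLIENT_SECRET must be set' >&2
    return 1
  fi
  printf 'url = "%s"\n' "$TOKEN_URL"
  printf 'header = "Content-Type: application/x-www-form-urlencoded"\n'
  printf 'data-urlencode = "grant_type=client_credentials"\n'
  printf 'data-urlencode = "client_id=%s"\n' "$(curl_quote "$KNOX_CLIENT_ID")"
  printf 'data-urlencode = "client_secret=%s"\n' "$(curl_quote "$KNOX_CLIENT_SECRET")"
  printf 'data-urlencode = "scope=oauth2.client:manage"\n'
}

# Send the request; curl reads its options from stdin (--config -).
request_token() {
  token_request_config | curl --silent --show-error --fail --config -
}

# Write a response body from stdin to "$1" with owner-only permissions.
# set -C (noclobber) refuses to overwrite an existing credentials file.
save_credentials() {
  ( umask 077; set -C; cat > "$1" )
}
```

Piping the create-client response straight into `save_credentials` keeps the one-time `clientSecret` off the terminal and out of scrollback.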
