Authentication¶

To ensure only valid users can use the endpoints, all Cross Asset Services are only accessible by authenticated users using OpenID Connect. There are two mechanisms that can be used to generate access tokens that can be passed to the API, implicit flow and client credentials flow.

For direct API access, client credentials flow will be the mechanism used and is what we will discussing in this documentation. Implicit flow is used for application user access and is outside the scope of this discussion.

Obtaining Access¶

Before you can access any of the API endpoints, you must first be setup in the authentication system as an IHS Markit customer. Please contact your usual IHS Markit support representative who can advise on the process for getting this setup.

Once this setup is completed, you will be assigned two pieces of information that will be used to uniquely and securely identify any calls you make, these being a client_id and a client_secret. The client_id can be thought of as a username and would be something like api-client-name.client. The client_secret is equivalent to a password and would be a UUID (Universally Unique Identifier) and look something like d1999eea-b46b-11e9-a2a3-2a2ae2dbcce4.

You will be assigned two different secrets, one for each of the Environments.

Getting a Token¶

Once this information has been received, you can then use this information to call the CAS identity provider in order to obtain an access token. This token takes the form of a JWT (JSON Web Token) which is a signed token that uniquely identifies a consumer and cannot be altered without invalidating it (due to the signature check). To see the full steps required to obtain a token, please reference Get a Token.

Authorization¶

In addition to Authentication which is to establish who the caller is, the other aspect of API security is Authorization. Authorization is concerned with establishing what a caller can do.

For the CAS API endpoints, this mechanism is scopes. Each major functional permission for a service has a scope associated with it, and these scopes are assigned to specific client credentials to control the access for each consumer. As such, you will be limited on the services and major functional areas that you have been enabled for - please contact your IHS Markit representative for more information about getting additional features enabled.

An example scope would be deals-read that gives access to read functionality in the deals service. As each service defines it’s own scopes, please reference the individual service documentation section for details of the available scopes. If you do not have the required scope to perform a specific function on an API, you will receive a 403 Forbidden http response and a response payload similar to the following:

{
    "message": "Invalid Scope",
    "correlationId": "431b8626-287b-46b5-97f0-be385f63246c",
    "code": "AccessDenied",
    "codeInfoUrl": "/error-codes"
}

By default when you obtain an access token it will include all the scopes that are assigned to your client credentials, but if you do not want to grant full access to a specific call you may specify a distinct list instead. This is accomplished by including an extra parameter called scope when requesting the access token, which is a comma delimited list of the scopes required. A sample curl request for this parameter would like like:

-d 'grant_type=client_credentials&scope=deals-read%20permissions-read%0A%0A&client_id=<client_id>&client_secret=<client_secret>''