Authentication and Authorization
All HID Origo API endpoints require authentication using an OAuth 2.0 Bearer Token (access_token). Every request to the API must include a valid token in an Authorization HTTP header with the following format:
Authorization: Bearer {access_token}
These tokens are generated on behalf of "System Accounts", which are created an managed using the HID Origo Management Portal, using the "Organization Administration" view which is available to holders of the "Organization Administrator" role. Detailed instructions on creating and managing System Accounts is outside the scope of this document.
Identity Provider Information
The following table provides a summary of the Identity Provider properties:
| Endpoint | https://api.origo.hidglobal.com/authentication/customer/{organization_id}/token |
| Endpoint For Origo Identity Positioning | https://api.prod.oip.origo.hidglobal.com/authentication/customer/{organization_id}/token |
| OAuth 2.0 Support | Yes |
| OpenID Connect Support | Partial |
| Password Authentication | Yes |
| PKI Authentication | Yes |
| System Account Name Format | {organization_id}-OSRV123... |
| Token Lifetime | 1h (3600s) |
Password-Based Authentication
The following sample request and response demonstrates generating a Bearer Token using the client_credentials grant type. Any line breaks are added for readability only.
POST /authentication/customer/{organization_id}/token HTTP/1.1
Host: api.origo.hidglobal.com
Content-Type: application/x-www-form-urlencoded
client_id=12345-OSRV123456789
&client_secret=K5bkps7mtnq7VDQr
&grant_type=client_credentials
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"access_token": "78HOfQBBBXI3C22rm35DaTrjnKnTpz3WnSJ+INqE",
"id_token": "eyJraWQiOiIx...78Q",
"token_type": "Bearer",
"expires_in": 3600
}
Origo Identity Positioning Password-Based Authentication
The following sample request and response demonstrates generating a Bearer Token using the client_credentials grant type. Any line breaks are added for readability only.
POST /authentication/customer/{organization_id}/token HTTP/1.1
Host: api.prod.oip.origo.hidglobal.com
Content-Type: application/x-www-form-urlencoded
X-Request-ID: {organization_id}
client_id=12345-OSRV123456789
&client_secret=K5bkps7mtnq7VDQr
&grant_type=client_credentials
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"access_token": "78HOfQBBBXI3C22rm35DaTrjnKnTpz3WnSJ+INqE",
"id_token": "eyJraWQiOiIx...78Q",
"token_type": "Bearer",
"expires_in": 3600
}
Certificate-Based Authentication
Certificate-based authentication is supported through the use of JSON Web Tokens (JWT).
Pre-requisites
The System Account identifier and a token URL are used as input to the signed token. The following instructions provide guidance on how to configure a System Account for PKI authentication and to capture the properties to be included in the token.
- Create (or edit) a System Account and assign the appropriate role(s).
- In the PKI certificate section, upload the PKI certificate (public key):
- Save the settings to return to the Organization Administration screen.
- In the System Accounts section, obtain the Client ID and Token URL:
Base64 encoding
HID Origo expects that any file(s) uploaded only contain a single X.509 certificate encoded in Base64 format. For example: -----BEGIN CERTIFICATE----- MIIDUDCCAjgCCQCABzqmVj/tijANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJV UzELMAkGA1UECAwCVFgxDzANBgNVBAcMBkF1c3RpbjEfMB0GA1UECgwWSElEIEds b2JhbCBDb3Jwb3JhdGlvbjEcMBoGA1UEAwwTb3JpZ28uaGlkZ2xvYmFsLmNvbTAe Fw0yMDExMTIwOTExMDVaFw0yMTExMTIwOTExMDVaMGoxCzAJBgNVBAYTAlVTMQsw CQYDVQQIDAJUWDEPMA0GA1UEBwwGQXVzdGluMR8wHQYDVQQKDBZISUQgR2xvYmFs IENvcnBvcmF0aW9uMRwwGgYDVQQDDBNvcmlnby5oaWRnbG9iYWwuY29tMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxKsP9WM547QoSdZrAhzZfXj3Ykbl 8RRBt3vN5Ad4eFc1eet/ISAPdy5V6+FK/4f0i3ntbPPtJHNZxhYc2PWFOhnPPlSw 7WbI2fZOC4LOeMEAVaEhmXDQ33FqA//XdNM17W4+oTo31gi5rAfLXyqnbG138drD FJthuT66QHOVHWn3RRG96ZUhSjwM6eoCCyWdyoEbBwXyL0YPpyzyGcSFvnYSPWb5 1gEPrSbFAl6ztqIRG6oQ01Re3eNFtICOJjTSq7ZlV+s6uyO1REWsYqTRaMTQ7uS0 b1EXf67kAKk8s1hmmMxXoseAhbfuoM42t8FgYjgvGvs5yZI6KxXBpSsHGQIDAQAB MA0GCSqGSIb3DQEBCwUAA4IBAQAdPG2WbM8g/MY1Fh5kwsoOOqLzg+urbgFumAuY qfojBoacfV5LJKFcIGxcp7GYc2lkb5CZLGrxt+iWEyrSVguoFdDfdr61Mz05Fp9e VZ+m/kgFmC9wNLwwhbd7n8ezNgeRy9sjxy83cSNpgVnIJELhW4ko8z0f7M/SPLIb EYLYpFy9N3jUjjM7qQMkgNS8RN+eMJmpyLhu1Y2Hae3wt1ras8zsKz3xrRduuS0G 1ymoRN/rg1A2zOO2yERJb6vtkl/AtsLkBBXLfco2iQ2wlDSHgsjpIRKYmxDZLfem iwec/ntR41YN9oSXfFssFoXOK4nqYEwMZrQKbx/b3nU8mb6N -----END CERTIFICATE----- ```
Generating a Signed JWT
With the System Account created and a PKI certificate uploaded, a JWT can be created and signed. The token needs to include certain claims:
| Property | Explanation |
|---|---|
sub | Subject: The identity the token was issued for. In this case, the System Account Client ID. |
iss | Issuer: The entity that issued the token. In this case, the System Account Client ID. |
aud | Audience: The target audience for the token. Should be set to the value of Token URL captured for the System Account. |
nbf | Not Before: A timestamp (represented as seconds since January 1, 1970, 00:00:00 GMT) indicating the moment after which the token can be validated. Typically set to the current timestamp, minus a few milliseconds. |
iat | Issued At: The time at which the token was issued. Typically the same value as nbf. |
exp | Expiration: The time at which the token will expire. For example an hour later than iat. |
jti | JWT Identifier: A random value to ensure the token is unique. The recommendation is to use a 128 bits minimum alphanumeric random, such as a RFC-4122 UUID. |
Below is a sample payload using the values from previous examples. This should be signed using the private key to produce a valid JWT:
JWT payload
{
"sub": "1234-OSRV123456789",
"iss": "1234-OSRV123456789",
"aud": "https://auth-us.api.hidglobal.com/idp/1234567890abcdefgh/authn/token",
"nbf": "1597219200", // 2020-08-12 08:00 UTC
"exp": "1597222800", // 2020-08-12 09:00 UTC
"jti": "06aa8891-5ea9-4425-8840-52f657fe768b",
"iat": "1597219200", // 2020-08-12 08:00 UTC
}
This payload is then signed using the private key and converted to a Base64 encoded string which can be used in API requests. Additional guidance and sample applications in multiple languages are available as part of the HID Global Authentication Service Documentation.
POST /authentication/customer/{organization_id}/token HTTP/1.1
Host: api.origo.hidglobal.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_assertion=ZXlKMGVYQWlPaUpLVjFRaUxDSmhiR2NpT2lKSVV6STFOaUo5LmV5SnpkV0lpT2lJeE1qTTBMVTlUVWxZeE1qTTBOVFkzT0RraUxDSnBjM01pT2lJeE1qTTBMVTlUVWxZeE1qTTBOVFkzT0RraUxDSmhkV1FpT2lKb2RIUndjem92TDJGMWRHZ3RkWE11WVhCcExtaHBaR2RzYjJKaGJDNWpiMjB2YVdSd0x6RXlNelExTmpjNE9UQmhZbU5rWldabmFDOWhkWFJvYmk5MGIydGxiaUlzSW01aVppSTZJakUxT1RjeU1Ua3lNREFpTENKbGVIQWlPaUl4TlRrM01qSXlPREF3SWl3aWFuUnBJam9pTURaaFlUZzRPVEV0TldWaE9TMDBOREkxTFRnNE5EQXROVEptTmpVM1ptVTNOamhpSWl3aWFXRjBJam9pTVRVNU56SXhPVEl3TUNKOS5IY05tdmRjbEZsX2VzeG9aZXo1M0prVTlURWNSZGFsZ2NxYmUwWEJwR3pz
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"access_token": "78HOfQBBBXI3C22rm35DaTrjnKnTpz3WnSJ+INqE",
"id_token": "eyJraWQiOiIx...78Q",
"token_type": "Bearer",
"expires_in": 3600
}
Authentication Expiration Policy for System Accounts
It is recommended to monitor token expiration timelines and update them as required to prevent any disruptions.
PKI Based Authentication:
- Certificates uploaded for system accounts during PKI-based authentication, the default expiration period is one year.
- If the certificate expires and stops functioning, re-upload the certificate to restore functionality and ensure uninterrupted operation.
Password Based Authentication:
- For system accounts enabled with password-based authentication, the default expiration period is five years.
Token Expiry
All tokens have an expiry threshold and a session timeout. The expires_in property will include the maximum lifetime of the token in seconds, which is currently 3600 but is subject to change. Developers are encouraged to make this value configurable or dynamically read it from the token. Attempting to use an expired token will result in a HTTP 401 Unauthorized response. Any application consuming HID Origo APIs must support requesting a new token on expiry.
Token Session
In addition to the expiry threshold, HID Origo will consider authentication tokens expired if not used within 5 minutes of creation.
Application Identifiers
In addition to a System Account and associated credentials, an Application Identifier and version must be provided with each request using custom HTTP headers:
Application-IDApplication-Version
The Application Identifier is provided and approved for use in production once the application has been certified through the Technology Partner Service program.
A sample request including the Application-ID and Application-Version headers is provided below:
Application Identifiers
GET /credential-management/customer/{organization_id}/users
Host: ma.api.assaabloy.com
Authorization: Bearer 78HOfQBBBXI3C22rm35DaTrjnKnTpz3WnSJ+INqE
Content-Type: application/vnd.assaabloy.ma.credential-management-2.2+json
Application-ID: HID-Sample-Application
Application-Version: 2.3
Data Security
HID Origo supports TLS version 1.2 and above, to ensure the security and privacy stays ahead of potential vulnerabilities and to meet regulatory requirements.