Skip to main content

Celonis Product Documentation

Extractor Builder - Authentication Methods

This page describes the supported authentication methods in detail and supports you evaluate which method to choose for your desired connection. We recommend comparing the described authentication mechanisms and comparing them with the API documentation of your source system to evaluate which method fits your scenario.

Every method requires a different input for configuring

  1. When configuring the authentication method itself → This configuration is identical for a given source system

  2. When creating a new data connection → This configuration is specific to the specific instance of the source system to which you intend to connect.

Authentication Method

Description

Input (when configuring the authentication method)

Input (when creating a new data connection)

Example Request

Basic Authentication

User inputs required in the data connection:

  • Username

  • password

To authenticate with the source system, the username and password provided in the data connection is encoded with Base64. This encoded string will be prefixed with "Basic" and sent to every request's Authorization header.

 

  • Username

  • Password

Header:

"Authorization: Basic bG9sOnNlY3VyZQ=="

Bearer Authentication

User inputs required in the data connection:

  • Bearer token

To authenticate with the source system, this token will be prefixed with "Bearer" and sent to every request's Authorization header.

 

  • Token

Header:

"Authorization: Bearer token"

API Key Authentication

User inputs required in the data connection:

  • API key

To authenticate with the source system, this API Key will be sent in the "x-api-key" header of every request.

  • API Key Header

  • API Key

Header: "x-api-key: YOUR-API-TOKEN”

OAuth2 (Authorization Code)

User inputs required in the data connection:

  • Client ID

  • Client secret

To authenticate with the source system, the client ID and client secret are passed to the authorization endpoint to request authorization to access the service resources in the browser (when saving the connection). If the user is authorized, an authorization grant is passed. Using this authorization grant an access token needs to be requested from the Get Token endpoint. The returned token is then used for all upcoming requests.

The Grant Type authorization_code is being used. The client credentials can be sent as a Basic Auth header (default) or via the request body.

  • Authorize Endpoint

  • Get Token Endpoint

  • Grant Type (authorization_code)

  • Scopes

  • Client ID

  • Client Secret

Header: "Authorization: Bearer token"

For Access Token, we send a request to the Get Token Endpoint with content:

“grant_type: <GRANT_TYPE>”

“client_id: <CLIENT_ID>”

“client_secret: <CLIENT_SECRET>

→ There is no test connection option, because you will get redirect to the UI of the source system for authentication.

OAuth2 (Authorization Code + Refresh Token)

User inputs required in the data connection:

  • Client ID

  • Client secret 

In order to authenticate with the source system, the client ID and client secret are passed to the authorization endpoint to request authorization to access the service resources in the browser (when saving the connection). If the user is authorized, an authorization grant is passed. Using this authorization grant, an access token needs to be requested from the Get Token endpoint. The returned token is then used for all upcoming requests. As the token in that connection scenario is limited to a certain period of time, a new one is automatically recreated after the old one expires using the refresh token.

The Grant Types authorization_code and refresh_token are being used. The client credentials can be sent as a Basic Auth header (default) or via the request body.

  • Authorize Endpoint

  • Get Token Endpoint

  • Grant Type (authorization_code)

  • Scopes

  • Client ID

  • Client Secret

Header: "Authorization: Bearer token"

To refresh the Access Token, we send a request to the Get Token Endpoint with content:

“grant_type: refresh_token”

“refresh_token: <REFRESH_TOKEN>“

And with Header

(generated from client id and secret):

"Authorization: Basic bG9sOnNlY3VyZQ=="

→ There is no test connection option, because you will get redirect to the UI of the source system for authentication.

OAuth2 (Client Credentials)

User inputs required in the data connection:

  • Client ID

  • Client secret 

To authenticate with the source system, the client ID and client secret are passed to the Get token endpoint to get an access token. The returned token is then used for all upcoming requests.

The Grant Type client_credentials is being used. The client credentials are sent via the request body.

  • Get Token Endpoint

  • Grant Type (client_credentials)

  • Client ID

  • Client Secret

Header: "Authorization: Bearer token"

For Access Token, we send a request to the Get Token Endpoint with content:

“grant_type: client_credentials”

“client_id: <CLIENT_ID>”

“client_secret: <CLIENT_SECRET>

OAuth2 (Resource Owner)

User inputs required in the data connection:

  • Client ID

  • Client secret

  • Username

  • Password

The client ID, client secret, username, and password are passed to the Get token endpoint to get an access token to authenticate with the source system. The returned token is then used for all upcoming requests.

The Grant Type password is being used. The client credentials are sent via the request body.

  • Get Token Endpoint

  • Grant Type (password)

  • Username

  • Password

  • Client ID

  • Client Secret

Header: "Authorization: Bearer token"

For Access Token, we send a request to the Get Token Endpoint with content:

“grant_type: password”

“username: <USERNAME>”

“password: <PASSWORD>”

“client_id: <CLIENT_ID>”

“client_secret: <CLIENT_SECRET>

Note: Client secret is used only if it is specified.

OAuth2 (JWT Bearer with Private Key)

User inputs required in the data connection:

  • Private Key

  • Audience (optional)

  • Issuer (optional)

  • Subject (optional)

To authenticate with the source system, the Private Key, the Issuer, and Subject Label are sent to the Get token endpoint and validated based on the Audience. The returned token is then used for all upcoming requests.

The respective Grant Type can be found in the API documentation of the system you want to connect to. The audience, Issuer, Subject Label, and Private Key provided in the data connection are encoded with Base64.

  • Get Token Endpoint

  • Grant Type (default: urn:ietf:params:oauth:grant-type:jwt-bearer)

  • Scopes

  • Signature Algorithm

  • Private Key

  • Audience (optional)

  • Issuer (optional)

  • Subject (optional)

Header: "Authorization: Bearer token"

For Access Token, we send a request to the Get Token Endpoint with content:

“grant_type: <GRANT_TYPE>”

“client_assertion: <JWT_ASSERTION>”

→ the JWT_ASSERTION: is the assertion generated from the Private Key and the selected Signature Algorithm

OAuth2 via Proxy

User inputs required in the data connection:

  • Client ID

  • Client secret

  • Username

  • Password

The client ID, client secret, username, and password are passed to the Get token endpoint to get an access token to authenticate with the source system. The returned token is then used for all upcoming requests.

Client ID, client secret, username, and password provided in the data connection are encoded with Base64 into one string

  • Get Token Endpoint

  • Content Type: application/x-www-form-urlencoded

  • Username

  • Password

  • Client ID

  • Client Secret

Header: "Authorization: Bearer token"

For Access Token, we send a request to the Get Token Endpoint with headers:

“content-type: <CONTENT_TYPE>”

“Authorization: <AUTH_STR>”

→ the AUTH_STR has the value of Base64 encoded credentials.

The encoded part is generated from Client ID, Client Secret, Username and Password.