Celonis Product Documentation

Registering your OAuth client in Celonis Platform

OAuth can be used as an authentication method for Celonis Platform. It offers a more secure and flexible way of granting permissions to clients (applications) than API keys.

For an overview of the differences between OAuth 2.0 and using Application or API Keys, see: Using OAuth 2.0.

To register your OAuth clients in Celonis Platform:

  1. In your Celonis Platform instance, go to Admin & Settings > Applications.

  2. In the upper-right corner, click Add new application and select OAuth Client.

  3. Give your connection a meaningful name.

  4. The supported OAuth grant type is “Client Credentials”.

  5. Select one of the following authentication methods:

    • Client secret basic: With this method, the client uses the Authorization header to send the client_id and client_secret in the following format: Authorization: Basic encoded_credentials.

      Here the value of encoded_credentials corresponds to the base64 encoding of the OAuth client’s client_id:client_secret.

    • Client secret post: The client authenticates itself by providing the client_id and client_secret in the HTTP request body as form parameters.

  6. Click Define scopes.

    Scopes allow you to define areas to which the client should have access within its current permissions. You can't grant additional permissions to a client using scopes.

  7. Select resource types within Celonis Platform to which the clients will have access based on granted permissions. Chosen scopes give the client access to specific Celonis Platform APIs.

  8. Click Create.

As scopes only allow access to the APIs, the created OAuth client should now be assigned permissions to resources behind those APIs. After creating a client in Celonis Platform, developers receive client credentials: client ID and client secret. Every scope should have a name and a description, which unambiguously explains which APIs can be accessed with the scope based on the permissions granted to the client.
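The two authentication methods from step 5 place the credentials in different parts of the token request. The following is an added example, not code from the Celonis documentation: it builds an unsent Client Credentials request for each method and a log-safe summary of it. The token URL, the credential values, the scope name and the function names are placeholders or hypothetical.

```python
import base64
import urllib.parse
import urllib.request

# Placeholder: the page does not state the token endpoint URL.
TOKEN_URL = "https://celonis.example.invalid/oauth2/token"


def build_token_request(client_id, client_secret, scopes, method):
    """Build (but do not send) a Client Credentials token request."""
    form = {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # Format given on the page: base64 of client_id:client_secret.
        pair = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode("ascii")
    elif method == "client_secret_post":
        # Credentials travel as form parameters in the request body instead.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported authentication method: {method}")
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def redacted_summary(req):
    """Describe a request for logs with the secret-bearing parts masked.

    Base64 is an encoding, not encryption, so the Authorization header is
    as sensitive as the client_secret form field.
    """
    headers = {k: "<redacted>" if k.lower() == "authorization" else v
               for k, v in req.header_items()}
    fields = urllib.parse.parse_qsl(req.data.decode("ascii"))
    body = {k: "<redacted>" if k == "client_secret" else v for k, v in fields}
    return {"url": req.full_url, "headers": headers, "body": body}


if __name__ == "__main__":
    # Constructed sample values, not real credentials or real scope names.
    for m in ("client_secret_basic", "client_secret_post"):
        r = build_token_request("example-client-id", "example-secret", ["example.scope"], m)
        print(m, redacted_summary(r))
```

With either method the secret is only as protected as the transport and the logs it passes through, so proxies and debug logging in front of the client should mask both the Authorization header and the request body.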

For security reasons, you may want to regenerate the client secret using the following steps:

  1. In your Celonis Platform instance, go to Admin & Settings > Applications.

  2. Find your OAuth client and click the three-dot menu next to it.

  3. Select Regenerate secret.

Once you generate a new client secret, make sure to update the secret in all integrations that use that client.

During OAuth authorization flows, users can give consent to OAuth clients to access resources on their behalf. To view which OAuth clients have been granted consent, go to Edit Profile and then to the section OAuth Client Management. From there you can view which applications (OAuth clients) have been granted consent and revoke that consent.