Configure OAuth2 client credentials for Azure LCAs

Learn how to configure OAuth2 client_credentials authentication for Azure Lifecycle Actions (LCAs) so that Reltio can securely invoke your Azure Function through your identity provider.

Prerequisites

Before you begin, make sure that you have the following:

  • An OAuth2 client in your identity provider that supports the client_credentials grant type.
  • The OAuth2 client ID.
  • The OAuth2 client secret.
  • The HTTPS token endpoint URL for your identity provider.
  • An optional scope value, if your identity provider requires one.
  • A Reltio admin bearer token for the tenant.
Important:

Reltio grants access to the PUT and DELETE endpoints on request. Before you proceed, create a support ticket with Reltio to enable the required privilege for your admin user.

OAuth2 client_credentials authentication enables Azure Lifecycle Actions (LCAs) to authenticate through your identity provider.

When this authentication method is configured, Reltio requests a bearer token from your token endpoint before it invokes your Azure Function.

To configure OAuth2 client credentials for Azure Function LCAs
  1. Send a PUT request to the Azure LCA OAuth2 configuration endpoint.
    PUT /tenants/{tenantId}/lcaConfig/azureConfig/secrets

    Include the following request headers:

    Authorization: Bearer <reltio-admin-token>
    Content-Type: application/json
  2. Provide the OAuth2 configuration values in the request body.

    Include the token endpoint URL, client ID, client secret, and optional scope value.

    {
      "tokenUrl": "https://auth.example.com/as/token.oauth2",
      "clientId": "your-client-id",
      "clientSecret": "your-client-secret",
      "scope": "lca.invoke"
    }

    If your identity provider does not require a scope value, omit the scope field.

    Make sure that the following values are valid before you submit the request:

    • tokenUrl must use https://.
    • clientId must not be blank.
    • clientSecret must not be blank.
    Note:

    If your Azure Function gateway validates token claims such as aud or iss, make sure that your identity provider is configured to return the expected values.

  3. Submit the request and confirm that Reltio stores the configuration.

    When you save the configuration, Reltio validates the values and performs a live client_credentials token request against the supplied token endpoint. If the token endpoint is unreachable or the credentials are rejected, the save fails and the existing configuration remains unchanged.

    The following example shows a complete curl request:

    curl -X PUT \
      "https://<your-reltio-environment>/reltio/tenants/<tenantId>/lcaConfig/azureConfig/secrets" \
      -H "Authorization: Bearer <reltio-admin-token>" \
      -H "Content-Type: application/json" \
      -d '{
        "tokenUrl": "https://auth.example.com/as/token.oauth2",
        "clientId": "e356249a-b365-4679-b464-f6f5fd2fff06",
        "clientSecret": "your-client-secret-here",
        "scope": "lca.invoke"
      }'
    Note:

    Reltio authenticates to your token endpoint by using client_secret_post. If your identity provider requires client_secret_basic, create a support ticket with Reltio to request this capability.

    If the request succeeds, Reltio returns HTTP 200.

    {
      "successful": true,
      "message": "LCA Azure OAuth2 credentials stored successfully"
    }
  4. Verify that the configuration is working.
    1. Trigger an Azure Function LCA on the tenant.
    2. Check your identity provider audit log, and confirm that it received a client_credentials token request for the configured client.
    3. Check your Azure Function logs or gateway logs, and confirm that the request includes a valid Authorization: Bearer header.

    If the LCA completes successfully, the OAuth2 configuration is working. Reltio caches and refreshes tokens automatically based on the expires_in value returned by your identity provider.

  5. Send a DELETE request if you want to remove the stored OAuth2 client credentials.
    1. Use the following endpoint:
      DELETE /tenants/{tenantId}/lcaConfig/azureConfig/secrets
    2. Include the Reltio admin bearer token in the request header:
      Authorization: Bearer <reltio-admin-token>

    If the request succeeds, Reltio returns HTTP 200.

    {
      "successful": true,
      "message": "LCA Azure OAuth2 credentials removed successfully"
    }

    After the OAuth2 configuration is removed, Azure Function LCAs for the tenant use the Microsoft Entra ID authentication flow.

OAuth2 client credentials are now active for the tenant. Each Azure Function LCA invocation requests a bearer token from your identity provider and includes that token in the outbound request.
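The following added example (not Reltio's code, and not the Azure LCA implementation) models the behaviour this procedure describes from the caller's side: the pre-submit checks on tokenUrl, clientId and clientSecret, the live client_credentials request that happens at save time, the client_secret_post shape of that request (credentials in the form body, no Basic header), and the token caching keyed on expires_in. The HTTP transport is injectable, so the script runs offline against a constructed fake identity provider; the token endpoint URL, client ID, secret and scope are the placeholder values from the page, and the clock is simulated so the refresh point is visible.

```python
"""Added example, not Reltio's code: a client_credentials token client that
mirrors the checks and caching behaviour described for Azure LCA OAuth2.
All endpoint/credential values below are placeholders from the page."""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class OAuth2ClientConfig:
    token_url: str
    client_id: str
    client_secret: str
    scope: Optional[str] = None  # omitted from the request when None


def validate_config(cfg: OAuth2ClientConfig) -> List[str]:
    """The page's pre-submit rules; an empty list means the config is valid."""
    problems = []
    if not cfg.token_url.lower().startswith("https://"):
        problems.append("tokenUrl must use https://")
    if not cfg.client_id.strip():
        problems.append("clientId must not be blank")
    if not cfg.client_secret.strip():
        problems.append("clientSecret must not be blank")
    return problems


def build_token_request(cfg: OAuth2ClientConfig) -> bytes:
    """client_secret_post: client_id and client_secret travel in the form body."""
    form = {"grant_type": "client_credentials",
            "client_id": cfg.client_id, "client_secret": cfg.client_secret}
    if cfg.scope:
        form["scope"] = cfg.scope
    return urllib.parse.urlencode(form).encode()


def http_post_form(url: str, body: bytes, headers: Dict[str, str]) -> Dict:
    """Real transport (unused offline): POST the form and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class TokenCache:
    """Holds one bearer token and refreshes it before expires_in elapses."""

    def __init__(self, cfg: OAuth2ClientConfig, transport: Callable = http_post_form,
                 clock: Callable[[], float] = time.monotonic, skew: float = 30.0):
        problems = validate_config(cfg)
        if problems:
            raise ValueError("; ".join(problems))
        self.cfg, self.transport, self.clock, self.skew = cfg, transport, clock, skew
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.requests_made = 0  # how many live token requests were sent

    def get_token(self) -> str:
        now = self.clock()
        if self._token is None or now >= self._expires_at:
            self._fetch(now)
        return self._token

    def _fetch(self, now: float) -> None:
        headers = {"Content-Type": "application/x-www-form-urlencoded",
                   "Accept": "application/json"}
        resp = self.transport(self.cfg.token_url, build_token_request(self.cfg), headers)
        self.requests_made += 1
        if "access_token" not in resp:
            raise RuntimeError(f"token endpoint rejected request: {resp.get('error', 'unknown_error')}")
        # Refresh `skew` seconds early; a lifetime shorter than the skew means no caching.
        lifetime = max(float(resp.get("expires_in", 0)) - self.skew, 0.0)
        self._token, self._expires_at = resp["access_token"], now + lifetime


def probe_token_endpoint(cfg: OAuth2ClientConfig, transport: Callable = http_post_form) -> Tuple[bool, str]:
    """Mirror the save-time check: validate, then make one live token request."""
    problems = validate_config(cfg)
    if problems:
        return False, "; ".join(problems)
    try:
        TokenCache(cfg, transport=transport).get_token()
    except (RuntimeError, OSError) as exc:  # rejected credentials or unreachable endpoint
        return False, str(exc)
    return True, "credentials accepted by token endpoint"


def make_fake_idp(valid_id: str, valid_secret: str, expires_in: int = 3600):
    """Constructed stand-in for an identity provider; records an audit log like step 4."""
    audit_log: List[Dict] = []

    def transport(url: str, body: bytes, headers: Dict[str, str]) -> Dict:
        form = dict(urllib.parse.parse_qsl(body.decode()))
        audit_log.append({"url": url, "grant_type": form.get("grant_type"),
                          "client_id": form.get("client_id"), "scope": form.get("scope")})
        if form.get("grant_type") != "client_credentials":
            return {"error": "unsupported_grant_type"}
        if form.get("client_id") != valid_id or form.get("client_secret") != valid_secret:
            return {"error": "invalid_client"}
        return {"access_token": f"tok-{len(audit_log)}", "token_type": "Bearer",
                "expires_in": expires_in}
    return transport, audit_log


def demo() -> Dict:
    """Simulated clock: a 120 s token with 30 s skew is reused until t=90, then refreshed."""
    cfg = OAuth2ClientConfig("https://auth.example.com/as/token.oauth2",
                             "your-client-id", "your-client-secret", "lca.invoke")
    transport, audit = make_fake_idp("your-client-id", "your-client-secret", expires_in=120)
    now = [0.0]
    cache = TokenCache(cfg, transport=transport, clock=lambda: now[0])
    first = cache.get_token()          # live request #1
    now[0] = 60.0
    second = cache.get_token()         # served from cache
    now[0] = 95.0
    third = cache.get_token()          # past 90 s: live request #2
    return {"first": first, "second": second, "third": third,
            "requests": cache.requests_made, "audit": audit}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints two audit entries, which is what the identity provider's audit log in step 4 should show for one configured client across a cached and a refreshed token; `probe_token_endpoint` returns the same kind of accept/reject outcome that decides whether the PUT in step 3 is stored or leaves the existing configuration unchanged.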

To configure Microsoft Entra ID authentication instead, see Configure Microsoft Entra ID for Azure LCAs.