Changing authentication at the origin

Learn about the process of changing authentication at the origin when migrating from service accounts to client credentials.

Changing the authentication at the origin is a critical step in migrating from service accounts to client credentials. This ensures that all instances where the service account is used are properly updated to use the new client credentials.

When transitioning from service accounts to client credentials, it’s essential to identify all locations where the old service account credentials are used. This includes scripts, applications, and integrations that rely on the service account for authentication. Every one of these places should be identified and migrated. Otherwise, any automated process that still uses the old credentials may fail.

Changing the authentication

Here is an outline of the steps:

  1. Identify all usage points:

    Review your scripts, applications, and integrations to find where the service account is used.

    Document all these points to ensure none are missed during the transition.

  2. Replace with client credentials:

    Update each identified usage point to use the new client credentials.

    Ensure the new credentials are securely stored and managed.

  3. Update approved authentication requests:

    Ensure that the authentication requests are:

    • Using the client_credentials grant
    • Sending the credentials client_id:client_secret encoded with Base64 in the Basic Auth header.

    Approved authentication request:

    
    POST https://auth.reltio.com/oauth/token
    Authorization: Basic <BASE64(client_id:client_secret)>
    Content-Type: application/x-www-form-urlencoded
    Body:
    grant_type=client_credentials
                        

Leveraging the Security Audit Log

Use the Security Audit Log to track origin IP addresses, which can help identify where a service account is being used. For more information, see the topic Security Audit Log API. Remember that this API can pull up to 1 day of logs: the time interval between start and end cannot exceed 24 hours.

Note: ROLE_ADMIN_CUSTOMER is required to perform these operations.

Sample Security Audit Log API request:


    POST https://auth.reltio.com/audit/export
    Authorization: Basic <BASE64(client_id:client_secret)>
    Content-Type: text/plain
    Body:

    {
        "customerId": "<YOUR_CUSTOMER_ID>",
        "start": "2024-08-01T00:00:00Z",
        "end": "2024-08-01T23:59:00Z",
        "usernames": ["<YOUR_SERVICE_ACCOUNT>"],
        "events": ["LOGIN"],
        "eventTargetObjects": [],
        "format": "JSON"
    }
            

Sample Security Audit Log response:


    [
        {
            "timestamp": "2024-08-01T23:58:58.956918Z",
            "ipAddress": [
                "51.5.220.13"
            ],
            "userName": "<YOUR_SERVICE_ACCOUNT>",
            "eventName": "LOGIN",
            "eventObject": "",
            "eventDetail": [
                {
                    "grant_type": "password"
                }
            ]
        }
    ]
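
One way to work through the audit log when looking for remaining service account usage, as an added example that is not part of the original page: it splits a review period into windows of at most 24 hours for the export request and groups LOGIN records by origin IP and grant type. The account name, the IP addresses and the function names are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed records in the shape of the sample response above; the account
# name and the IP addresses (documentation ranges) are made up for this example.
SAMPLE = json.loads("""[
 {"timestamp": "2024-08-01T09:15:02.120000Z", "ipAddress": ["203.0.113.10"],
  "userName": "svc-loader", "eventName": "LOGIN", "eventObject": "",
  "eventDetail": [{"grant_type": "password"}]},
 {"timestamp": "2024-08-01T21:40:11.450000Z", "ipAddress": ["203.0.113.10"],
  "userName": "svc-loader", "eventName": "LOGIN", "eventObject": "",
  "eventDetail": [{"grant_type": "password"}]},
 {"timestamp": "2024-08-01T23:58:58.956918Z", "ipAddress": ["198.51.100.7"],
  "userName": "svc-loader", "eventName": "LOGIN", "eventObject": "",
  "eventDetail": [{"grant_type": "password"}]}
]""")

def day_windows(start, end):
    """Split [start, end) into start/end pairs no longer than 24 hours each."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    windows, cursor = [], start
    while cursor < end:
        stop = min(cursor + timedelta(hours=24), end)
        windows.append((cursor.strftime(fmt), stop.strftime(fmt)))
        cursor = stop
    return windows

def summarize_logins(records):
    """Map (userName, origin IP, grant_type) -> login count and last timestamp."""
    summary = defaultdict(lambda: {"count": 0, "last_seen": ""})
    for rec in records:
        if rec.get("eventName") != "LOGIN":
            continue
        grants = {d.get("grant_type", "unknown") for d in rec.get("eventDetail", [])} or {"unknown"}
        for ip in rec.get("ipAddress") or ["unknown"]:
            for grant in grants:
                entry = summary[(rec.get("userName"), ip, grant)]
                entry["count"] += 1
                # String comparison works because all timestamps share one UTC format.
                entry["last_seen"] = max(entry["last_seen"], rec.get("timestamp", ""))
    return dict(summary)

def password_grant_origins(summary):
    """Origins where the account still logs in with the password grant."""
    return sorted({(user, ip) for (user, ip, grant) in summary if grant == "password"})

if __name__ == "__main__":
    print(day_windows(datetime(2024, 8, 1, tzinfo=timezone.utc), datetime(2024, 8, 3, 12, tzinfo=timezone.utc)))
    print(password_grant_origins(summarize_logins(SAMPLE)))
```

Each pair returned by `day_windows` fills the start and end fields of one export request, and the origins that `password_grant_origins` lists are the usage points still to be migrated.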
            

Need help?

If you encounter any issues or have questions during this process, please contact us; see the topic Need some help?