3 Accessing the GraphQL APIs Using Utility-Scoped Tokens
The Oracle Utilities GraphQL APIs require proper authentication through access tokens and base URL construction to gain access and use of the APIs. A user can obtain a utility-scoped access token that allows retrieving user data from the GraphQL APIs for all accounts within a utility.
Retrieving Utility-Scoped Access Tokens
The GraphQL APIs support the OAuth 2.0 standard for authentication. OAuth 2.0 is an authorization framework that enables an application or a service to obtain limited access to a protected HTTP resource. In OAuth, the applications are called clients, and clients access protected resources by presenting an access token to the HTTP resource.
OAuth 2.0 is typically used in the "three-legged" fashion, in which an end-user authorizes a third-party to access their data. However, the Oracle Utilities GraphQL API uses "two-legged" authorization, which allows a trusted developer (for example, a utility company) to access all data Oracle Utilities provides.
Obtaining Credentials
Provide the following information, using https://support.oracle.com, to your Oracle Utilities Customer Success Representative:
- Contact name
- Contact email
- The specific utility code to access if multiple operating companies exist
Oracle Utilities provides you with the following keys:
-
client_id
-
client_secret
-
grant_type
For example, a client's contact information is sent through https://support.oracle.com to Oracle Utilities:
- Name: Integration Team
- Email: IntegrationTeam@utilityX.com
- Utility Access: UtilityX
The client receives Oracle Utilities information through a secure email:
-
client_id: 019ebf3c-bc9c-41fa-87aa-09b1ecc86012
-
client_secret: bdf46a70-c553-44bd-846e-7bd4f9d98690
grant_type: client_credentials
It is recommend that you retain all information provided to
obtain credentials as it is required in the case of a
forgotten client_id
.
Securing your Credentials and Requesting New Credentials
Keys can be used to access utility customer data, so they must be protected and stored securely. Keys must have limited distribution, they should not be shared among developers, and they must only be used by authorized utility personnel. Do not use keys or tokens directly in a browser or mobile application. To make data from Oracle Utilities GraphQL APIs available to customers, you must create a server-side API gateway to accept customer requests for data using their session token. Your server-side API gateway must then make a request to the Oracle Utilities GraphQL APIs using your utility's OAuth token.
If you suspect that a key has been compromised or its security can no longer be assured, contact Oracle Utilities using https://support.oracle.com with the client_id
. A new client_secret
is issued.
If credentials are forgotten, you can request new credentials
from Oracle Utilities. If the client_secret
is
forgotten, you must send a communication using https://support.oracle.com
with your client_id
. Oracle Utilities will issue
a new client_secret
. If
the client_id
is forgotten, you must send a
communication using https://support.oracle.com
with the information provided when first obtaining
credentials, and Oracle Utilities issues a new
client_id
and client_secret
.
Obtaining a Utility-Scoped Access Token
Before calling other API endpoints for a given tier, a client
must obtain a utility-scoped access token from the authorization-v1
endpoint (authorization-v1/oauth2/token
) using the
issued client credentials.
To obtain a client access token:
-
Use a curl command to request the utility-scoped access token. If you choose to use a different method for this type of request, be aware that the
-u
option below performs Base64 encoding on theclient_id:client_secret
value. The syntax of this command is as follows:curl -XPOST host:port/apis/authorization-v1/oauth2/token -d "grant_type=client_credentials" -u "client_id:client_secret" -H "Content-Type: application/x-www-form-urlencoded"
You must replace
host
,port
,client_id
, andclient_secret
with the applicable values.An example response is provided below:
{ "client_id":"019ebf3c-bc9c-41fa-87aa-09b1ece86012", "access_token":"a3b96ccb-cff0-4c12-b693-40e7158aa8cd", "token_type":"BEARER", "scope":"", "expires_in":3599 }
The
expires_in
parameter is expressed in seconds. - After retrieving the utility-scoped access token, you can provide the utility-scoped access token as part of your GraphQL queries, which is described in Using the GraphiQL IDE and Using Curl. If the utility-scoped access token expires, repeat the process to obtain a valid access token.
Constructing the Base URL
A GraphiQL Integrated Development Environment (IDE) provides access for you to explore the schema and run queries using utility-scoped access tokens. You can access the IDE using the following URL structure:
-
Stage Environment:
https://api-stage.us.opower.com/graphql
This environment is intended for API call and feature testing.
-
Production Environment:
https://api.us.opower.com/graphql
This environment is intended to be used for updates or retrievals from your production system that directly supports your customers.