Integrate Trimble Identity sign-in with your apps
Trimble Identity uses OpenID Connect and OAuth 2.0 to authenticate users and verify their Identity.
Integrating an application with Trimble Identity requires registration of your application in Trimble Cloud Console and your authorization flow configuration.
Step 1 - set up your application:
You can see a detailed breakdown under our Getting Started Guide
Step 2 - configure an authentication workflow:
An access token is required to authorize applications to access Trimble Identity’s services. This access can be granted through authorization grant flows. There are many factors in what is the best grant flow to use to authorize an application. Below are some of the authorization grant flows we offer for Trimble Identity.
Not sure where to start with what grant flow? See the Choose Your Grant Flow section in this documentation.
Most grant flows can be summarized with this basic flow:
- Get an access token
- Validate the access token
- Use the access token to call APIs
Step 3 - obtain profile values (JWTs):
The access token obtained in Step 2 is converted from a Base64 URL into a JSON Web Token (JWT). The JWT that comes with the response contains three parts. These sections, separated by a ‘period’ and ‘base64’, once decoded form the following three sections:
- Signature Algorithm
- User Claims
- Signature
Example:
<base64-encoded header>.<base64-encoded claims>.<base64-encoded signature>For details of JWT’s used and sample responses, please see JWT Definitions.
Step 4 - validate JWTs
When Trimble Identity returns an ID token to an application, the application must validate the signature to prove the token authenticity and confirm a few claims to verify its validity. Trimble Identity provides keys to allow clients to retrieve JSON Web Key Sets (JWKS), so clients can select an appropriate key for whatever JWTs are presented to them.
Please see JWT Validation for more detailed information.
JWT validation follows this basic flow:
- Retrieve the JSON Web Key Set
- Verifying the JWTs
- Match JWKs to verify JWTs
Grant types
Below are the currently used grant flows you can use with Trimble Identity.
If you are currently using an Implicit Grant flow, please use the Authorization Code with PKCE flow.
Choose your grant type for integration
Authorization Code
The authorization code grant is used when an application has users (Resource Owners) sitting at the keyboard. This grant flow is intended to be used by user-facing web applications with a server-side component.
Applications using Authorization Code without PKCE must have the Authorization Code Grant and Client Credentials grants enabled. Otherwise, PKCE is required.
Authorization code with PKCE
Authorization code with PKCE is very similar to the Authorization Code grant flow. This method was designed for desktop and mobile applications, but it can also be used in web applications.
It assumes the user is sitting at the keyboard, but the removes the need for the client secret to be held by the application.
Client credentials
In the Client Credentials flow, the client is assumed to be the resource owner, not acting on behalf of a user, and it uses a server to server communication. This flow is best for services accessing an application’s resources rather than resources owned by a user.
Implicit grant workflow
The Implicit Grant flow is not recommended for Trimble Identity. Please use the Authorization Code with PKCE in place of this grant flow.
On-Behalf/Token Exchange
On-Behalf/Token Exchange flow enables applications to exchange id_token/JWT for a self-contained access token. The on-behalf flow is best for when you are requesting information from a secondary app for resources.