## Carbonite Authentication Instructions

Users must obtain a JWT access token to access the LBM Public API.

Authentication is performed by sending a POST request to one of our token endpoints, using Basic Authentication and the
OAuth2 client credentials flow.

| Environment | URL |
|  --- | --- |
| Stag | https://293-app-prod-carbonite-sso-staging.azurewebsites.net/common/oauth2/v1.0/token |
| Prod | https://sso.strongtietech.com/common/oauth2/v1.0/token |


The example `curl` command below demonstrates obtaining an access token:


```bash
curl --location 'https://293-app-prod-carbonite-sso-staging.azurewebsites.net/common/oauth2/v1.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic dGVzdDp0ZXN0' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=LBMPublicAPI.Customer.<TENANT>' \
--data-urlencode 'aud=pipeline_lbm_public_api'
```

The Basic Authorization header value is the Base64 encoding of `clientId:clientSecret`, using the Client ID and Client Secret given to the user:


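```powershell
# Join the Client ID and Client Secret with a colon, then Base64-encode the UTF-8 bytes.
$string = "clientId:clientSecret"
$bytes = [System.Text.Encoding]::UTF8.GetBytes($string)
$base64 = [Convert]::ToBase64String($bytes)
# The output is the value that follows "Basic " in the Authorization header.
Write-Output $base64
```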

The scope `LBMPublicAPI.Customer.<TENANT>` should be included in the request to scope the JWT token to the Pipeline LBM
Tenant that the customer has access to. The `<TENANT>` value comes from the URL of the Pipeline LBM site, e.g. for the URL
`https://lb.pipelinebt.app/lbmsales`, the tenant is `lbmsales` and the full scope should be: `LBMPublicAPI.Customer.lbmsales`.

A user cannot receive a token for, or access, an LBM Tenant that is not included in the Carbonite app registration.

When successful, the user should receive a JSON response that includes a Bearer JWT within the `access_token` property:


```json
{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 86399
}
```

The bearer token is then included within the Authorization Header of requests made to the Public API, and the `<TENANT>` value
also must be included in an `X-Customer` header:


```bash
curl --location 'https://293-app-prod-pipeline-public-api.azurewebsites.net/api/v1/jobs' \
--header 'X-Customer: lbmsales' \
--header 'Authorization: Bearer eyJ...'
```
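
The whole flow above, as an added Python example (not part of the original instructions or the project's own code): it derives the tenant from the site URL, builds the token request, computes when to refresh from `expires_in`, and produces the headers for API calls. The function names, the `LBM_SITE_URL`, `LBM_CLIENT_ID` and `LBM_CLIENT_SECRET` environment variables, and the 60-second refresh margin are assumptions of this example.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

# Staging token endpoint from the table above.
TOKEN_URL = "https://293-app-prod-carbonite-sso-staging.azurewebsites.net/common/oauth2/v1.0/token"

def tenant_from_site_url(site_url):
    """Return the tenant: the first path segment of the Pipeline LBM site URL."""
    segments = [s for s in urllib.parse.urlparse(site_url).path.split("/") if s]
    if not segments:
        raise ValueError("site URL has no tenant path segment")
    return segments[0]

def build_token_request(client_id, client_secret, tenant, token_url=TOKEN_URL):
    """Build (without sending) the client-credentials POST from the curl example."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": f"LBMPublicAPI.Customer.{tenant}",
        "aud": "pipeline_lbm_public_api",
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Authorization": f"Basic {basic}"}
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")

def parse_token_response(raw_json, now=None, skew=60):
    """Return (access_token, refresh_at); refresh_at is `skew` seconds before expiry."""
    doc = json.loads(raw_json)
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    now = time.time() if now is None else now
    return doc["access_token"], now + int(doc["expires_in"]) - skew

def api_headers(access_token, tenant):
    """Headers every Public API request needs: the bearer token and X-Customer."""
    return {"Authorization": f"Bearer {access_token}", "X-Customer": tenant}

if __name__ == "__main__":
    # Credentials are read from the environment rather than hard-coded (names assumed).
    tenant = tenant_from_site_url(os.environ["LBM_SITE_URL"])
    req = build_token_request(os.environ["LBM_CLIENT_ID"], os.environ["LBM_CLIENT_SECRET"], tenant)
    with urllib.request.urlopen(req, timeout=30) as resp:
        token, refresh_at = parse_token_response(resp.read())
    print("token acquired; refresh at", time.ctime(refresh_at))  # the token itself is never printed
```

Reading the client secret from the environment keeps it out of shell history and process listings, and refreshing slightly before `expires_in` elapses avoids sending an expired token.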