3.1 Communication Flow for Connecting to the REST APIs

This page describes the communication flow for accessing the Thredd REST APIs. There are two main areas in which you will need to set up your connection:

  1. Thredd Certificate Authority (CA) dashboard. Log in to Thredd CA and create Transport and Signing Certificates. See Creating Client Application Certificates for REST APIs.
  2. A REST tool. Configure your REST tool interface, for example Postman, to interact with Thredd CA and Cloudentity, so that you can access the API endpoints.

3.1.1 Individual Steps and Details

The following steps make up the communication flow. Some are performed in Postman and others in Thredd Certificate Authority. The Thredd CA interface and Postman are both referred to here as a Data Consumer, that is, a customer of Thredd.

Figure 5: Individual Steps on Client Interactions with Thredd CA and Cloudentity

  1. Postman: Gets Well Known endpoint from Cloudentity, which the client later uses to perform Dynamic Client Registration (DCR). A Well Known authorization server metadata endpoint provides a standardised way for clients to discover the necessary information to interact with an OAuth 2.0 or OpenID Connect server. You will need to set up the Get Well Known endpoint in Postman.
  2. Postman: Gets the Well Known Details endpoint from Thredd Certificate Authority, which the client later uses to perform Dynamic Client Registration (DCR). You will need to set this up in Postman.
  3. Thredd Certificate Authority: Creates an Application on Thredd Certificate Authority.
  4. Thredd Certificate Authority: Downloads the Transport Certificate from the user interface. You first create the Certificate Signing Request (CSR) and the Private Key, which Thredd CA then uses to generate the Transport Certificate. More details on the steps for generating a certificate are described in Creating OAuth 2.0 Client Application REST Transport Certificates.
  5. Postman: Sets up a Transport Certificate on Postman that was created in Thredd Certificate Authority. The Transport Certificate is used to connect to the APIs.
  6. Postman: Gets an access token from Thredd CA (Postman).
  7. Postman and Thredd Certificate Authority: Get the Software Statement Assertion (SSA) from Thredd Certificate Authority. An SSA is a JSON web token for identity validation that is needed for Dynamic Client Registration. You will need to have created the SSA; see Generating and Obtaining an SSA.
  8. Postman: Performs Dynamic Client Registration (DCR) by registering the OAuth Client on Cloudentity.

About DCR

DCR is a protocol that allows OAuth 2.0 and OpenID Connect clients (or client applications) to automatically register with an Authorisation Server, in this case Cloudentity. This is the final step that is required before accessing the REST APIs. DCR is defined in the following RFCs: RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol and RFC 7592: OAuth 2.0 Dynamic Client Registration Management Protocol.
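
The following added example (not Thredd or Cloudentity code) shows a pre-flight check a client can run before step 8: it validates the discovered Well Known metadata, decodes the SSA without verifying its signature, and builds the RFC 7591 registration body. The `example.test` URLs, the SSA claims, the `tls_client_auth` method and the `client_credentials` grant are assumptions made for illustration.

```python
import base64, json, time
from urllib.parse import urlparse

def b64url_json(obj):
    """Encode a dict as a base64url JWT segment (used only to build the sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode (not verify) the payload of a three-part JWT such as the SSA."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("SSA is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def build_dcr_request(meta, ssa, auth_method="tls_client_auth", now=None):
    """Return (registration_endpoint, body) for RFC 7591, or raise ValueError."""
    problems = []
    for key in ("issuer", "token_endpoint", "registration_endpoint"):
        if urlparse(meta.get(key) or "").scheme != "https":
            problems.append(f"{key} missing or not https")
    if auth_method not in meta.get("token_endpoint_auth_methods_supported", []):
        problems.append(f"{auth_method} not advertised by the server")
    exp = jwt_claims(ssa).get("exp")
    now = time.time() if now is None else now
    if exp is not None and exp <= now:
        problems.append("SSA has expired")
    if problems:
        raise ValueError("; ".join(problems))
    body = {
        "software_statement": ssa,                  # RFC 7591 section 2.3
        "token_endpoint_auth_method": auth_method,  # assumed; RFC 8705 mutual TLS
        "grant_types": ["client_credentials"],      # assumed grant type
    }
    return meta["registration_endpoint"], body

# Constructed sample input: not real Thredd or Cloudentity values.
SAMPLE_META = {
    "issuer": "https://as.example.test/tenant",
    "token_endpoint": "https://as.example.test/tenant/oauth2/token",
    "registration_endpoint": "https://as.example.test/tenant/oauth2/register",
    "token_endpoint_auth_methods_supported": ["tls_client_auth", "private_key_jwt"],
}
SAMPLE_SSA = ".".join([b64url_json({"alg": "PS256", "typ": "JWT"}),
                       b64url_json({"iss": "ca.example.test", "exp": 2000000000}),
                       "constructed-signature"])

if __name__ == "__main__":
    endpoint, body = build_dcr_request(SAMPLE_META, SAMPLE_SSA, now=1900000000)
    print("POST", endpoint)
    print(json.dumps(body, indent=2))
```

The authorisation server remains the party that verifies the SSA signature; the client-side decode only catches an expired or malformed SSA before the registration call is made.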

Using Postman

For detailed steps on accessing the REST APIs through Postman, refer to the Cards API Website: Using Postman.