Purpose: This article walks you through best practices when using basic authentication to access the Orion API. This method is intended for simple changes made by an API user or service account. The Orion token acquired can be used to call the Orion API and learn additional details about the user. This method is useful when you want to store a username and password to open a connection each day and run automated jobs; however, ensure that the credentials are stored in a secure manner.
Simple Use Case: A Firm has a scheduled job using an API user to authenticate and call for a list of clients each day.
Scope and outputs: Basic authentication is not recommended for SSO purposes or for regular changes and complex work via the API. When making more complex updates, OAuth is the preferred method.
NOTE: If you need to do an initial OAuth, requiring the user to authorize the use of their data, follow the process outlined in the Guide under Authorization titled OAuth.
Process Overview:
- Obtain Partner ID and Secret from Orion.
- Authenticate using Partner ID, Secret, Username and Password.
- Receive token for subsequent API calls.
Process Steps:
1. Upon request and approval, Orion will provide a Partner ID and Secret, which must be passed in each authentication header.
2. Basic authentication requires three headers in the GET call:
- An Authorization header with the value Basic followed by userid:pwd base64 encoded
- client_id
- client_secret
The URLs to get tokens using Basic authentication in Test and Production are:
Stage: GET https://stagingapi.orionadvisor.com/api/v1/security/token
Prod: GET https://api.orionadvisor.com/api/v1/security/token
Sample Calls:
This call will return an access_token.
{"access_token":"eyJhbGciOiJodHR….","expires_in":36000.0}
HTTP REST Call to get access and refresh tokens with sample headers:
GET /api/v1/security/token
Authorization: Basic YxxxxxxrxxyIQ==
client_id: 9xxxd4
client_secret: adfjsss-xxxxxdjfa-xxxxxx
This call will return an access_token and a refresh_token.
{"access_token":"eyJhbGciOiJodHR….","expires_in":36000.0}
To use the access token returned by the /token endpoint in other API calls, add it in an Authorization header in this format:
Authorization: Session <access_token>
How to use Refresh Token in headers:
curl --location --request POST 'http://api.orionadvisor.local/api/v1/Security/Token' \
--header 'Authorization: Bearer {{refresh_token}}' \
--header 'Accept: application/json' \
--header 'client_id: {{Client_Id}}' \
--header 'client_secret: {{Client_Secret}}'
How to use Refresh Token in body:
curl --location --request POST 'http://api.orionadvisor.local/api/v1/Security/Token' \
--header 'Authorization: Bearer {{refresh_token}}' \
--header 'Accept: application/json' \
--header 'client_id: {{Client_Id}}' \
--header 'client_secret: {{Client_Secret}}'
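The following Python script is an added example, not code from Orion or from this guide. It ties together the steps above: it builds the Basic authorization header plus the client_id and client_secret headers for the GET /security/token call, parses the token reply into an absolute expiry time so a scheduled job can tell when the token is stale, builds the "Authorization: Session <access_token>" header for later calls, and builds the refresh headers shown in the curl sample. Credentials are read from environment variables (ORION_USERNAME, ORION_PASSWORD, ORION_CLIENT_ID, ORION_CLIENT_SECRET are assumed names chosen for this example) rather than hard-coded, in line with the guidance to store them securely. The sample JSON reply and token value in the demo are constructed and the helper names are this example's own.

```python
import base64
import json
import os
import time
import urllib.request

# Token endpoints from the guide (Stage and Production).
TOKEN_URLS = {
    "stage": "https://stagingapi.orionadvisor.com/api/v1/security/token",
    "prod": "https://api.orionadvisor.com/api/v1/security/token",
}


def basic_auth_header(username, password):
    """Return 'Basic <base64(userid:pwd)>' for the Authorization header."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request_headers(username, password, client_id, client_secret):
    """The three headers the GET /security/token call requires, plus Accept."""
    return {
        "Authorization": basic_auth_header(username, password),
        "client_id": client_id,
        "client_secret": client_secret,
        "Accept": "application/json",
    }


def refresh_request_headers(refresh_token, client_id, client_secret):
    """Headers for the POST /Security/Token refresh call from the curl sample."""
    return {
        "Authorization": f"Bearer {refresh_token}",
        "client_id": client_id,
        "client_secret": client_secret,
        "Accept": "application/json",
    }


def parse_token_response(body, now=None):
    """Parse the JSON token reply and record an absolute expiry (epoch seconds).

    expires_in is a float in the sample reply ("36000.0"); refresh_token is
    optional because the Basic-auth reply in the guide shows only access_token."""
    data = json.loads(body)
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_at": now + float(data["expires_in"]),
    }


def session_header(token):
    """Authorization header for API calls made with the acquired access token."""
    return {"Authorization": f"Session {token['access_token']}"}


def token_is_fresh(token, now=None, skew=60):
    """True while the token has more than `skew` seconds of life left."""
    now = time.time() if now is None else now
    return token["expires_at"] - skew > now


def credentials_from_env():
    """Load secrets from the environment (assumed variable names) instead of source code."""
    needed = ["ORION_USERNAME", "ORION_PASSWORD", "ORION_CLIENT_ID", "ORION_CLIENT_SECRET"]
    missing = [n for n in needed if not os.environ.get(n)]
    if missing:
        raise RuntimeError("missing credentials in environment: " + ", ".join(missing))
    return tuple(os.environ[n] for n in needed)


def fetch_token(env="stage"):
    """Network call: obtain a token from Stage or Prod (not exercised offline)."""
    username, password, client_id, client_secret = credentials_from_env()
    headers = token_request_headers(username, password, client_id, client_secret)
    req = urllib.request.Request(TOKEN_URLS[env], headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample reply shaped like the guide's; the token value is not real.
    sample = '{"access_token":"eyJhbGciOiJ.example.payload","expires_in":36000.0}'
    tok = parse_token_response(sample, now=0)
    print(token_request_headers("apiuser", "s3cret", "9xxxd4", "adfjsss-xxxxxdjfa-xxxxxx"))
    print(session_header(tok), "fresh:", token_is_fresh(tok, now=100))
```

A daily job would call fetch_token("prod") once, keep the returned dict, and check token_is_fresh before each batch of API calls; when the token is stale and a refresh_token is present, the refresh headers are sent to the Security/Token endpoint as in the curl sample above.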