OIDC API Authentication
Equinix APIs use the OAuth 2.0 protocol to authenticate requests from your OIDC user to API endpoints. To interact with Equinix APIs, you need a bearer access token.
Prerequisites
- An OIDC provider.
- An OIDC ID token from your registered OIDC provider.
- Product or service-specific permissions to specify the scope of the API access token. You need either:
  - ern:<access-policy-ern> where <access-policy-ern> is a single access policy that has been granted to the principal.
  - roleassignments:<org-id> where <org-id> is the organization ID where the OIDC principal has assigned roles.
  - projectpolicies:<project-id> where <project-id> is a project ID where the OIDC principal has been granted an access policy or access policies.
  - orgpolicies:<org-id> where <org-id> is an organization ID where the principal has been granted an access policy or access policies.
  - orgpolicies:<org-id> roleassignments:<org-id> where <org-id> is an organization ID where the principal has been granted both roles and access policies.
For more information, see Access Control Scopes.
Requesting an Access Token
To request a bearer access token, send a POST request to the /v1/token endpoint.
In the body of the request specify:
- grant_type - Use urn:ietf:params:oauth:grant-type:token-exchange to receive an access token.
- scope (required) - Provide the scope. The permissions granted by the token are checked against whether the principal has been granted the appropriate roles or access policies. For more information, see Access Control Scopes.
- subject_token - The OIDC ID token.
- subject_token_type - Use urn:ietf:params:oauth:token-type:id_token, which identifies your subject_token as an OIDC ID token.
Sample cURL Request:
curl -X POST 'https://sts.eqix.equinix.com/v1/token' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:id_token' \
--data-urlencode 'scope=<role_or_access_policy>' \
--data-urlencode 'subject_token=<oidc_id_token>'
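The same request can be assembled and checked locally before it is sent. The following Python is an added example, not Equinix code: it lints the scope against the forms listed under Prerequisites, rejects an ID token whose exp claim has already passed (decoded without signature verification, which remains the token endpoint's job), and returns the form-encoded body. The function names, the rule that the combined scope uses one organization ID, and the sample token are assumptions made for illustration.

```python
import base64, json, time
from urllib.parse import urlencode

TOKEN_URL = "https://sts.eqix.equinix.com/v1/token"  # endpoint from the page
SCOPE_PREFIXES = {"ern", "roleassignments", "projectpolicies", "orgpolicies"}

def check_scope(scope):
    """Client-side lint: accept only the scope forms listed under Prerequisites."""
    parts = [p.partition(":") for p in scope.split(" ")]
    for prefix, sep, value in parts:
        if prefix not in SCOPE_PREFIXES or not sep or not value:
            raise ValueError(f"unrecognised scope element: {prefix + sep + value!r}")
    if len(parts) > 1:
        # Assumption: only orgpolicies + roleassignments for one org ID may be combined.
        kinds = sorted(p[0] for p in parts)
        if kinds != ["orgpolicies", "roleassignments"] or parts[0][2] != parts[1][2]:
            raise ValueError("unsupported scope combination")
    return scope

def unverified_claims(id_token):
    """Decode the JWT payload WITHOUT verifying the signature (local sanity check only)."""
    try:
        payload = id_token.split(".")[1]
        return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (IndexError, ValueError) as exc:
        raise ValueError("subject_token is not a JWT") from exc

def build_exchange_request(id_token, scope, now=None):
    """Return (url, headers, body) for the token exchange; nothing is sent."""
    exp = unverified_claims(id_token).get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("ID token is expired or has no exp claim")
    body = urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "scope": check_scope(scope),
        "subject_token": id_token,
    })
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body

def sample_id_token(exp):
    """Constructed, unsigned JWT used only to exercise the checks above."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': 'ci-job', 'exp': exp})}.sig"

if __name__ == "__main__":
    token = sample_id_token(int(time.time()) + 300)
    url, _, body = build_exchange_request(token, "roleassignments:ORG-ID-PLACEHOLDER")
    print(url, body.split("&subject_token=")[0])  # token itself is not printed
```

Building the body in-process keeps the ID token out of the command line, where it would be visible in shell history and process listings.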
Using Access Tokens
To interact with Equinix APIs, send your access token in the Authorization header of the HTTP request: Authorization: Bearer <token>.