@@ -7,7 +7,8 @@ The java-sdk-core project supports the following types of authentication:
77- Container Authentication
88- VPC Instance Authentication
99- Cloud Pak for Data Authentication
10- - Multi-Cloud Saas Platform (MCSP) Authentication
10+ - Multi-Cloud Saas Platform (MCSP) V1 Authentication
11+ - Multi-Cloud Saas Platform (MCSP) V2 Authentication
1112- No Authentication (for testing)
1213
1314The SDK user configures the appropriate type of authentication for use with service instances.
@@ -575,11 +576,11 @@ ExampleService service = ExampleService.newInstance("example_service");
575576```
576577
577578
578- ## Multi-Cloud Saas Platform (MCSP) Authentication
579+ ## Multi-Cloud Saas Platform (MCSP) V1 Authentication
579580The ` MCSPAuthenticator ` can be used in scenarios where an application needs to
580581interact with an IBM Cloud service that has been deployed to a non-IBM Cloud environment (e.g. AWS).
581- It accepts a user-supplied apikey and performs the necessary interactions with the
582- Multi-Cloud Saas Platform token service to obtain a suitable MCSP access token (a bearer token)
582+ It accepts a user-supplied apikey and invokes the Multi-Cloud Saas Platform token service's
583+ ` POST /siusermgr/api/1.0/apikeys/ token` operation to obtain a suitable MCSP access token (a bearer token)
583584for the specified apikey.
584585The authenticator will also obtain a new bearer token when the current token expires.
585586The bearer token is then added to each outbound request in the ` Authorization ` header in the
@@ -643,6 +644,107 @@ ExampleService service = ExampleService.newInstance("example_service");
643644```
644645
645646
647+ ## Multi-Cloud Saas Platform (MCSP) V2 Authentication
648+ The ` MCSPV2Authenticator ` can be used in scenarios where an application needs to
649+ interact with an IBM Cloud service that has been deployed to a non-IBM Cloud environment (e.g. AWS).
650+ It accepts a user-supplied apikey and invokes the Multi-Cloud Saas Platform token service's
651+ ` POST /api/2.0/{scopeCollectionType}/{scopeId}/apikeys/token ` operation to obtain a suitable MCSP access token (a bearer token)
652+ for the specified apikey.
653+ The authenticator will also obtain a new bearer token when the current token expires.
654+ The bearer token is then added to each outbound request in the ` Authorization ` header in the
655+ form:
656+ ```
657+ Authorization: Bearer <bearer-token>
658+ ```
659+
660+ ### Properties
661+
662+ - apikey: (required) the apikey to be used to obtain an MCSP access token.
663+
664+ - url: (required) The URL representing the MCSP token service endpoint's base URL string. Do not include the
665+ operation path (e.g. ` /siusermgr/api/1.0/apikeys/token ` ) as part of this property's value.
666+
667+ - scopeCollectionType: (required) The scope collection type of item(s).
668+ The valid values are: ` accounts ` , ` subscriptions ` , ` services ` .
669+
670+ - scopeId: (required) The scope identifier of item(s).
671+
672+ - includeBuiltinActions: (optional) A flag to include builtin actions in the ` actions ` claim in the MCSP token (default: false).
673+
674+ - includeCustomActions: (optional) A flag to include custom actions in the ` actions ` claim in the MCSP token (default: false).
675+
676+ - includeRoles: (optional) A flag to include the ` roles ` claim in the MCSP token (default: true).
677+
678+ - prefixRoles: (optional) A flag to add a prefix with the scope level where
679+ the role is defined in the ` roles ` claim (default: false).
680+
681+ - callerExtClaim: (optional) A map containing keys and values to be injected into the returned access token
682+ as the ` callerExt ` claim. The keys used in this map must be enabled in the apikey by setting the
683+ ` callerExtClaimNames ` property when the apikey is created.
684+ This property is typically only used in scenarios involving an apikey with identityType ` SERVICEID ` .
685+
686+ - disableSSLVerification: (optional) A flag that indicates whether verification of the server's SSL
687+ certificate should be disabled or not. The default value is ` false ` .
688+
689+ - headers: (optional) A set of key/value pairs that will be sent as HTTP headers in requests
690+ made to the MCSP token service.
691+
692+ ### Usage Notes
693+ - When constructing an MCSPV2Authenticator instance, the apikey, url, scopeCollectionType, and scopeId properties are required.
694+
695+ - If you specify the callerExtClaim map, the keys used in the map must have been previously enabled in the apikey
696+ by setting the ` callerExtClaimNames ` property when you created the apikey.
697+ The entries contained in this map will appear in the ` callerExt ` field (claim) of the returned access token.
698+
699+ - The authenticator will invoke the token server's ` POST /api/2.0/{scopeCollectionType}/{scopeId}/apikeys/token ` operation to
700+ exchange the apikey for an MCSP access token (the bearer token).
701+
702+ ### Programming example
703+ ``` java
704+ import com.ibm.cloud.sdk.core.security.MCSPV2Authenticator ;
705+ import <sdk_base_package>.ExampleService.v1.ExampleService ;
706+ ...
707+ Map<String , String > callerExtClaim = Map . of(" productID" " prod-123"
708+
709+ // Create the authenticator.
710+ MCSPV2Authenticator authenticator = new MCSPV2Authenticator .Builder ()
711+ .apikey(" myapikey"
712+ .url(" https://example.mcspv2.token-exchange.com"
713+ .scopeCollectionType(" accounts"
714+ .scopeId(" 20250519-2128-3755-60b3-103e01c509e8"
715+ .includeBuiltinActions(true )
716+ .callerExtClaim(callerExtClaim)
717+ .build();
718+
719+ // Create the service instance.
720+ ExampleService service = new ExampleService (ExampleService . DEFAULT_SERVICE_NAME
721+
722+ // 'service' can now be used to invoke operations.
723+ ```
724+
725+ ### Configuration example
726+ External configuration:
727+ ```
728+ export EXAMPLE_SERVICE_AUTH_TYPE=mcspv2
729+ export EXAMPLE_SERVICE_APIKEY=myapikey
730+ export EXAMPLE_SERVICE_AUTH_URL=https://example.mcspv2.token-exchange.com
731+ export EXAMPLE_SERVICE_SCOPE_COLLECTION_TYPE=accounts
732+ export EXAMPLE_SERVICE_SCOPE_ID=20250519-2128-3755-60b3-103e01c509e8
733+ export EXAMPLE_SERVICE_INCLUDE_BUILTIN_ACTIONS=true
734+ export EXAMPLE_SERVICE_CALLER_EXT_CLAIM={"productID":"prod-123"}
735+ ```
736+ Application code:
737+ ``` java
738+ import <sdk_base_package>.ExampleService.v1.ExampleService ;
739+ ...
740+
741+ // Create the service instance.
742+ ExampleService service = ExampleService . newInstance(" example_service"
743+
744+ // 'service' can now be used to invoke operations.
745+ ```
746+
747+
646748## No Auth Authentication
647749The ` NoAuthAuthenticator ` is a placeholder authenticator which performs no actual authentication function.
648750It can be used in situations where authentication needs to be bypassed, perhaps while developing
0 commit comments