Authentication

There are 2 ways to authenticate with the Xsens Motion Cloud APIs:

  • As a user
    You generate a JWT token for each individual end user. These users can also log in to Xsens Motion Cloud itself.

  • As a service
    You generate a JWT token for a connection to Motion Cloud and handle access control logic and user management yourself. The end user cannot log in to Xsens Motion Cloud itself.

Authenticating as user

To authenticate as a user, you need a client_id supplied by Xsens. The user needs to authenticate with Azure Active Directory B2C using an Authorization Code flow. This flow asks the user for a username and password and handles 2FA (for more information, see https://docs.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow). After a successful authentication, the user will return to your application.

Example configuration values:

Tenant: xsensb2c
Client ID: 96c9fefd-ec65-44e8-b03e-3a5876338dd7
Redirect URI: http://localhost:1337

Tenant

The tenant is a fixed value.

Client ID

The client ID is provided by Xsens. In this example we will be using a fake client ID.

Redirect URI

The redirect URI depends on your specific application. You can always use http://localhost:port. If you need another redirect URI, contact Xsens.

Step 1: Create a URL and show it to the user

Using the information provided above, we get the URL:

GET https://xsensb2c.b2clogin.com/xsensb2c.onmicrosoft.com/B2C_1A_signup_signin/oauth2/v2.0/authorize?
client_id=96c9fefd-ec65-44e8-b03e-3a5876338dd7
&response_type=code
&redirect_uri=http://localhost:1337
&response_mode=query
&code_challenge=ocYCWfMwcSjWZok91g7EAZsKLdqPI7Nn_qoUWIdHHM4
&code_challenge_method=S256
&scope=96c9fefd-ec65-44e8-b03e-3a5876338dd7%20offline_access

Note: code_challenge should be the Base64url-encoded SHA-256 hash of a 43-character alphanumeric random string that you generate (see https://tools.ietf.org/html/rfc7636, sections 4.1 and 4.2). That random string is the code_verifier, which is used again later when you acquire the access token.

The user should follow that URL, after which they will be redirected to the redirect_uri.

Step 2: Receive the authorization code

The login endpoint will redirect the user to http://localhost:1337/?code=eyJraW.... The code query parameter contains the authorization code we can use to request an access token on behalf of the user.

Step 3: Use the authorization code to receive an access token

The authorization code can now be used to get a JWT token for the user. Request it with:

curl --location --request POST 'https://xsensb2c.b2clogin.com/xsensb2c.onmicrosoft.com/B2C_1A_signup_signin/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=96c9fefd-ec65-44e8-b03e-3a5876338dd7' \
--data-urlencode 'scope=96c9fefd-ec65-44e8-b03e-3a5876338dd7 offline_access' \
--data-urlencode 'code=eyJra....' \
--data-urlencode 'redirect_uri=http://localhost:1337' \
--data-urlencode 'code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong'

This will return a JSON response, containing an access and refresh token:

{
"access_token": "eyJ0eXAi...",
"id_token": "eyJ0eXAi...",
"token_type": "Bearer",
"not_before": 1612439477,
"expires_in": 3600,
"expires_on": 1612443077,
"resource": "96c9fefd-ec65-44e8-b03e-3a5876338dd7",
"id_token_expires_in": 3600,
"profile_info": "eyJ2ZX...",
"scope": "/ offline_access openid",
"refresh_token": "eyJraWQi...",
"refresh_token_expires_in": 1209600
}
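
The PKCE values used in steps 1 and 3, as an added example that is not Xsens code: it generates the random code_verifier, derives the code_challenge per RFC 7636, and builds the step 1 URL and the step 3 form body from this page's example values. The function names are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
import string
from urllib.parse import quote, urlencode

# Example values from this page; the client ID is the page's fake one.
CLIENT_ID = "96c9fefd-ec65-44e8-b03e-3a5876338dd7"
REDIRECT_URI = "http://localhost:1337"
BASE = ("https://xsensb2c.b2clogin.com/xsensb2c.onmicrosoft.com"
        "/B2C_1A_signup_signin/oauth2/v2.0")

def new_code_verifier() -> str:
    # 43 alphanumeric characters from a CSPRNG (RFC 7636 section 4.1 minimum length).
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(43))

def code_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(verifier))), '=' padding removed (section 4.2).
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize_url(verifier: str) -> str:
    # Step 1: only the challenge is sent; the verifier stays with the client.
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
        "scope": f"{CLIENT_ID} offline_access",
    }
    return f"{BASE}/authorize?{urlencode(params, quote_via=quote)}"

def token_request_body(code: str, verifier: str) -> str:
    # Step 3: form body for the POST to BASE + "/token", carrying the same verifier.
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "scope": f"{CLIENT_ID} offline_access",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    })

if __name__ == "__main__":
    verifier = new_code_verifier()  # keep this until step 3
    print(authorize_url(verifier))
```

Generate a fresh verifier for every login attempt and keep it only in the client that started the flow; the token endpoint rejects the code if the verifier sent in step 3 does not hash to the challenge sent in step 1.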

Authenticating as a service

Because a service doesn't need to authenticate as a user, there is no username, password, 2FA, etc. Services can use a client ID and secret to generate tokens.

Example configuration values:

Tenant: xsensb2c
Client ID: 96c9fefd-ec65-44e8-b03e-3a5876338dd7
Client secret: HO3Zc.A20f2HTALC.-.DSodfijOaHMz4
Scope: https://xsensb2c.onmicrosoft.com/motion-cloud-api/.default

Tenant/Scope

The tenant and scope are fixed values.

Client ID & Secret

The client ID and secret are provided by Xsens. In this example we will be using a fake client ID and secret.

Step 1: Receive an access token

curl -X POST 'https://login.microsoftonline.com/xsensb2c.onmicrosoft.com/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=96c9fefd-ec65-44e8-b03e-3a5876338dd7' \
--data-urlencode 'client_secret=HO3Zc.A20f2HTALC.-.DSodfijOaHMz4' \
--data-urlencode 'scope=https://xsensb2c.onmicrosoft.com/motion-cloud-api/.default'

This will return a JSON response containing an access token:

{
"token_type": "Bearer",
"expires_in": 3599,
"ext_expires_in": 3599,
"access_token": "eyJ0eX...."
}