Transition from Geosecure to ACM

Introduction

During the transition there are 2 major work blocks: changing the authentication and switching to the renewed GIPOD API.

The renewed GIPOD API ( gipod.api.vlaanderen.be ) will work with both Geosecure and ACM authentication, but the existing GIPOD API ( private-api.gipod.vlaanderen.be ) will only work with Geosecure authentication.

Therefore we recommend switching to the renewed API & changing the authentication in one go.

TL;DR for CCG with JWK

Beta

Production

Validate in Beheerportaal T&I that your existing client was successfully migrated to ACM, and remember the new client id.
Adapt oauth access token request information and update oauth URLs from beta.oauth.vlaanderen.be/... to authenticatie-ti.vlaanderen.be/... using the client id from step 1.
Update GIPOD API endpoint from private-api.gipod.beta-vlaanderen.be to gipod.api.beta-vlaanderen.be
Validate that your existing client works with the new endpoints and authentication mechanism

Validate in Beheerportaal that your existing client was successfully migrated to ACM, and remember the new client id.
Adapt oauth access token request information and update oauth URLs from oauth.vlaanderen.be/... to authenticatie.vlaanderen.be/... using the client id from step 1.
Update GIPOD API endpoint from private-api.gipod.vlaanderen.be to gipod.api.vlaanderen.be
Validate that your existing client works with the new endpoints and authentication mechanism

Set up clients in ACM

The current Geosecure clients are being phased out.

While various integration scenarios are possible in Geosecure, only Client Credential Grant Clients with a JWK are accepted in ACM.

Digital Flanders prepares the transition from Geosecure clients to ACM clients as much as possible. How far this goes depends on the current integration setup:

Client Credential Grant-Client (with JWK) at Geosecure => Digital Flanders creates a Client Credential Grant-Client at ACM, the JWK is adopted.
Client Credential Grant-Client (with secret) at Geosecure => Digital Flanders creates a Client Credential Grant-Client at ACM, you will have to create a JWK yourself.
B2B Authorization Code Grant-Client at Geosecure => you switch to 1 or more Client Credential Grant-Client(s) at ACM (1:n relationship, one per customer for which you act as a service provider), each with a JWK. The clients will not be automatically created by Digital Flanders via the bulk migration.

More information about moving from Geosecure clients to ACM clients: https://vlaamseoverheid.atlassian.net/wiki/display/GAEP/Scenario%2527s%2Bvoor%2Boverschakeling%2Bvan%2Bde%2BAPI-clients

More information about managing Client Credential Grant clients in ACM: https://vlaamseoverheid.atlassian.net/wiki/display/GAEP/Module%2BOAuth%2BClient%2BCredentials%2BGrant%253A%2BAPI-Client%2Bbeheren

Authenticate on the GIPOD API with an ACM token

GIPOD uses ACM for the authentication and authorization of users. Digital Flanders offers a web application in which users can carry out the complete flow of GIPOD. Digital Flanders also provides services for integrating GIPOD into your own software systems.

Authentication on the GIPOD API is done with an ACM token:

To connect to the GIPOD API you need a signed JWT token. To do this, work with a Client credentials grant .

More information about server-server authentication can be found here and about creating a signed JWT token here .

Adjustments of the GIPOD API endpoint

The renewed GIPOD API endpoint ( https://gipod.api.vlaanderen.be ) will work with both Geosecure and ACM authentication, but the existing GIPOD API endpoint ( https://private-api.gipod.vlaanderen.be ) will only work with Geosecure authentication.

Both API endpoints are functionally identical, apart from the authentication, as both are a gateway to the same GIPOD services.

Guides

Questions about converting Geosecure clients to ACM clients: uitfaseringgeosecure@vlaanderen.be
Questions about managing ACM clients: integraties@vlaanderen.be 
Questions about the GIPOD API: digitaal.vlaanderen@vlaanderen.be