Enterprise API Security

Please review this page for details regarding the authentication and authorization implemented in the Enterprise API. When you're ready to start making calls from your client application, submit a request to have the required permissions granted.

If you are not ready to make calls yet, please check the API reference section, where you are able to test API calls directly from within the developer portal.

Authentication

All requests made to Kiewit's Enterprise API require authentication. The Enterprise APIs support only OAuth 2.0 authentication. This allows the API to ensure that:


- You are making a call from a Kiewit AD tenant

- You are making a call using a token intended for the Enterprise API

- Your application can only do what it is authorized to do

The Enterprise API supports three types of OAuth2.0 grant flows:


- Client Credentials: application-to-application communication without user context; cannot be used for sensitive data requests

- Authorization code: application communicating on behalf of a user, which includes user context

- Implicit: recommended for native apps where the access token is returned immediately without an extra authorization code exchange step

See above for example Postman requests for each grant type.

Kiewit tenant key values:

Metadata discovery URL: https://login.microsoftonline.com/07420c3d-c141-4c67-b6f3-f448e5adb67b/v2.0/.well-known/openid-configuration

Authorization URL: https://login.microsoftonline.com/07420c3d-c141-4c67-b6f3-f448e5adb67b/oauth2/v2.0/authorize

Token URL: https://login.microsoftonline.com/07420c3d-c141-4c67-b6f3-f448e5adb67b/oauth2/v2.0/token

Valid scopes per environment for client credentials:

  • Dev: 1fb73334-8760-4933-87ef-c059c0d4af38/.default

  • QA: 43aad91c-a5e6-409f-beb7-4ecba11962d7/.default

  • Prod: 0481883a-e41b-4c67-a9cd-4434f1bbea9c/.default

  • Sensitive data only (all environments): 57455b2c-f128-435a-966c-5acb9f741cf0/.default

    • The above app contains roles that are functional for all environments, similar to MS Graph API permissions.

    • Roles for customer APIs are also provisioned via this App ID.

Valid scopes per environment for auth code/implicit:

  • Dev: https://api-dev-scus-coreapi.ase-dev-scus-external.p.azurewebsites.net/user_impersonation

  • QA: https://api-qa-scus-coreapi.ase-qa-scus-external.p.azurewebsites.net/user_impersonation

  • Prod: https://api-prd-scus-coreapi.ase-prod01-scus-external.p.azurewebsites.net/user_impersonation

Authorization

The Enterprise API implements scope-based security to protect sensitive and/or PII data. By default, an app will be able to read non-sensitive and non-PII data. The scopes/roles that are explicitly made available are:

  • User Impersonation (scope)

  • Read.NonSensitive (role) - via app IDs above

  • read.Sensitive.Role (role) - via 57455b2c-f128-435a-966c-5acb9f741cf0/.default
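As an added example (not Kiewit's code), the following Python sketches the resource-side checks the Authentication and Authorization sections describe: the token must come from the Kiewit tenant, must be intended for the Enterprise API, and must carry read.Sensitive.Role before sensitive data is returned. It assumes the JWT signature has already been verified by a JWT library, and that the API accepts the sensitive-data app registration as an audience in every environment, as the note above about its roles suggests; the sample payloads are constructed.

```python
import time
from typing import Dict, Optional, Tuple

# Tenant and app registration identifiers as listed on this page.
TENANT_ID = "07420c3d-c141-4c67-b6f3-f448e5adb67b"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
ENV_APP_IDS = {
    "dev": "1fb73334-8760-4933-87ef-c059c0d4af38",
    "qa": "43aad91c-a5e6-409f-beb7-4ecba11962d7",
    "prod": "0481883a-e41b-4c67-a9cd-4434f1bbea9c",
}
SENSITIVE_APP_ID = "57455b2c-f128-435a-966c-5acb9f741cf0"
SENSITIVE_ROLE = "read.Sensitive.Role"


def authorize(claims: Dict, env: str, sensitive: bool,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a signature-verified token may serve a request.

    `claims` is the decoded JWT payload (signature checked upstream, assumed).
    Checks: issuer is the Kiewit tenant, audience is this environment's API app
    or the sensitive-data app (whose roles apply to all environments), the
    token is unexpired, and sensitive data requires read.Sensitive.Role.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "token not issued by the Kiewit tenant"
    if claims.get("aud") not in (ENV_APP_IDS[env], SENSITIVE_APP_ID):
        return False, "token not intended for this Enterprise API environment"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if sensitive and SENSITIVE_ROLE not in claims.get("roles", []):
        return False, "read.Sensitive.Role not granted"
    return True, "ok"


# Constructed sample payloads (not real tokens) for exercising the checks.
FAR_FUTURE = 2_000_000_000
APP_TOKEN = {"iss": ISSUER, "aud": ENV_APP_IDS["dev"], "exp": FAR_FUTURE,
             "roles": ["Read.NonSensitive"]}
SENSITIVE_TOKEN = {"iss": ISSUER, "aud": SENSITIVE_APP_ID, "exp": FAR_FUTURE,
                   "roles": [SENSITIVE_ROLE]}
FOREIGN_TOKEN = {"iss": "https://login.microsoftonline.com/"
                        "00000000-0000-0000-0000-000000000000/v2.0",  # placeholder tenant
                 "aud": ENV_APP_IDS["dev"], "exp": FAR_FUTURE}

if __name__ == "__main__":
    print(authorize(APP_TOKEN, "dev", sensitive=True, now=1_700_000_000))
    print(authorize(FOREIGN_TOKEN, "dev", sensitive=False, now=1_700_000_000))
```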


Authorizing your app for sensitive data requests

  1. In the Azure portal, navigate to 'API permissions' for your application.

  2. Assign permission read.Sensitive.Role from app 57455b2c-f128-435a-966c-5acb9f741cf0 as an Application permission.

  3. Create a Platform Operations ticket to have Admin Consent granted for the permission.