CycleService Request Behavior
CycleService reads the following headers:
Request Headers
| Header | Description |
|---|---|
| ClientNumber | OIPA client number used for authentication. |
| PersonalId | User personal identifier used for authentication. |
Authentication Flow
-
CycleService reads the ClientNumber and PersonalId request headers.
-
When Native SSO is enabled and a valid OIPA user exists, CycleService uses ClientNumber and PersonalId to perform the OIDC password grant.
-
The implementation validates the returned access token by using jwks_uri.
-
The implementation checks token expiration by using the exp claim.
-
The implementation then checks OIPA authorization for SubmitTask / CycleService.
-
When Native SSO is disabled, CycleService falls back to local password verification.
Important CycleService IdP Requirement
Like PASService, CycleService uses the OIDC password grant. The IdP client must allow the password grant type.
