Authenticating to the CREST API Using OIDC

This guide provides a step-by-step process for partners integrating with Higher Logic to authenticate via the Identity Server using OpenID Connect (OIDC) and make authorized requests to the CREST API.

Overview

Higher Logic's token authorization service supports OIDC for secure, standards-based authentication and authorization. Partners should use the authorization_code grant type with PKCE to obtain access tokens that allow authenticated requests to the CREST API.

1. Prerequisites

Before you begin, ensure:

You have a registered OIDC client in the Higher Logic Identity Server.
You know the tenant's primary domain (e.g., yourcommunity.connectedcommunity.org).
You have a valid client_id, allowed redirect_uri, and understand the required scopes.

2. OIDC Authorization Flow (PKCE)

Step 1: Build the Authorization Request

Make a GET request in a browser to:

https://[tenantHost]/higherlogic/external/oauth/connect/authorize

With the following query parameters:

response_type=code
client_id={your_client_id}
redirect_uri={your_redirect_uri}
scope=openid profile email webapi offline_access
state={your_random_state}
code_challenge={your_PKCE_code_challenge}
code_challenge_method=S256

This will redirect the user to the tenant's login page and then back to your redirect_uri with a code parameter.

Step 2: Token Request (Backend)

POST to:

https://[tenantHost]/higherlogic/external/oauth/connect/token

With Content-Type: application/x-www-form-urlencoded and the following form fields:

grant_type=authorization_code
client_id={your_client_id}
code_verifier={original_PKCE_code_verifier}
code={authorization_code}
redirect_uri={your_redirect_uri}

This will return:

access_token
id_token
refresh_token

3. Making Authorized API Requests

Use the access_token as a Bearer token in the Authorization header to authenticate to CREST.

Make sure to include /higherlogic/external/ as the first segments in the request URL path when addressing API endpoints

✅ Supported Endpoint (Token-Based Auth)

GET https://[tenantHost]/higherlogic/external/api/v2.0/Contacts/GetWhoAmI

Authorization: Bearer {access_token}

This will return the authenticated user's contact information.

⚠️ Not Supported with OIDC Tokens

GET https://[tenantHost]/api/v2.0/Contacts/GetWhoAmI

This endpoint expects a session or HLAuthToken and will return HTML or an error with a bearer token.

4. Refreshing Access Tokens

When the access token expires, use the refresh_token to get a new one:

POST to:

https://[tenantHost]/higherlogic/external/oauth/connect/token

With:

grant_type=refresh_token
client_id={your_client_id}
refresh_token={your_refresh_token}

5. Validating Tokens

Tokens are JWTs and should be validated using the tenant's .well-known/openid-configuration endpoint:

https://[tenantHost]/higherlogic/external/oauth/.well-known/openid-configuration

Use the jwks_uri to fetch signing keys.

6. Additional Notes

Always make CREST API calls from the tenant's primary domain.
Do not use HLAuthToken or HLIAMKey or HLPassword headers with OIDC.
Ensure your scopes include webapi to access CREST.

For help configuring or registering your OIDC client, contact Higher Logic Support.