Using Claris ID for external authentication

If you want to use the FileMaker Data API, FileMaker Admin API, or OData API with FileMaker Cloud, you must authenticate using your Claris ID account (not an external IdP account). FileMaker Cloud uses Amazon Cognito for external authentication.

Amazon Cognito manages users through user pools, which provide services such as sign-in, authentication with identity providers, user directory and profile management, and security monitoring. (See Amazon Cognito User Pools.)

To authenticate using Claris ID:

  1. Retrieve values for the UserPoolId and ClientId parameters.

    Amazon Cognito requires a UserPoolId and a ClientId to authenticate users. FileMaker Cloud provides the following endpoint:

    https://www.ifmcloud.com/endpoint/userpool/2.2.0.my.claris.com.json

    The endpoint returns the following results:

    {
        "errcode":"Ok",
        "errmessage":null,
        "data":{
            "Region": "us-west-2",
            "UserPool_ID":"us-west-2_NqkuZcXQY",
            "Client_ID":"4l9rvl4mv5es1eep1qe97cautn",
            "API_Host": "api-cp-global.ifmcloud.com/2-2",
            "FCC_Host": "console.claris.com"
        },
        "csrid":null
    }

    Note: The returned Region and API_Host values are not used for authentication.

  2. Use the Amazon Cognito Identity SDK for JavaScript to authenticate a user through Amazon Cognito. (See Amazon Cognito Identity SDK for JavaScript.) Use the example below in your JavaScript code to retrieve values for the Claris ID token (Claris_ID_token) and the Claris ID refresh token (Claris_ID_refresh_token).

    The Claris ID token is used for authentication when you use the FileMaker Data API, FileMaker Admin API, or OData API, and is valid for one hour. The Claris ID refresh token allows scripts to continue running after the Claris ID token expires, and is valid for one year.

Notes 

  • To use FileMaker API calls with FileMaker Cloud, you must first authenticate using your Claris ID account and retrieve required session tokens. The tokens are valid for one hour. If it has been more than an hour since the last Claris ID authentication, API calls may fail with a 401 error. To resolve the issue, authenticate again using the Claris ID account and retrieve new session tokens.

Example

In this example:

Example code:

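// Assumes the Amazon Cognito Identity SDK for JavaScript is loaded in the page
// and exposed as the global AmazonCognitoIdentity.

// Claris ID account credentials (placeholders).
var authenticationData = {
    Username : 'username',
    Password : 'password',
};
var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails(authenticationData);

// UserPoolId and ClientId as returned by the endpoint in step 1.
var poolData = {
    UserPoolId : 'us-west-2_NqkuZcXQY',
    ClientId : '4l9rvl4mv5es1eep1qe97cautn'
};
var userPool = new AmazonCognitoIdentity.CognitoUserPool(poolData);
var userData = {
    Username : 'username',
    Pool : userPool
};
var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {
        var Cognito_access_token = result.getAccessToken().getJwtToken();
        // Claris ID token: sent with Data API, Admin API and OData API calls; valid for one hour.
        var Claris_ID_token = result.getIdToken().getJwtToken();
        // Claris ID refresh token: used to keep running after the ID token expires; valid for one year.
        var Claris_ID_refresh_token = result.getRefreshToken().getToken();
    },
    onFailure: function (err) {
        alert(err.message || JSON.stringify(err));
    },
    mfaRequired: function (codeDeliveryDetails) {
        // `this` is the callback object, so the same handlers receive the MFA result.
        var verificationCode = prompt('Please input verification code', '');
        cognitoUser.sendMFACode(verificationCode, this);
    }
});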
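
Because the Claris ID token is valid for only one hour, a long-running script can check it before each API call instead of waiting for a 401. The following is an added example, not Claris or AWS code: it reads the `exp` claim of the Claris ID token (a JWT) under Node.js; the function names, the 60-second margin and the sample token are assumptions constructed for illustration.

```javascript
// Added example: decide when a Claris ID token must be renewed before an API call.
// Function names and the 60-second default margin are assumptions, not Claris or AWS APIs.

// Read the payload (second segment) of a JWT WITHOUT verifying its signature.
// Good enough for checking the client's own token expiry, never for trust decisions.
function decodeJwtPayload(jwt) {
    var parts = String(jwt).split('.');
    if (parts.length !== 3) {
        throw new Error('not a JWT: expected three dot-separated segments');
    }
    var b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Seconds of validity left at nowSeconds (Unix time); negative once expired.
function secondsUntilExpiry(jwt, nowSeconds) {
    var claims = decodeJwtPayload(jwt);
    if (typeof claims.exp !== 'number') {
        throw new Error('token has no numeric exp claim');
    }
    return claims.exp - nowSeconds;
}

// True when the token is expired, unreadable, or expires within marginSeconds,
// so the caller renews it first instead of running into a 401.
function needsRenewal(jwt, nowSeconds, marginSeconds) {
    var margin = (marginSeconds === undefined) ? 60 : marginSeconds;
    try {
        return secondsUntilExpiry(jwt, nowSeconds) <= margin;
    } catch (e) {
        return true;
    }
}

// Constructed sample: unsigned token with a fake signature and the one-hour lifetime.
function makeSampleToken(issuedAt) {
    var enc = function (obj) {
        return Buffer.from(JSON.stringify(obj)).toString('base64')
            .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
    };
    return enc({ alg: 'RS256', typ: 'JWT' }) + '.' +
        enc({ sub: 'constructed-user', iat: issuedAt, exp: issuedAt + 3600 }) +
        '.constructed-signature';
}

var SAMPLE_ISSUED_AT = 1700000000;
var SAMPLE_TOKEN = makeSampleToken(SAMPLE_ISSUED_AT);
console.log(needsRenewal(SAMPLE_TOKEN, SAMPLE_ISSUED_AT + 600));   // false
console.log(needsRenewal(SAMPLE_TOKEN, SAMPLE_ISSUED_AT + 3590));  // true
```

When `needsRenewal` returns true, authenticate again with the Claris ID account or use the Claris ID refresh token to obtain a new Claris ID token before calling the API.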