GoldenGate has supported Entra ID as an Identity Provider since V23.9. The details of how to configure Entra ID for GoldenGate can be found in the blog Create Authorization Profile with Azure Entra ID. This blog shows how to obtain an access token from Entra ID and use it with Adminclient and REST API calls.
We will need the following information to request the access token from Entra ID.
- client_id: Client ID of your Application registered with Entra ID
- scope: Scope in the format of <client_id>/.default
- client_secret: Client Secret for this Client ID
- grant_type: client_credentials
The Entra ID REST API endpoint for this request is /{tenant-id}/oauth2/v2.0/token
The host for this is login.microsoftonline.com:443
The request method is POST
So here is an example of the request (the IDs and secret are masked with x's):
% curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=d6767f3c-xxxxxxx155db&scope=d6767f3c-xxxxxxxxc155db/.default&client_secret=_5b8Q~xxxxxxxxxzELbr6&grant_type=client_credentials' 'https://login.microsoftonline.com/5b743bc7xxxxxxxxxxxx0286/oauth2/v2.0/token'
The result will show
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGxxxxxxxxxxfXMt79q_w"}
The long string in the access_token field is the bearer token we need; note the expires_in value, as the token must be requested again once that many seconds have elapsed.
More details on the Entra ID access token can be found in the Microsoft Azure reference.
Once you have this token, you can use it in adminclient:
adminclient>add credentials my-token token "eyJ0eXAiOiJKV1QiLCJhbGxxxxxxxxxxfXMt79q_w"
The command above creates a token credential in your local adminclient environment.
adminclient>connect http://localhost:9012 as my-token
The command above uses that token credential to log in to your GoldenGate deployment.
Similarly, you can call the GoldenGate REST API endpoints by passing this bearer token in the Authorization header:
%curl http://localhost:9012/services/v2/config/summary --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGxxxxxxxxxxfXMt79q_w"
Or you can export the token to an environment variable:
%export my_token='eyJ0eXAiOiJKV1QiLCJhbGxxxxxxxxxxfXMt79q_w'
%curl http://localhost:9012/services/v2/config/summary --header "Authorization: Bearer $my_token"
For more details about the GoldenGate REST API endpoints, please check the GoldenGate reference guide.
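The same two-step flow (client-credentials token request, then a GoldenGate REST call carrying the bearer token) as an added Python example; this is not code from the original post or from Oracle. It assumes the tenant ID, client ID, client secret and deployment URL are supplied through the environment variables named in the code, and it form-encodes the secret rather than splicing it raw into the request body.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_HOST = "https://login.microsoftonline.com"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, body) for the Entra ID v2.0 client-credentials POST.
    urlencode() percent-encodes the secret, so '&' or '+' inside a generated
    secret cannot corrupt the form body the way a raw curl -d string would."""
    url = f"{TOKEN_HOST}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "client_id": client_id,
        "scope": f"{client_id}/.default",  # scope is <client_id>/.default
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }
    return url, urllib.parse.urlencode(form).encode()


def extract_bearer(response_text):
    """Return (access_token, expires_in) from the token endpoint's JSON reply.
    Raises ValueError on an error document or a non-Bearer reply, and returns the
    lifetime so the caller can re-request before expires_in seconds pass."""
    doc = json.loads(response_text)
    if "error" in doc:
        raise ValueError(f"token request failed: {doc.get('error_description', doc['error'])}")
    if doc.get("token_type") != "Bearer" or not doc.get("access_token"):
        raise ValueError("reply did not contain a Bearer access_token")
    return doc["access_token"], int(doc["expires_in"])


def build_gg_request(deployment_url, path, token):
    """Build the GoldenGate REST request with the token in the Authorization header."""
    req = urllib.request.Request(deployment_url.rstrip("/") + path)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def fetch_config_summary(tenant_id, client_id, client_secret, deployment_url):
    """Full flow: get a token from Entra ID, then call /services/v2/config/summary."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    token_req = urllib.request.Request(url, data=body, method="POST")
    token_req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(token_req) as resp:
        token, lifetime = extract_bearer(resp.read().decode())
    gg_req = build_gg_request(deployment_url, "/services/v2/config/summary", token)
    with urllib.request.urlopen(gg_req) as resp:
        return json.loads(resp.read().decode()), lifetime


if __name__ == "__main__":
    # Secrets come from the environment (assumed variable names) rather than the command line.
    summary, ttl = fetch_config_summary(
        os.environ["ENTRA_TENANT_ID"], os.environ["ENTRA_CLIENT_ID"],
        os.environ["ENTRA_CLIENT_SECRET"],
        os.environ.get("GG_DEPLOYMENT_URL", "http://localhost:9012"))
    print(json.dumps(summary, indent=2), f"(token valid for {ttl}s)")
```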
Alternatively, if you don't want to use the original client_id and client secret to generate the token, you can create a new Application in Entra ID, say new_app. If you grant this new_app access to your GG Application's "urn:ogg:serviceToService" role, you can also use the client_id and client secret from new_app to request the bearer token. That token can then be used to access your GG Deployment's resources.
