Are IBM Watson IAM tokens good for all services or specific to each service, e.g., Speech-to-Text?

Question

IBM's documentation says that the following Node back end code enables you to Use the API key to have the SDK manage the lifecycle of the token. The SDK requests an access token, ensures that the access token is valid, and refreshes it if necessary.

const SpeechToTextV1 = require('ibm-watson/speech-to-text/v1');
const { IamAuthenticator } = require('ibm-watson/auth');

const speechToText = new SpeechToTextV1({
  authenticator: new IamAuthenticator({
    apikey: '{apikey}',
  }),
  url: '{url}',
});

How do I get the token from speechToText to pass to my front end Angular app running in the browser? I tried calling the method getToken to get the token:

const SpeechToTextV1 = require('ibm-watson/speech-to-text/v1');
const { IamAuthenticator } = require('ibm-watson/auth');

const speechToText = new SpeechToTextV1({
    authenticator: new IamAuthenticator({
      apikey: 'my-api-key',
    }),
    url: 'my-url',
  });

speechToText.getToken(function (err, token) {
    if (!token) {
      console.log('error: ', err);
    } else {
      console.log(token);
      // do more stuff with the token
    }
});

That didn't work. The error message is speechToText.getToken is not a function. Should I try speechToText.authenticator.getToken?

I tried getting the token from ibm-watson/sdk instead of from ibm-watson/speech-to-text/v1?

const watson = require('ibm-watson/sdk');
const { IamAuthenticator } = require('ibm-watson/auth');

const authorization = new watson.AuthorizationV1({
  authenticator: new IamAuthenticator({ apikey: 'my-api-key' }),
  url: 'my-url'
});

authorization.getToken(function (err, token) {
    if (!token) {
      console.log('error: ', err);
    } else {
      console.log(token);
      // do stuff with token
    }
});

That gets a smokin' new token. But the token doesn't work. When I run WatsonSpeech.SpeechToText.recognizeMicrophone I get an error message HTTP Authentication failed; no valid credentials available.

It appears that each IBM Watson service needs its own token, created with a service-specific URL. I put the Speech-to-Text URL into ibm-watson/sdk so I should get the right token. I don't see why the token isn't working.

Answer 1

Take a look at the supplying credentials section of the README in the Node SDK about managing the token yourself if that's what you want to do:

Use the BearerTokenAuthenticator if you want to manage the lifecycle yourself. For details, see Authenticating to Watson services. If you want to switch your authenticator, you must override the authenticator property directly.

There's a link from that "Authenticating" topic that might help you understand the access process. See Invoking IBM Cloud service APIs

Answer 2

IBM Cloud uses what it calls Identity and Access Management (IAM) to manage access to resources. IAM has several concepts which allow for fine-grained security control. You can grant scoped access privileges to users or roles. Thus, one user may be manager for a resource, another user only reader.

Now, to access a service like the IAM-controlled Watson services, your username / password or API key is turned into a Bearer and a Refresh token, the Bearer token is only valid for a certain time and then needs a fresh Refresh token. This could be a reason why you see different tokens.

You may have seen the underlying core Node.js SDK which has background information on Authentication and some functions.

Long story short: When you have successfully created the IamAuthenticator, you should be able to request the token and use it. Even better, you can pass the IamAuthenticator to many services, including the Watson services, to initialize a session. The code "knows" how to obtain the authentication information and use it to authenticate for the other service.