If your application exposes at least one service (REST-ful or SOAP) that needs to be protected by the OAuth2.0 protocol, you need to deploy a special web application that will manage customers and issue access and refresh tokens. To deploy such an application, you will need to do the following:
Note that the deployment of the dynamic feature should only be done once.
This section describes how a third party (client) should call an Aware IM service protected by OAuth.
http(s)://ServerName:ServerPort/CXF/forms/registerClient.jsp
This should display a form where a client has to enter some mandatory and some optional values. The only value that requires explanation is “redirect URI”. This defines the URL that the OAuth server should call after creating an authorization token and returning to the client’s application, for example
http://ClientServerName/SomePath
http(s)://ServerName:ServerPort/CXF/services/oauth/authorize?client_id=...&response_type=code&redirect_uri=...&scope=...
(redirect_uri is optional – if not specified, values registered for the client will be used) (if a scope is a general scope, provide scope as BusinessSpaceName_general)
http(s)://ServerName:ServerPort/CXF/services/oauth/token?grant_type=authorization_code&code=...&client_id=...&client_secret=...&redirect_uri=...
Accept: application/json"
Content-Type: application/x-www-form-urlencoded
{"tokenKey":"...","tokenType:"Bearer","refreshToken":...,"expiresIn":3600,"issuedAt":-1,"issuer":null,"encedToken":null,"parameters":{}, "approvedScope":"general"}
http://ServerName:ServerPort/CXF/services/serviceCall/api?serviceParameters
Authorization=[Bearer accessToken]
AW_DOMAIN=Name of business space
AW_SERVICE=Name of Aware IM service
Refresh tokens are returned along with access token in a JSON string as part of the access token request:
{"tokenKey":"...","tokenType:"Bearer","refreshToken":...,"expiresIn":3600,"issuedAt":-1,"issuer":null,"encedToken":null,"parameters":
A refresh token can then be exchanged for a new access token once the original access token expires with the following call (refresh token is specified in the “refresh_token” parameter
http://ServerName:ServerPort/CXF/services/oauth/token?grant_type=refresh_token&refresh_token=...&client_id=...&client_secret=...&redirect_uri=...
The same reply as for the access token request should be received with the new access token and new refresh token.
BSPrefix_scope1_scope2_scope3 (provided that scope3 is not “general”)
The instructions above are for the “authorization” workflow. To use “client credentials workflow“ do the following:
instead of this:
http://ServerName:ServerPort/CXF/services/oauth/token?grant_type=authorization_code&code=...&client_id=...&client_secret=...&redirect_uri=...
the client ashould call this:
http://ServerName:ServerPort/CXF/services/oauth/token?grant_type=client_credentials&client_id=...&client_secret=...
Your service documentation needs to convey to the callers of the service that before calling the service, they need to do the following:
Authorization: Bearer <access token>
).
AW-DOMAIN:CRM
AW-SERVICE: AddCustomer
) and AW-SERVICE-SOAP for a SOAP service - for example
AW-SERVICE-SOAP: AddCustomer
.