Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| docs:2500_config_apps:setting_up_oauth_protection [2026/07/07 07:25] – created aware_admin | docs:2500_config_apps:setting_up_oauth_protection [2026/07/07 08:55] (current) – aware_admin | ||
|---|---|---|---|
| Line 3: | Line 3: | ||
| ====== Setting Up Oauth Protection ====== | ====== Setting Up Oauth Protection ====== | ||
| - | If your application exposes at least one service (REST-ful or SOAP) that needs to be protected by the OAuth2.0 protocol, you need to do the following | + | If your application exposes at least one [[2000_add_edit_services|service]] (REST-ful or SOAP) that needs to be protected by the OAuth2.0 protocol, you need to deploy a special web application that will manage customers and issue access and refresh tokens. To deploy such an application, |
| + | |||
| + | - Go to the Edit menu of the Configuration Tool | ||
| + | - Select the entry with the name " | ||
| + | Note that the deployment of the dynamic feature should only be done once. | ||
| + | |||
| + | ===== Callers' | ||
| + | |||
| + | This section describes how a third party (client) should call an Aware IM service protected by OAuth. | ||
| + | - Before the client can call protected services, he must register himself with the OAUth server (this is done only once). To register, the client has to call this URL: | ||
| + | < | ||
| + | This should display a form where a client has to enter some mandatory and some optional values. The only value that requires explanation is “redirect URI”. This defines the URL that the OAuth server should call after creating an authorization token and returning to the client’s application, | ||
| + | - When the form is submitted a reply is returned with the unique client id and secret. Client should store these values and use them when calling services | ||
| + | - When calling a service to start a new authentication process the client has to go to this URL: | ||
| + | < | ||
| + | (redirect_uri is optional – if not specified, values registered for the client will be used) | ||
| + | (if a scope is a general scope, provide scope as BusinessSpaceName_general) | ||
| + | - The above URL call should return an “authorization code by calling the “redirect_uri” and supplying it with the " | ||
| + | < | ||
| + | - HTTP headers of the request should be: | ||
| + | - < | ||
| + | - < | ||
| + | |||
| + | - Access token is returned as JSON string that looks like this: | ||
| + | < | ||
| + | - The client should extract tokenKey and refreshToken (if he wants to refresh tokens). The client can then call Aware IM service with the provided token like so: | ||
| + | < | ||
| + | - The following HTTP headers must be provided with the call: | ||
| + | - < | ||
| + | - < | ||
| + | - < | ||
| + | |||
| + | ==== Refresh Tokens ==== | ||
| + | Refresh tokens are returned along with access token in a JSON string as part of the access token request: | ||
| + | < | ||
| + | A refresh token can then be exchanged for a new access token once the original access token expires with the following call (refresh token is specified in the " | ||
| + | < | ||
| + | |||
| + | The same reply as for the access token request should be received with the new access token and new refresh token. | ||
| + | |||
| + | ==== Scopes ==== | ||
| + | - Clients must specify scope(s) in the authorization request. Requested scopes are separated by a space symbol (& | ||
| + | - All requested scopes must be registered for the client. If no scopes are requested in the call, registered scopes are used. | ||
| + | - The category of the called service must match one the approved scopes (approved by the end user) | ||
| + | - Example of a valid service category: | ||
| + | BSPrefix_scope1_scope2_scope3 | ||
| + | (provided that scope3 is not " | ||
| + | |||
| + | ==== Client Credentials Flow ==== | ||
| + | |||
| + | The instructions above are for the “authorization” workflow. To use “client credentials workflow" | ||
| + | - In this flow the client just needs to call the AccessTokenService with a particular grant type. The client does not need to call the authorization service as the first step. | ||
| + | - The first step should be calling AccessTokenService but instead of the authorization_code grant type you specify client_credentials grant type: | ||
| + | instead of this: | ||
| + | < | ||
| + | the client ashould call this: | ||
| + | < | ||
| + | |||
| + | ==== Summary ==== | ||
| + | |||
| + | Your service documentation needs to convey to the callers of the service that before calling the service, they need to do the following: | ||
| + | - Obtain an access token | ||
| + | - include the access token in the Authorization Bearer HTTP header, for example (< | ||
| + | - The name of the business space must be in the HTTP header called AW-DOMAIN, for example < | ||
| + | - The name of the service to call must be in the header called AW-SERVICE for a REST-ful service (for example, < | ||
| {{simplenavi> | {{simplenavi> | ||