Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
| docs:2500_config_apps:setting_up_oauth_protection [2026/07/07 08:00] – aware_admin | docs:2500_config_apps:setting_up_oauth_protection [2026/07/07 08:55] (current) – aware_admin | ||
|---|---|---|---|
| Line 31: | Line 31: | ||
| < | < | ||
| - The following HTTP headers must be provided with the call: | - The following HTTP headers must be provided with the call: | ||
| - | - Authorization=[Bearer accessToken] | + | - < |
| - | - AW_DOMAIN=Name of business space | + | - < |
| - | - AW_SERVICE=Name of Aware IM service | + | - < |
| - | REFRESH TOKENS: | + | ==== Refresh Tokens ==== |
| Refresh tokens are returned along with access token in a JSON string as part of the access token request: | Refresh tokens are returned along with access token in a JSON string as part of the access token request: | ||
| - | {" | + | < |
| - | A refresh token can then be exchanged for a new access token once the original access token expires with the following call (refresh token is specified in the refresh_token parameter): | + | A refresh token can then be exchanged for a new access token once the original access token expires with the following call (refresh token is specified in the "refresh_token" |
| - | http:// | + | < |
| - | Same reply as for the access token request should be received with the new access token and new refresh token. | + | |
| - | SCOPES: | + | The same reply as for the access token request should be received with the new access token and new refresh token. |
| - | 1. Client | + | |
| - | 2. All requested scopes must be registered for the client. If no scopes are requested in the call, registered scopes are used. | + | ==== Scopes ==== |
| - | 3. The category of the called service must match one the approved scopes (approved by the end user) | + | - Clients |
| - | 4. Example of a valid service category: | + | |
| + | | ||
| + | | ||
| BSPrefix_scope1_scope2_scope3 | BSPrefix_scope1_scope2_scope3 | ||
| (provided that scope3 is not " | (provided that scope3 is not " | ||
| - | CLIENT CREDENTIALS FLOW: | + | ==== Client Credentials Flow ==== |
| - | The above describes | + | |
| - | In this flow you just need to call the AccessTokenService with a particular grant type. So you don' | + | The instructions |
| - | The first step should be calling AccessTokenService but instead of the authorization_code grant type you specify client_credentials grant type: | + | |
| + | | ||
| instead of this: | instead of this: | ||
| - | http:// | + | < |
| - | You specify | + | the client ashould call this: |
| - | http:// | + | < |
| - | + | ||
| - | For this to work a special ClientCredentialsGrantHandler needs to be registered. Again in theory this can be done by modifying the file AwareIM/ | + | |
| - | <bean id=" | + | |
| - | < | + | |
| - | </ | + | |
| - | + | ||
| - | And then modify the following lines to add reference to the bean above (line in bold below): | + | |
| - | < | + | |
| - | < | + | |
| - | < | + | |
| - | < | + | |
| - | < | + | |
| - | < | + | |
| - | </ | + | |
| - | </ | + | |
| - | </ | + | |
| - | + | ||
| - | The rest is the same as for the Authorization flow. So the client registers as before and gets the client id and secret. Then he calls access token service as explained above with the same headers as for the Authorization flow. He will then get the access token in the same way as in the authorization flow (there is no refresh token!) | + | |
| - | Then the client can call an Aware IM service using this access token in the same way it is done in the Authorization flow. | + | |
| + | ==== Summary ==== | ||
| Your service documentation needs to convey to the callers of the service that before calling the service, they need to do the following: | Your service documentation needs to convey to the callers of the service that before calling the service, they need to do the following: | ||