Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
docs:2500_config_apps:setting_up_oauth_protection [2026/07/07 08:13] aware_admindocs:2500_config_apps:setting_up_oauth_protection [2026/07/07 08:55] (current) aware_admin
Line 44: Line 44:
  
 ==== Scopes ==== ==== Scopes ====
-1. Client must specify scope(s) in the authorization request. Requested scopes are separated by a space symbol (&scope=scope1%20scope2) +  - Clients must specify scope(s) in the authorization request. Requested scopes are separated by a space symbol (&scope=scope1%20scope2) 
-2. All requested scopes must be registered for the client. If no scopes are requested in the call, registered scopes are used. +  All requested scopes must be registered for the client. If no scopes are requested in the call, registered scopes are used. 
-3. The category of the called service must match one the approved scopes (approved by the end user) +  The category of the called service must match one the approved scopes (approved by the end user) 
-4. Example of a valid service category: +  Example of a valid service category: 
 BSPrefix_scope1_scope2_scope3  BSPrefix_scope1_scope2_scope3 
 (provided that scope3 is not "general") (provided that scope3 is not "general")
  
-CLIENT CREDENTIALS FLOW: +==== Client Credentials Flow ==== 
-The above describes “authorization” work flow. To use “client credentials workflow do the following: + 
-In this flow you just need to call the AccessTokenService with a particular grant type. So you don'need to call the authorization service as the first step. +The instructions above are for the “authorization” workflow. To use “client credentials workflowdo the following: 
-The first step should be calling AccessTokenService but instead of the authorization_code grant type you specify client_credentials grant type:+  In this flow the client just needs to call the AccessTokenService with a particular grant type. The client does not need to call the authorization service as the first step. 
 +  The first step should be calling AccessTokenService but instead of the authorization_code grant type you specify client_credentials grant type:
 instead of this: instead of this:
-http://ServerName:ServerPort/CXF/services/oauth/token?grant_type=authorization_code&code=...&client_id=...&client_secret=...&redirect_uri=... +<code>http://ServerName:ServerPort/CXF/services/oauth/token?grant_type=authorization_code&code=...&client_id=...&client_secret=...&redirect_uri=...</code> 
-You specify this: +the client ashould call this: 
-http://ServerName:ServerPort/CXF/services/oauth/token?grant_type=client_credentials&client_id=...&client_secret=... +<code>http://ServerName:ServerPort/CXF/services/oauth/token?grant_type=client_credentials&client_id=...&client_secret=...</code>
- +
-For this to work a special ClientCredentialsGrantHandler needs to be registered. Again in theory this can be done by modifying the file AwareIM/Tomcat/webapps/CXF/WEB-INF/awareim.xml. You need to add the following: +
-     <bean id="clientCredentialsGrantHandler" class="com.awaresoft.oauthcxf.services.AwareIMCCGrantHandler"> +
-         <property name="dataProvider" ref="oauthProvider"/> +
-     </bean> +
- +
-And then modify the following lines to add reference to the bean above (line in bold below): +
-     <bean id="accessTokenService" class="com.awaresoft.oauthcxf.services.AwareIMAccessTokenService"> +
-         <property name="dataProvider" ref="oauthProvider"/> +
-         <property name="grantHandlers"> +
-            <list> +
-             <ref bean="refreshGrantHandler"/> +
-             <ref bean=" clientCredentialsGrantHandler  "/> +
-            </list> +
-         </property> +
-     </bean> +
- +
-The rest is the same as for the Authorization flow. So the client registers as before and gets the client id and secret. Then he calls access token service as explained above with the same headers as for the Authorization flow. He will then get the access token in the same way as in the authorization flow (there is no refresh token!) +
-Then the client can call an Aware IM service using this access token in the same way it is done in the Authorization flow. +
  
 +==== Summary ====
  
 Your service documentation needs to convey to the callers of the service that before calling the service, they need to do the following: Your service documentation needs to convey to the callers of the service that before calling the service, they need to do the following: