
Allow third-party applications access to data via the OAuth2 protocol


Connections v5 supports the OAuth 2.0 protocol. Third-party consumer applications can use a combination of OAuth and the Connections API to access Connections user data, including photographs, personal profile information, etc.

The CNX administrator creates a list of registered consumer applications. When users open the consumer application, they are prompted to give or deny the application permission to access the user's Connections data. Permission is granted by a token, which expires in six months if not renewed by the user. When a permission expires, users must visit the consumer application again and go through the authorization process. Users can also remove an application's permission at any time in Connections by clicking...

For example, a social networking application can...

To add gadgets deployed externally, such as iGoogle gadgets, configure locked domains. Locking domains isolates semi-trusted gadgets and prevents them from accessing SSO tokens or gaining DOM access to the parent page of the gadget iFrame, either of which could be used to forward sensitive data to external sites.

To connect an OAuth 2 client to Connections using the IBM Connections APIs with the OAuth 2.0 protocol, the supported flow and its endpoints are:

  1. Authorization code grant flow.

  2. Authorization endpoint URL:

      https://www.connections.myco.com/oauth2/endpoint/connectionsProvider/authorize

  3. Token endpoint URL:

      https://www.connections.myco.com/oauth2/endpoint/connectionsProvider/token

The /oauth2 context root is configurable via the IBM console, as is that of any other Connections application. Apply the change to LotusConnections-config.xml in the "oauthprovider" service:

<sloc:serviceReference serviceName="oauthprovider"
                       enabled="true" 
                       ssl_enabled="true" 
                       bootstrapHost="admin_replace"
                       bootstrapPort="admin_replace"
                       clusterName="">

    <sloc:href>
        <sloc:hrefPathPrefix>/oauth2</sloc:hrefPathPrefix>
        <sloc:static href="http://www.connections.myco.com" 
                     ssl_href="https://www.connections.myco.com"/>
        <sloc:interService href="https://www.connections.myco.com"/>
    </sloc:href>

</sloc:serviceReference> 
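
The following Python example is added here and is not part of the Connections documentation. It shows the client side of the authorization code grant against the two endpoints above, following RFC 6749, with the context root taken as a parameter because it is configurable. The client ID, client secret, redirect URI and alternate context root are hypothetical, and sending the client credentials in the token request body is an assumption.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://www.connections.myco.com"  # ssl_href from the config above
PROVIDER = "connectionsProvider"           # provider name in the page's URLs

def endpoints(context_root="/oauth2"):
    """Derive both endpoint URLs from the configurable hrefPathPrefix."""
    root = "/" + context_root.strip("/")
    prefix = f"{BASE}{root}/endpoint/{PROVIDER}"
    return {"authorize": prefix + "/authorize", "token": prefix + "/token"}

def authorization_url(client_id, redirect_uri, context_root="/oauth2"):
    """Step 1: URL the user's browser is sent to, plus the state to store."""
    state = secrets.token_urlsafe(32)  # unguessable; keep it in the user's session
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return endpoints(context_root)["authorize"] + "?" + query, state

def code_from_callback(callback_url, expected_state):
    """Step 2: accept the code only if the callback echoes our own state."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:  # e.g. the user denied permission
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not from this session")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def token_request(code, client_id, client_secret, redirect_uri,
                  context_root="/oauth2"):
    """Step 3: token endpoint URL and form-encoded POST body (send over TLS)."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # assumption: credentials in the body
        "redirect_uri": redirect_uri,    # must match the value used in step 1
    })
    return endpoints(context_root)["token"], body
```

The state check in step 2 is what ties the returned code to the browser session that started the flow; a callback that fails it should be dropped without contacting the token endpoint.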


See

