Registering an OAuth client with a provider
Any OAuth client must be registered with the OAuth provider before it can request authorization to act on a user's behalf.
To allow a seamless user experience while using Activity Streams, IBM Connections 4 supports automatic authorization of trusted gadget clients. Users are not prompted to authorize a trusted gadget the first time it tries to access their Connections data; the consent step is skipped entirely, so only clients you control should ever be added to the trusted list. The only trusted gadget client out of the box in IC4 is the Connections Embedded Experience gadget.
- To register an arbitrary client:
- Start wsadmin.
./wsadmin.sh -lang jython -user wasadmin -password passw0rd
- Load oauth admin commands
execfile('oauthAdmin.py')
- Register the client:
OAuthApplicationRegistrationService.addApplication(String appId, String appName, String redirectURI)
Where:
- appId is the identifier for the application being registered. It can be any unique string, such as my-test-client.
- appName is a descriptive name for the client, such as My Test Client.
- redirectURI is where the provider redirects once the gadget has been granted authorization. When Connections is the client, the URL must be set to the templated value below. The placeholder opensocialSvcUrl is replaced at runtime with the URL of the opensocial service defined in LotusConnections-config.xml.
wsadmin>OAuthApplicationRegistrationService.addApplication("my-test-client", "My Test Client", "{opensocialSvcUrl}/gadgets/oauth2callback")
An application was added with the new id my-test-client.
- Obtain the client secret from the newly registered application (copy it and save it in a text file). It will be used to register the gadget on the consumer proxy. The secret is a credential for the client, so protect the file as you would any password.
clientSecret = OAuthApplicationRegistrationService.getApplicationById(appId).get('client_secret')
To see the secret, run the following commands (substituting your own appId for conn-ee):
wsadmin>clientSecret = OAuthApplicationRegistrationService.getApplicationById('conn-ee').get('client_secret')
wsadmin>print clientSecret
For example:
CdVFsLUyTGa9p8BaHZcNSir4i7sLcuk31XZMkhtXSHUcXGKI7HDeCONm89lf
- To enable auto-authorization for this gadget, the provider must be configured to treat it as a privileged client. Edit the connectionsProvider.xml used to configure the provider (for example, located in \IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\nameCell01\oauth20\) and add the appId used above to the trusted auto-authorize client list, for example:
<parameter name="oauth20.autoauthorize.clients" type="ws" customizable="true">
  <value>my-test-client</value>
</parameter>
- Recreate the provider using this wsadmin command, substituting the appropriate path for connectionsProvider.xml and the wasadmin credentials (passing -password on the command line exposes it in the process list and shell history; consider omitting it so wsadmin prompts for it instead):
./wsadmin.sh -lang jython -conntype SOAP -c "print AdminTask.createOAuthProvider('[-providerName connectionsProvider -fileName /opt/IBM/WebSphere/AppServer1/profiles/AppSrv01/bin/connectionsProvider.xml]')" -user wasadmin -password PASS
- Consider whether the default OAuth provider token lifetimes are appropriate for the deployment; a refresh token that stays valid for six months means a leaked token remains usable until it is explicitly revoked. The defaults are:
- access token=12 hours
- refresh token=6 months
- cleanup interval=1 hour
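The auto-authorize edit above is easy to get wrong by hand: a typo in the parameter name or a duplicated value silently leaves the client untrusted or leaves the file inconsistent. The following is an added example, not code from IBM's documentation or the wsadmin tooling: a CPython 3 helper, run outside wsadmin, that reads a connectionsProvider.xml, lists the clients that will bypass the consent prompt, and adds an appId idempotently. The sample XML is constructed from the fragment on this page and wrapped in a hypothetical <provider> root; the real file's root element and its other parameters are not shown on this page, so the lookup does not depend on the root name.

```python
import sys
import xml.etree.ElementTree as ET

# Parameter name exactly as it appears in connectionsProvider.xml on this page.
AUTOAUTH_PARAM = "oauth20.autoauthorize.clients"

# Constructed sample input (not the real file): the <parameter> fragment from
# this page wrapped in a hypothetical <provider> root so it parses as a document.
SAMPLE_PROVIDER_XML = """<provider>
  <parameter name="oauth20.autoauthorize.clients" type="ws" customizable="true">
    <value>conn-ee</value>
  </parameter>
</provider>
"""


def _find_autoauth_param(root):
    # Root-agnostic search: the real root element is not documented here.
    return root.find(".//parameter[@name='%s']" % AUTOAUTH_PARAM)


def trusted_clients(xml_text):
    """Return the appIds that will be auto-authorized, i.e. users are never
    shown a consent prompt for them. Reviewing this list is the audit step."""
    param = _find_autoauth_param(ET.fromstring(xml_text))
    if param is None:
        return []
    return [v.text.strip() for v in param.findall("value") if v.text and v.text.strip()]


def add_trusted_client(xml_text, app_id):
    """Add app_id to the auto-authorize list and return (new_xml, changed).

    Idempotent: an appId already present is not duplicated and the input is
    returned unchanged. If the parameter element is missing it is created with
    the attributes shown on this page (type="ws" customizable="true").
    """
    root = ET.fromstring(xml_text)
    param = _find_autoauth_param(root)
    if param is None:
        param = ET.SubElement(root, "parameter", name=AUTOAUTH_PARAM,
                              type="ws", customizable="true")
    if app_id in [v.text.strip() for v in param.findall("value") if v.text]:
        return xml_text, False
    value = ET.SubElement(param, "value")
    value.text = app_id
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    # Usage: python autoauth.py connectionsProvider.xml my-test-client
    # With no arguments, runs against the constructed sample above.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        app_id = sys.argv[2]
    else:
        text, app_id = SAMPLE_PROVIDER_XML, "my-test-client"
    print("currently trusted (no consent prompt):", trusted_clients(text))
    new_text, changed = add_trusted_client(text, app_id)
    print("added %s: %s" % (app_id, changed))
    print(new_text)
```

After writing the new file back, the provider still has to be recreated with AdminTask.createOAuthProvider as described above; editing the XML alone does not change the running provider.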
- Authorization Management Commands
Once client applications are registered with the OAuth provider in Connections, they may request authorization from Connections users to access and interact with their data. Connections administrators can run wsadmin commands to manage the authorizations issued to registered client applications, for example to revoke authorizations granted to a malicious application or to remove a compromised access token.
Parent topic:
Allow third-party applications access to data via the OAuth2 protocol