The authorization server uses this page to obtain and store the resource owner's consent about which OAuth clients are authorized to access the protected resource. The page also displays the scopes that the OAuth client requests.
Security Verify Access for Mobile provides an HTML page template called user_consent.html. The macros in the template are specific to the OAuth 2.0 flow.
You can use a separate template for each API definition. To add a template for a specific definition, create a directory with the same name as the definition under oauth20 and add the user_consent.html template there.
Security Verify Access for Mobile stores the decisions that the resource owner makes about which OAuth clients to trust, so the resource owner is not prompted every time the same OAuth client requests authorization to access the protected resource.
When an OAuth client sends an authorization request, the requested scopes are split into scopes that the resource owner has already approved and scopes that still need approval. Both lists are shown on the consent page and can be of any length, so the template supports repeatable stanzas that are emitted once for each scope in either list.
This template file provides several replacement macros. Note that @CLIENT_ID@, @REDIRECT_URI@, @STATE@, @RESPONSE_TYPE@ and the extra request parameters are taken from the authorization request, so their values are chosen by the requesting client and must be treated as untrusted input when you customize the page.
@OAUTH_AUTHORIZE_URI@
This macro is replaced with the URI for the authorization endpoint.
@OAUTH_CLIENT_COMPANY_NAME@
This macro is replaced with the display name of the client that is requesting access to the protected resource.
@CLIENT_ID@
This macro is replaced with the client_id parameter specified in the authorization request.
@REDIRECT_URI@
This macro is replaced with the redirect URI to which the authorization server sends the authorization code. The value is determined by the following items:
Redirect URI that is entered during partner registration
oauth_redirect parameter specified in the authorization request
@STATE@
This macro is replaced with the state parameter specified in the authorization
request.
@RESPONSE_TYPE@
This macro is replaced with the response_type parameter specified in the authorization request.
@OAUTH_CLIENT_DATA_MACRO@
This macro is replaced with the client data in JSON format. It contains the values that are entered at configuration time, such as:
Company name
Company URL
Contact name
Email address
Telephone number
Contact type
Other information
It also contains the dynamic data of the client: any statically configured client values, such as the company name, and any dynamic values, whether they come from a dynamically registered client or from the extended client data (for example, tos_uri).
The fields are sanitized through a filter list, so only the values on that list reach the page. To include or exclude a specific value, change the advanced configuration oauth20.clientDataToInclude.
@USERNAME@
This macro is replaced with the Security Verify Access for Mobile user name of the authenticated resource owner.
@OAUTH_OTHER_PARAM_REPEAT@
A multi-valued macro that belongs inside the [RPT oauthOtherParamsRepeatable] repeatable replacement list. Its values are the names of the extra parameters in the authorization request.
@OAUTH_OTHER_PARAM_VALUE_REPEAT@
A multi-valued macro that belongs inside the [RPT oauthOtherParamsRepeatable] repeatable replacement list. Its values are the values of the extra parameters in the authorization request, in the same order as the names.
@OAUTH_TOKEN_SCOPE_REPEAT@
A multi-valued macro that belongs inside either the [RPT oauthTokenScopePreapprovedRepeatable] or the [RPT oauthTokenScopeNewApprovalRepeatable] repeatable replacement list. Inside [RPT oauthTokenScopePreapprovedRepeatable], its values are the requested token scopes that the resource owner previously approved. Inside [RPT oauthTokenScopeNewApprovalRepeatable], its values are the requested token scopes that the resource owner has not yet approved.
@CONSENT_FORM_VERIFIER@
This macro is replaced with a unique identifier that becomes the value of the consent_form_verifier parameter. The authorization server generates the value automatically and uses it to verify that the submitted consent form belongs to the pending authorization request. The parameter name and value must not be modified, and the hidden consent_form_verifier field must remain in the form.
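To make the macro and stanza processing concrete, here is an added example that renders a cut-down copy of the Figure 1 stanzas. It is not IBM's code and does not show how the product is implemented internally. It assumes an in-memory consent store keyed by user and client_id, an allow-list that stands in for oauth20.clientDataToInclude, an authorization endpoint path of /oauth20/authorize, and HTML-escaping of every substituted value; whether the product escapes the same way is not stated on this page, so verify it in your deployment before relying on it.

```python
import html
import json
import re
import secrets

# Constructed sample (not the product's store): scopes the resource owner
# already approved, keyed by (user, client_id).
CONSENT_STORE = {("alice", "mobile-app-1"): {"profile"}}

# Constructed sample client data: configuration-time values, one dynamically
# registered value (tos_uri), and one that must never reach the page.
CLIENT_DATA = {
    "company_name": "Example Corp",
    "company_url": "https://example.test",
    "tos_uri": "https://example.test/tos",
    "client_secret_hash": "never-render-this",
}
# Stand-in for the advanced configuration oauth20.clientDataToInclude.
CLIENT_DATA_TO_INCLUDE = ["company_name", "company_url", "tos_uri"]

# One scan of the template: either a whole [RPT name]...[ERPT name] stanza
# (the backreference \1 forces matching names) or a single @MACRO@.
TOKEN_RE = re.compile(r"\[RPT (\w+)\](.*?)\[ERPT \1\]|@([A-Z_]+)@", re.DOTALL)
MACRO_RE = re.compile(r"@([A-Z_]+)@")

# Cut-down copy of the Figure 1 stanzas, enough to exercise every repeat list.
TEMPLATE = """<form action="@OAUTH_AUTHORIZE_URI@" method="post">
<p><b>@OAUTH_CLIENT_COMPANY_NAME@</b> (@CLIENT_ID@) state=@STATE@</p>
<ul>[RPT oauthOtherParamsRepeatable]
<li>@OAUTH_OTHER_PARAM_REPEAT@=@OAUTH_OTHER_PARAM_VALUE_REPEAT@</li>
<input type="hidden" name="@OAUTH_OTHER_PARAM_REPEAT@" value="@OAUTH_OTHER_PARAM_VALUE_REPEAT@" />
[ERPT oauthOtherParamsRepeatable]</ul>
[RPT oauthTokenScopePreapprovedRepeatable]
<input type="hidden" name="scope" value="@OAUTH_TOKEN_SCOPE_REPEAT@" />
[ERPT oauthTokenScopePreapprovedRepeatable]
[RPT oauthTokenScopeNewApprovalRepeatable]
<input type="checkbox" name="scope" value="@OAUTH_TOKEN_SCOPE_REPEAT@" checked="checked" />
[ERPT oauthTokenScopeNewApprovalRepeatable]
<input type="hidden" name="consent_form_verifier" value="@CONSENT_FORM_VERIFIER@" />
<pre>@OAUTH_CLIENT_DATA_MACRO@</pre>
</form>"""

def partition_scopes(user, client_id, requested):
    """Split requested scopes into (previously approved, still to approve)."""
    approved = CONSENT_STORE.get((user, client_id), set())
    return ([s for s in requested if s in approved],
            [s for s in requested if s not in approved])

def filter_client_data(data, include):
    """Allow-list what may be serialized into @OAUTH_CLIENT_DATA_MACRO@."""
    return {k: data[k] for k in include if k in data}

def _fill(text, values):
    # Values are escaped because the template places them in HTML text and
    # attributes; unknown macros are left untouched. Replacement output is
    # never rescanned, so a request value containing "@STATE@" stays literal.
    return MACRO_RE.sub(
        lambda m: html.escape(values[m.group(1)], quote=True)
        if m.group(1) in values else m.group(0), text)

def render(template, scalars, repeats):
    """scalars: macro -> value; repeats: stanza name -> list of rows, each a
    dict of macro -> value. A stanza body is emitted once per row."""
    def sub(m):
        if m.group(1):  # repeatable stanza
            rows = repeats.get(m.group(1), [])
            return "".join(_fill(m.group(2), {**scalars, **row}) for row in rows)
        return _fill(m.group(0), scalars)
    return TOKEN_RE.sub(sub, template)

def build_consent_page(template, user, request):
    """request: authorization request parameters as {name: [values]}."""
    client_id = request["client_id"][0]
    pre, new = partition_scopes(user, client_id, request.get("scope", []))
    known = {"client_id", "redirect_uri", "state", "response_type", "scope"}
    extra = [(k, v) for k, vs in request.items() if k not in known for v in vs]
    verifier = secrets.token_urlsafe(32)  # kept server-side with the pending request
    scalars = {
        "OAUTH_AUTHORIZE_URI": "/oauth20/authorize",  # assumed endpoint path
        "OAUTH_CLIENT_COMPANY_NAME": CLIENT_DATA["company_name"],
        "CLIENT_ID": client_id,
        "REDIRECT_URI": request["redirect_uri"][0],
        "STATE": request.get("state", [""])[0],
        "RESPONSE_TYPE": request["response_type"][0],
        "USERNAME": user,
        "OAUTH_CLIENT_DATA_MACRO": json.dumps(
            filter_client_data(CLIENT_DATA, CLIENT_DATA_TO_INCLUDE)),
        "CONSENT_FORM_VERIFIER": verifier,
    }
    repeats = {
        "oauthOtherParamsRepeatable": [
            {"OAUTH_OTHER_PARAM_REPEAT": k, "OAUTH_OTHER_PARAM_VALUE_REPEAT": v}
            for k, v in extra],
        "oauthTokenScopePreapprovedRepeatable": [
            {"OAUTH_TOKEN_SCOPE_REPEAT": s} for s in pre],
        "oauthTokenScopeNewApprovalRepeatable": [
            {"OAUTH_TOKEN_SCOPE_REPEAT": s} for s in new],
    }
    return render(template, scalars, repeats), verifier
```

Running build_consent_page(TEMPLATE, "alice", ...) with a request for the scopes profile and email yields one hidden scope field for profile (already consented) and one pre-checked checkbox for email (new approval), while client_secret_hash never appears because it is not on the include list. The verifier returned alongside the page is what the server must compare against the consent_form_verifier value that comes back in the POST.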
Figure 1. Template for user_consent.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>OAuth 2.0 - Consent to Authorize</title>
<link rel="stylesheet" type="text/css" href="/sps/static/styles.css" />
</head>
<body>
<div class="header">
<div class="brandingLogo"><img src="/sps/static/ibm-logo.png" /></div>
</div>
<div class="content">
<div class="contentHeader">
<h1 class="pageTitle">OAuth 2.0 - Consent to Authorize</h1>
<div class="instructions"></div>
</div>
<div class="pageContent">
<form action="@OAUTH_AUTHORIZE_URI@" method="post">
<p>The following site is requesting access to an OAuth 2.0 protected resource:</p>
<div class="sectionTitle">
<p><b>@OAUTH_CLIENT_COMPANY_NAME@</b></p>
</div>
<p>The client type is: @CLIENT_TYPE@</p>
<br/>
<p>The client provided the following OAuth 2.0 request parameters:</p>
<br/>
<ul style="margin-left: 20px">
<li>Client Id: @CLIENT_ID@</li>
<li>Redirect URI: @REDIRECT_URI@</li>
<li>State: @STATE@</li>
<li>Response Type: @RESPONSE_TYPE@</li>
</ul>
<br/>
<p>By approving this request you will be providing delegated authorization
on behalf of:</p>
<p><b>@USERNAME@</b></p>
<br/>
<p>The client provided the following extra request parameters:</p>
<!-- START NON-TRANSLATABLE -->
<ul style="margin-left: 20px">
[RPT oauthOtherParamsRepeatable]
<li>@OAUTH_OTHER_PARAM_REPEAT@=@OAUTH_OTHER_PARAM_VALUE_REPEAT@</li>
<input type="hidden" name="@OAUTH_OTHER_PARAM_REPEAT@"
value="@OAUTH_OTHER_PARAM_VALUE_REPEAT@" />
[ERPT oauthOtherParamsRepeatable]
</ul>
<!-- END NON-TRANSLATABLE -->
<br/>
<p>The client requested the following token scopes that have been previously approved:</p>
<!-- START NON-TRANSLATABLE -->
<ul style="margin-left: 20px">
[RPT oauthTokenScopePreapprovedRepeatable]
<li>@OAUTH_TOKEN_SCOPE_REPEAT@</li>
<input type="hidden" name="scope" value="@OAUTH_TOKEN_SCOPE_REPEAT@" />
[ERPT oauthTokenScopePreapprovedRepeatable]
</ul>
<!-- END NON-TRANSLATABLE -->
<br/>
<p>The client requested the following token scopes that have not yet been approved:</p>
<!-- START NON-TRANSLATABLE -->
[RPT oauthTokenScopeNewApprovalRepeatable]
<input type="checkbox" name="scope" value="@OAUTH_TOKEN_SCOPE_REPEAT@" checked="checked"/>
<label>@OAUTH_TOKEN_SCOPE_REPEAT@</label><br />
[ERPT oauthTokenScopeNewApprovalRepeatable]
<!-- END NON-TRANSLATABLE -->
<p/>
<br />
<p>Would you like to approve access to this scope?</p>
<br/>
<input type="hidden" name="consent_form_verifier" value="@CONSENT_FORM_VERIFIER@" />
<!--
The scope parameters can be:
1. Requested as part of the redirect for authorization by the client
by appending them to the authorize URL as query string parameters, and/or
2. If not requested by the client, and you know what authorization options
are valid for the protected resources being requested, you may
also manually prompt for them in this page template as demonstrated
by the following example scopes
-->
<!--
<table>
<tr>
<td>Scopes to be authorized: </td>
<td>Scope 1</td><td><input type="checkbox" name="scope" value="token_scope_1" /></td>
<td>:: Scope 2</td><td><input type="checkbox" name="scope" value="token_scope_2" /></td>
<td>:: Scope 3</td><td><input type="checkbox" name="scope" value="token_scope_3" /></td>
</tr>
</table>
-->
<table>
<tr>
<td>Permit </td>
<td><input type="radio" name="trust_level" value="permit" checked="checked" /></td>
</tr>
<tr>
<td>Deny </td>
<td><input type="radio" name="trust_level" value="deny" /></td>
</tr>
</table>
<br />
<div class="controls">
<input class="submitButton" type="submit" name="submit" value="Submit" style="width: 80px" />
</div>
</form>
</div>
</div>
</body>
</html>