Working with the OAuth Authorization Code Grant and Implicit Grant Types

This tutorial gives detailed steps for generating OAuth tokens for the Authorization Code Grant and Implicit Grant types.

By Sabreen Irfana

1. Introduction

Integration Server supports the following Grant types:

  • Authorization Code Grant
  • Implicit Grant
  • Client Credentials Grant
  • Resource Owner Password Credentials Grant

This tutorial explains how to generate OAuth tokens for the Implicit Grant and Authorization Code Grant types.

2. Setup

The following Software AG components are required in the environment:

Components

  • Integration Server (v10.3)
  • Designer (v10.3)
  • Any client that can invoke a REST service call (I have used Postman)

3. Generate OAuth Token for Grant Type: Authorization Code/Implicit Grant

Step 1: Log in to the v10.3 Integration Server and install the following packages


 

Step 2: Set Require HTTPS to No in the Authorization Server settings, because the Authorization Server used here is not configured for HTTPS

Note: The same Integration Server can act as both the Authorization Server and a client. In our scenario, a single Integration Server acts as both.

To set Require HTTPS to No in the Authorization Server settings:

  • Log in to Integration Server and navigate to Security->OAuth->Edit OAuth Global Settings
  • Uncheck Require HTTPS

Step 3: Register the same Integration Server as a client

  • Navigate to Security->OAuth
  • Click Client Registration
  • Click Register Client and provide the following details:

Client Configuration

Client Name: ISClient1
Version: 1.0
Type: Confidential
Description: IS_Authorization Code Grant
Redirect URIs: http://<ISHostname:port>:7777/invoke/oauth/tokenForAuthCode
Allowed Grant: Check Authorization Code Grant

Token

Expiration Interval: Check Never Expires
Refresh Count: Limit:0

Note: The token values above can be changed as needed. The Redirect URI provided is the custom service that is used to fetch the token once it is generated.

  • Click Save

The message "Successfully registered client ISClient1, version 1.0" should be displayed, and a Client ID should be generated.

Step 4: Create a scope and associate the scope with the client

Create Scope

  • Navigate to IS web UI->Security->OAuth
  • Click Scope Management
  • Click Add Scope and then provide the following scope details

Scope Configuration Name: Scope1
Description: IS_Scope1
Folders and services: InvokeOauth:AddInts

  • Click Save Changes
    The message "Saved scope Scope1 successfully" should be displayed.

Associate scope with the client

  • Click Associate Scopes to Clients

Scopes:
Select ISClient(1.0) from Remaining Clients and move it to Clients associated with Scope
Clients:
Select Scope1 from Remaining Scopes and move it to Scope in the Client

  • Click Save Changes
    The message "The scope and client associations were updated successfully" should be displayed.
  • Click Return to Scope Management
  • Click Return to OAuth
  • Click Client Registration

Step 5: Get the Client ID and Client Secret

Get the Client ID and Client Secret from the client that was already created.

  • Navigate to Registered Clients, click ISClient(1.0), and copy the ID and Secret that were generated when the client was created

- ID: 1e1cf7507e73473ca879e1307496b55e
- Secret: ed12a6e1de5a49719f02b3cc57d198a4

Step 6: Run saveClientInfo from Designer

  • Open Designer, connect to Integration Server, and set the Service Deployment perspective
  • Select Default;OAuthRedirectionEndpoint;oauth;client;saveClientInfo in the tree
  • Right-click and run the saveClientInfo service, and provide the values for the following parameters
  • Click OK

Step 7: Authorize the client

  • Invoke the following URL:

http://<IShost>:<ISport>/invoke/pub.oauth/authorize?client_id=<Client_id_value>&scope=<Scope_name>&response_type=code

Example:

http://banrndsrv04:9403/invoke/pub.oauth/authorize?client_id=1e1cf7507e73473ca879e1307496b55e&scope=Scope1&response_type=code

If the invocation requires credentials, provide the following details:
Username: Administrator
Password: manage

  • On invocation, a Resource access approval page loads. Check the required scope and click Approve.
Note: If only one scope is available in Integration Server, then ALL and the scope are selected by default.

  • On clicking Approve, tokenData (access_data, token_type, expires_in) is generated for the specified scope. In other words, an OAuth token is generated for the specified grant type and can be used to invoke the services specified under the scope.
Note: One scope can contain any number of services, and the generated token can be used for all of the services specified under that one scope.

expires_in is -1 because we specified Never Expires while creating the client.

Step 8: Invoke the scoped service with the generated token as the access credential

  • Launch Postman or any other client
  • Select the POST method and provide the following details

URL: http://banrndsrv04:9403/invoke/InvokeOauth:AddInts?num1=1&num2=2

This URL invokes the service defined under the scope.

Header:
Key: Authorization
Value: Bearer 84e0324f70de4a5ab695eb87e27b0406

  • Click Send, then check that the status is OK
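
Steps 7 and 8 expressed in Python, as an added example that is not part of the original tutorial or of the Integration Server packages: it builds the authorize URL and the bearer-authenticated request from the tutorial's sample values, and reads expires_in the way Step 7 describes. The function names and the allow_cleartext opt-in are assumptions of this example.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Sample values copied from the tutorial; replace with your own.
IS_BASE = "http://banrndsrv04:9403"
CLIENT_ID = "1e1cf7507e73473ca879e1307496b55e"
ACCESS_TOKEN = "84e0324f70de4a5ab695eb87e27b0406"


def authorize_url(base, client_id, scope, response_type="code"):
    """Step 7: URL the resource owner opens to approve the client."""
    query = urlencode({"client_id": client_id, "scope": scope,
                       "response_type": response_type})
    return f"{base}/invoke/pub.oauth/authorize?{query}"


def token_expiry(token_data, issued_at):
    """Epoch second at which the token expires, or None if it never does.

    expires_in == -1 is what the tutorial sees with Never Expires checked.
    """
    expires_in = int(token_data["expires_in"])
    if expires_in == -1:
        return None
    if expires_in <= 0:
        raise ValueError(f"unexpected expires_in: {expires_in}")
    return issued_at + expires_in


def bearer_request(url, access_token, allow_cleartext=False):
    """Step 8: POST request carrying the token as the access credential.

    allow_cleartext (hypothetical opt-in) is needed for http:// URLs such as
    the tutorial's, where Require HTTPS is unchecked; over plain HTTP the
    token is readable by anything on the network path.
    """
    if urlsplit(url).scheme != "https" and not allow_cleartext:
        raise ValueError("refusing to send a bearer token over plain HTTP")
    if not access_token or any(ch.isspace() for ch in access_token):
        raise ValueError("access token is empty or contains whitespace")
    return Request(url, method="POST",
                   headers={"Authorization": f"Bearer {access_token}"})


if __name__ == "__main__":
    print(authorize_url(IS_BASE, CLIENT_ID, "Scope1"))
    req = bearer_request(f"{IS_BASE}/invoke/InvokeOauth:AddInts?num1=1&num2=2",
                         ACCESS_TOKEN, allow_cleartext=True)
    print(req.get_method(), req.full_url, req.header_items())
```

Pass the returned Request to urllib.request.urlopen to send it.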

Execute Steps 1-8 for the Implicit Grant type as well; the only difference is that, while creating the client, you select Implicit Grant instead of Authorization Code Grant.
The scenario above shows how the OAuth grant types can be used in Integration Server and how the generated tokens can be used to invoke our services.

InvokeOauth.zip (4.4 KB)

OAuthRedirectionEndpoint.zip (21.9 KB)