OAuth2 object

Built-in and external implementation

Some OAuth2 parameters allow the use of a built-in (embedded) or external implementation.

• i2Rest Server Free edition allows to use only built-in implementation of OAuth2 parameters. This implementation uses a specific parameter structure and configuration principles. You can define the list of scopes, users or clients, set some parameters for code generation rules etc. All these parameters must be configured in the configuration file, and they will be unchanged from the moment the server starts. To change the settings, you must change the configuration file and restart the server. A detailed description of all parameters in embedded implementation is given below.
• With i2Rest Server Premium edition, you can develop your own custom implementation of functions for working with tokens, codes, scopes, users and clients. You can use any storage for this data, any algorithms and procedures, for example, to checking passwords, to setting and validation of permissions, to define valid scopes etc.

Settings for built-in implementation

Scopes

Use this parameter to define the list of scopes within this i2Rest Server instance. To define the scope, add following object to "scopes" object:

"<name of the scope>":{<scope definition object>}

For example:

"scopes": {"run_program"          : {"description":"Run *PGM and *SRVPGM"}, 
           "run_command"          : {"description":"Run CL command"},
           "management_functions" : {"description":"Invoke i2Rest manager APIs"}
}

Minimal scope list has to include "run_command", "run_program", "management_functions" scopes. If some of these scopes is absent, you will not able to use appropriate API. The structure of the definition object:

Users

This parameter allows to define the list of users for this i2Rest Server instance. In built-in implementation, all i2Rest Server users has to be registered as an IBM i users. i2Rest Server checks IBM i user passwords for authentication. When calling APIs, authorization settings configured on the IBM i server are used.
To set up a user, you must define it in the OAuth2 object:

"<user_name>":{<definition object>}

The structure of the user definition object:

Elements of valid_users are defined as follows:

"<client_name>":{<valid_client_definition>}

The structure of the valid client definition object:

Example:

"OAuth2": {
  ...
  "users":
  {
     ...
     "UDEMO":{"description":"Demo user", "valid_clients":{"CDEMO":{"scopes":["run_program", "run_command", "management_functions"]}}},
     "UTEST":{"description":"Test user", "valid_clients":{"CTEST":{"scopes":["run_program", "run_command", "management_functions"]}}}
     ...
  },
  ...
}

Clients

All OAuth2 clients that will interact with this server must be registered in the list. In built-in implementation, all i2Rest Server clients has to be registered as an IBM i user profiles. i2Rest Server checks IBM i user passwords for authentication of OAuth2 clients. When calling APIs, i2Rest Server uses authorization settings configured for user profiles related with OAuth2 user, authorization of user profiles related with OAuth2 clients does not matter. However, for the client to work, his user profile must be *ENABLED.
To set up a client, you must define it in the OAuth2 object:

"<client_name>":{<definition object>}

The structure of the client definition object:

Example:

"OAuth2":{
   ...
   "clients": {
      ...
      "CDEMO": {
         "redirect_uri" : "https://api.i2rest.com/oauth2/redirect", 
         "description"  : "Demo client", 
         "valid_scopes" : ["run_program", "run_command", "management_functions"],
         "valid_grant_types" : [
            "authorization_code", 
            "urn:ietf:params:oauth:grant-type:device_code", 
            "refresh_token", 
            "client_credentials", 
            "urn:i2rest:bridge:access_code"
         ]
      },
      ...
   },
   ...
}

Token/Code generation rules

The following parameters control the rules for generating various kinds of codes. i2Rest Server generates the following codes:

• tokens
• refresh_tokens
• codes
• device_codes

To set the generation rule for some code, you must define it in the OAuth2 object:

"<code_name>":{<definition object>}

The structure of the definition object:

"token":{"type":"token"}

Example:

"OAuth2": {
   ...
   "tokens"         : {"type":"token", "capacity":500},
   "refresh_tokens" : {"type":"refresh_token", "capacity":1000},
   "codes"          : {"type":"code", "capacity":100},
   "device_codes"   : {"type":"user_code", "capacity":200},
   ...
}

External implementation

In the case of using an external implementation, parameter setting is performed using an object of the following form:

"<parameter>" : {
   "implementation"  : "<service_program>",
   "init_entrypoint" : "<exported_function_name_used_for_initialize_object>",
   "config"          : <object_configuration_options>
}

Example:

"clients" : {
   "implementation"  : "I2REST/OAUTH2_CLI", 
   "init_entrypoint" : "OAuth2_client_init_internal", 
   "config"          : {
      "table" : "I2REST/CLIENTS"
   }
}

Mandatory property here is "implementation" - it should point to existing *SRVPGM object with code that implements functions specific for this parameter. As an example, for OAuth2 clients, it is required to provide *SRVPGM with following functions:

• init - initialize clients object
• destroy - destroys clients object
• get_client_copy - search client according implemented algorithm and return allocated copy of client data
• destroy_client_copy - deallocate copy of client data
• lock_client - search client and lock it for update. Returns pointer to client data
• update_client - update some details of client previously locked by lock_client function
• retrieve_client_credentials - retrieves encrypted version of client credentials
• validate_client_credentials - validates client credentials
• scopes_are_valid_for_client - validates that scopes are valid for the client
• grant_type_is_valid_for_client - validates that grant type is valid for the client

External implementation is available with i2Rest Server Premium edition. Objects that can be implemented externally are:

• tokens
• refresh tokens
• device codes
• user codes
• scopes
• clients, including client<>scope and client<>grant types relations
• users, including user<>clients relations

For detailed information about external implementation, please ask us

Other settings

Endpoints

i2Rest Server listens for incoming connections at several endpoints related to main or management gates. All these endpoints has default values that can be overridden in configuration file
Endpoints must vary. Endpoint cannot be the beginning of another endpoint. Endpoints must be valid URL path component

Web pages

i2Rest Server at some points in the flows interacts with the user. Server installation includes the simplest versions of pages with a user interface. During the implementation process, you can change or create your own versions of pages, and specify their addresses in the configuration file.
Pages and static content can be placed and served by i2Rest Server, or you can use an external web server or web application.
To place static content on the i2Rest Server, it must be placed in the Static/ folder in the current server directory (see configuration parameter curdir). In this case, static content will be available as a resource at http(s)://<i2Rest_server_name:port>/pages/<resource_path_at_Static>, for example:

Static/device_connected.html => http://myserver.com/pages/device_connected.html
Static/Login/index.html => http://myserver.com/pages/Login/index.html

Pages representing external links must be specified as a complete URL path in configuration file.
User interaction pages that can be specified in configuration file:

Miscellaneous parameters