Difference between revisions of "Device flow description"

Latest revision as of 13:04, 9 September 2020

Overview

Oauth 2.0 Device flow is the authorization scenario for those devices (like IBM i), that has no ability to display an authorization web page when making request to private data on resources with limited access.

Device flow scheme.

(A) i2Rest Client initiates the flow with a request to the authorization server. The request incudes client identifier and requested scope.
(B) The authorization server responds with a device code, an end-user code and the verification URL.
(C) i2Rest Client displays an end-user code and the verification URL and thus instructs the end user to visit authorization page using a user agent on another device.
(D) The end-user follows provided verification URL on any browser capable device. The authorization server authenticates the resource owner and performs authorization dialog to determin either access will be granted or denied.
(E) i2Rest Client starts polling authorization server with device code to determine whether the user has authorized the request.
(F) The authorization server authenticates the client, performs validation of the device code, and, if access was granted by end user, responds with an access token.

Device flow by i2Rest command

The next parameters are mandatory to perform request with Device flow by I2Rest command.

Keyword	Parameter	Description
AUTHMETHOD	Authentication method	*OAUTH2D must be specified
COMAND	Request type	Any of available request type can be choosen
URL	API endpoint	HTTP resource to serve the request
AUTHID	User/OAuth2 client/device ID	Credentials to authenticate I2Rest Client with authorization server
AUTHPW	User/OAuth2 client/dev passwd
AUTHURL	OAuth2 authorization endpoint	HTTP resource to be requested for an authorization URL and device code
TOKENURL	Token endpoint	HTTP resource to be requested for an access token
SCOPE	Scope	The set of resources and operations that are allowed to application with access token

i2Rest command example bellow represents request for creating i2rest.doc file on Google Drive, please explore the appropriate use case.

I2REST COMMAND(*POST)                                       
       URL('https://www.googleapis.com/drive/v3/files')     
       BODY(*N '{"name":"i2rest.doc"}' 
            'application/json' *YES 1208)
       OUTPUT(*BOTH)  
       AUTHMETHOD(*OAUTH2D)                                      
       DCMCLIENT(MYCLIENT)                                  
       TOKENS('/tokens/tokens.usrspc')
       AUTHID('<client ID>')                 
       AUTHPW('<client secret>')                   
       AUTHURL('https://oauth2.googleapis.com/device/code') 
       TOKENURL('https://oauth2.googleapis.com/token')      
       SCOPE('https://www.googleapis.com/auth/drive.file')

@@ Line 1: / Line 1: @@
-{{DISPLAYTITLE:Device Flow Description}}
+{{DISPLAYTITLE:Device flow description}}
+==Overview==
-[[File:Device-flow-scheme1.png|width = 400px]]
+[https://tools.ietf.org/html/rfc8628 Oauth 2.0 Device flow] is the authorization scenario for those devices (like IBM i), that has no ability to display an authorization web page when making request to private data on resources with limited access. <br>
+[[File:Device-flow-scheme1.png|400px]]
 <br>
+Device flow scheme.
-The flow consists of the following steps:
+(A) i2Rest Client initiates the flow with a request to the authorization server. The request incudes client identifier and requested scope.<br>
+(B) The authorization server responds with a device code, an end-user code and the verification URL.<br>
+(C) i2Rest Client displays an end-user code and the verification URL and thus instructs the end user to visit authorization page using a user agent on another device.<br>
+(D) The end-user follows provided verification URL on any browser capable device. The authorization server authenticates the resource owner and performs authorization dialog to determin either access will be granted or denied.<br>
+(E) i2Rest Client starts polling authorization server with device code to determine whether the user has authorized the request.<br>
+(F) The authorization server authenticates the client, performs validation of the device code, and, if access was granted by end user, responds with an access token.<br>
+==Device flow by i2Rest command==
-#i2Rest client sends a request to the authorization server and includes its client identifier in the request.
+The next parameters are mandatory to perform request with Device flow by I2Rest command.<br>
-#The authorization server responds with a device code, an end-user code and the verification URL.
-#i2rest client provides end-user with a device code and the verification URL.
-#Now it's time end-user to follow provided verification URL on any capable device. After authentification on authorization server end-user will be prompted to grant (or deny) access to the application.
-#At the time end-user  i2 rest starts polling authorization server.
-#The authorization server validates the device code provided by the client and responds with the access token if the client is granted access, an error if they are denied access, or an indication that the client should continue to poll.
-== Required parameters ==
 {| class="wikitable"
-! Parameter!! Description
+! Keyword !! Parameter!! Description
 |-
-|[[i2Rest-client command#AUTHMETHOD | Authentication method]] || <code>*OAUTH2C</code> must be specified
+|[[I2Rest_Client_command#AUTHMETHOD | AUTHMETHOD]] || Authentication method ||*OAUTH2D must be specified
 |-
-|[[i2Rest-client command#COMAND| Command]] || Any of available request type can be choosen
+|[[I2Rest_Client_command#COMAND| COMAND ]] || Request type || Any of available request type can be choosen
 |-
-|[[i2Rest-client command#URL| API endpoint]] || HTTP resource to serve the request
+|[[I2Rest_Client_command#URL| URL ]] || API endpoint || HTTP resource to serve the request
 |-
-|[[i2Rest-client command#TOKENS| Tokens storage]] || ???????
+|[[I2Rest_Client_command#AUTHID| AUTHID]] || User/OAuth2 client/device ID ||rowspan="2"|  Credentials to authenticate I2Rest Client with authorization server
 |-
-|[[i2Rest-client command#AUTHID| User/OAuth2 client/device ID]] ||rowspan="2"|  Client Credentials to authenticate with authorization server
+|[[I2Rest_Client_command#AUTHPW| AUTHPW]] || User/OAuth2 client/dev passwd
 |-
-|[[i2Rest-client command#AUTHPW| User/OAuth2 client/dev passwd]]
+|[[I2Rest_Client_command#AUTHURL| AUTHURL ]] ||OAuth2 authorization endpoint ||  HTTP resource to be requested for an authorization URL and device code
 |-
-|[[i2Rest-client command#TOKENURL| OAuth2 token endpoint]] || HTTP resource used by the client to abtain an access token
+|[[I2Rest_Client_command#TOKENURL| TOKENURL]] ||Token endpoint ||HTTP resource to be requested for an access token
+|-
+|[[I2Rest_Client_command#SCOPE| SCOPE]] || Scope || The set of resources and operations that are allowed to application with access token
 |-
 |}
+i2Rest command example bellow represents request for creating i2rest.doc file on Google Drive, please explore [[Device_flow_usecase_1|the appropriate use case]].
-----
+<pre>
-[[I2Rest_Client|Back to i2Rest Client]]
+I2REST COMMAND(*POST)
+       URL('https://www.googleapis.com/drive/v3/files')
+       BODY(*N '{"name":"i2rest.doc"}'
+            'application/json' *YES 1208)
+       OUTPUT(*BOTH)
+       AUTHMETHOD(*OAUTH2D)
+       DCMCLIENT(MYCLIENT)
+       TOKENS('/tokens/tokens.usrspc')
+       AUTHID('<client ID>')
+       AUTHPW('<client secret>')
+       AUTHURL('https://oauth2.googleapis.com/device/code')
+       TOKENURL('https://oauth2.googleapis.com/token')
+       SCOPE('https://www.googleapis.com/auth/drive.file')
+</pre>

Difference between revisions of "Device flow description"

Latest revision as of 13:04, 9 September 2020

Overview

Device flow by i2Rest command

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools