Difference between revisions of "NoAuth usecase 4"

From i2Rest
Jump to: navigation, search
Line 7: Line 7:
 
[[File:Google-serv-to-serv.png]]
 
[[File:Google-serv-to-serv.png]]
  
 +
A) All the stuff  like ID's, accounts, RSA keys and others.
 +
Just use [https://jwt.io JWT online tool] to get JWT.
  
 
+
B) Now we can request access token. With JWT obtained
 
   I2REST COMMAND(*POST)                                       
 
   I2REST COMMAND(*POST)                                       
 
       URL('https://oauth2.googleapis.com/token')           
 
       URL('https://oauth2.googleapis.com/token')           
Line 31: Line 33:
 
       RECVLOG('/home/btpl/rejwt.log')
 
       RECVLOG('/home/btpl/rejwt.log')
 
       SENTLOG('/home/btpl/sejwt.log')
 
       SENTLOG('/home/btpl/sejwt.log')
       AUTHMETHOD(*NONE)            
+
       AUTHMETHOD(*NONE)  
 
+
         
 +
C) If the JWT and access token request are properly formed and the service account has permission to perform the operation, then the JSON response from the Authorization Server includes an access token. The following is an example response:
 +
Access tokens can be reused until during the duration noted in the expires_in value.
 +
   
 
     Server response (status 200, shown 261 bytes of 261):
 
     Server response (status 200, shown 261 bytes of 261):
 
     {"access_token":"ya29.c.Ko8BxwcD_TDznwIQVB7Y_vs1S8a86_DhMfVwz1rcMfLkaMkMtx
 
     {"access_token":"ya29.c.Ko8BxwcD_TDznwIQVB7Y_vs1S8a86_DhMfVwz1rcMfLkaMkMtx
Line 39: Line 44:
 
     P0G6vmwdFljOdhY","expires_in":3599,"token_type":"Bearer"}
 
     P0G6vmwdFljOdhY","expires_in":3599,"token_type":"Bearer"}
  
 
+
D) We attach access token using the access_token query string parameter.
 
   I2REST COMMAND(*POST)                                       
 
   I2REST COMMAND(*POST)                                       
 
       URL('https://iam.googleapis.com/v1/projects/client-fl
 
       URL('https://iam.googleapis.com/v1/projects/client-fl
Line 57: Line 62:
 
       SENTLOG('/home/btpl/sncreatsr1.log')
 
       SENTLOG('/home/btpl/sncreatsr1.log')
 
       AUTHMETHOD(*NONE)
 
       AUTHMETHOD(*NONE)
 
+
 
 +
 +
At that time we will attach access token as additional header. 
 
   I2REST COMMAND(*GET)                                         
 
   I2REST COMMAND(*GET)                                         
 
       URL('https://iam.googleapis.com/v1/projects/client-fl
 
       URL('https://iam.googleapis.com/v1/projects/client-fl

Revision as of 19:19, 18 April 2020

When you need your application to call Google APIs on behalf of its own (user aren't involved directly), you should refer to Google OAuth 2.0 for Server to Server Applications. It is not exactly Oauth2 Client Credential flow, so i2rest client can't deal with it for you with the only command call. But we still can reproduce this authorization scenario composing requests and handling responses manually. Lets take a look on steps we should perform.

Google-serv-to-serv.png

A) All the stuff like ID's, accounts, RSA keys and others. Just use JWT online tool to get JWT.

B) Now we can request access token. With JWT obtained 

  I2REST COMMAND(*POST)                                       
      URL('https://oauth2.googleapis.com/token')           
      BODY(*N 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agra
           nt-type%3Ajwt-bearer&assertion=eyJhbGciOiJSUzI1N
           iIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJpMnJlc3RzZXJ2QGNs
           aWVudC1mbG93LWV4YW1wbGUuaWFtLmdzZXJ2aWNlYWNjb3Vu
           dC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFw
           aXMuY29tL2F1dGgvY2xvdWQtcGxhdGZvcm0iLCJhdWQiOiJo
           dHRwczovL29hdXRoMi5nb29nbGVhcGlzLmNvbS90b2tlbiIs
           ImV4cCI6MTU4NzEzMzAwMCwiaWF0IjoxNTg3MTI5NDU3fQ.h
           _n7RXC13ACXFJQ5J2_5AlMcRxhaEK0Yi7SW6s_GRkED9qV8X
           rDFa47e-5uI3ZuMSw3aak9-RUJk7v2uw7kJUhT11At5JLPtb
           wpwJxqj0dbvaqUKuwk4OKXYBWrHsRfWq8-GZZ-GryAwXzq38
           p6j-3-jSJUm4EYKiXukzRWiGlUpP9xDZsOU_8gemJM3yR911
           95Bsc0yY-sHoG1FjaGy9EMRq4nHzD-An-8OGezYot2tWbunk
           MU8LmurcM0IEafwytB_iM7QOO8LNV2eKbjj-Ilxqm5XLbzIm
           WAvqIK9gNQ7avrmpnttJMX78VKuCFK9UB3OdcTtCs3Wb7r4P
           jQ5qg' 'application/x-www-form-urlencoded')     
      OUTPUT(*BOTH)                  
      DCMCLIENT(MYCLIENT)            
      RECVLOG('/home/btpl/rejwt.log')
      SENTLOG('/home/btpl/sejwt.log')
      AUTHMETHOD(*NONE)

C) If the JWT and access token request are properly formed and the service account has permission to perform the operation, then the JSON response from the Authorization Server includes an access token. The following is an example response: Access tokens can be reused until during the duration noted in the expires_in value. 

   Server response (status 200, shown 261 bytes of 261):
   {"access_token":"ya29.c.Ko8BxwcD_TDznwIQVB7Y_vs1S8a86_DhMfVwz1rcMfLkaMkMtx
   BBIxqoYbfJdQvp5O3EONN-lz7VviAVNWx3pQInTxPdf_2pmL9JW3l8Qt                
   DfSrfVL0CSk1j_BgEdR0jkPCCsRQPtWkSdSm-cH2vFZZiVcOOEOq4Yt8C3jzBl3kzNt2N882ic
   P0G6vmwdFljOdhY","expires_in":3599,"token_type":"Bearer"}

D) We attach access token using the access_token query string parameter. 

 I2REST COMMAND(*POST)                                       
      URL('https://iam.googleapis.com/v1/projects/client-fl
          ow-example/serviceAccounts?access_token=ya29.c.Ko
          8BxwcD_TDznwIQVB7Y_vs1S8a86_DhMfVwz1rcMfLkaMkMtxB
          BIxqoYbfJdQvp5O3EONN-lz7VviAVNWx3pQInTxPdf_2pmL9J
          W3l8QtDfSrfVL0CSk1j_BgEdR0jkPCCsRQPtWkSdSm-cH2vFZ
          ZiVcOOEOq4Yt8C3jzBl3kzNt2N882icP0G6vmwdFljOdhY') 
      BODY(*N '{  "accountId": "i2restcreated",             
                  "serviceAccount": {                               
                         "description": "created via i2rest client",                   
                         "displayName": "example one" }
               }' 'application/json' *YES 1208)                
      OUTPUT(*BOTH) 
      DCMCLIENT(MYCLIENT)                 
      RECVLOG('/home/btpl/recreatsr1.log')
      SENTLOG('/home/btpl/sncreatsr1.log')
      AUTHMETHOD(*NONE)


At that time we will attach access token as additional header. 

 I2REST COMMAND(*GET)                                        
      URL('https://iam.googleapis.com/v1/projects/client-fl
          ow-example/serviceAccounts')                     
      HEADERS((AUTHORIZATION 'Bearer ya29.c.Ko8BxwcD_TDznwI
              QVB7Y_vs1S8a86_DhMfVwz1rcMfLkaMkMtxBBIxqoYbfJ
              dQvp5O3EONN-lz7VviAVNWx3pQInTxPdf_2pmL9JW3l8Q
              tDfSrfVL0CSk1j_BgEdR0jkPCCsRQPtWkSdSm-cH2vFZZ
              iVcOOEOq4Yt8C3jzBl3kzNt2N882icP0G6vmwdFljOdhY
              '))                                          
      OUTPUT(*BOTH)                                        
      DCMCLIENT(MYCLIENT)                                  
      RECVLOG('/home/btpl/CAdriverecv.log')                
      SENTLOG('/home/btpl/CAdrivesent.log')                
      AUTHMETHOD(*NONE)   
 
   {
 "accounts": [
   {
     "name": "projects/client-flow-example/serviceAccounts/i2restserv@client-flow-example.iam.gserviceaccount.com",
     "projectId": "client-flow-example",
     "uniqueId": "117967955212758073044",
     "email": "i2restserv@client-flow-example.iam.gserviceaccount.com",
     "displayName": "i2restserv",
     "etag": "MDEwMjE5MjA=",
     "description": "Example to i2rest client flow",
     "oauth2ClientId": "117967955212758073044"
   },
   {
     "name": "projects/client-flow-example/serviceAccounts/i2restcreated@client-flow-example.iam.gserviceaccount.com",
     "projectId": "client-flow-example",
     "uniqueId": "104934312932229503067",
     "email": "i2restcreated@client-flow-example.iam.gserviceaccount.com",
     "displayName": "example one",
     "etag": "MDEwMjE5MjA=",
     "description": "created via i2rest client",
     "oauth2ClientId": "104934312932229503067"
   }
   ]
 }
Retrieved from "https://www.i2rest.com/index.php?title=NoAuth_usecase_4&oldid=487"