Difference between revisions of "Device flow usecase 1"

From i2Rest
Jump to: navigation, search
(Device Flow)
(Device flow)
 
(60 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Device Flow =
+
{{DISPLAYTITLE:Google drive API}}
 +
The use case shows the process of creating "i2rest.doc" file on "i2restexample" user Google Drive using I2Rest Client request with Oauth2 Authorization code flow.
 +
Lets walk step by step through our example with creating "i2rest.doc" file on "i2restexample" user Google Drive
  
Provided by i2Rest-client OAuth 2.0 Device flow allows your IBM i application to deal with protected user data on remote resource, while end users are not forced to share their usernames, passwords, and other private information. Instead, user jast have to pass authetification on remote resource and authorizate IBM i application to make some actions on the user's behalf. As far IBM i have no ability to display a web-page, i2Rest-client only provides user with link to authorization page. After user follow the link on any orher device (or via browser) and accept request, i2rest-client will be granted for authorization token, which allows user data access. Lets walk step by step on schema throuth our example with creating "i2rest.doc" file on "i2restexample" user's Google Drive.
+
== Preparations ==
[File:Flow.png]
+
:a)At the very beginning your application should be registered as a client (obtaining Device ID and Device Password) on [https://console.developers.google.com/apis/credentials Google] (see [https://developers.google.com/identity/protocols/oauth2 details]).
=== Preparations ===
+
:b) [[Create_*SYSTEM_Certificate_Store| Create *SYSTEM Certificate Store]] and [[Add_external_CA_to_trust_list  |add Google.com SSL CA ]].<br>
At the very begining your application should be registrated as a client (obtaining Device ID and Device Password) on the resource that will be re
 
  
quested for protected data. In our case we should folow Google's [https://console.developers.google.com/apis/credentials instructions].
+
== i2Rest Client command composing == 
 +
Composing i2Rest Client we need:<br>
 +
:to set request method and API endpoint to values that are specified in the API method description; 
 +
<pre>
 +
I2REST COMMAND(*POST)                                     
 +
      URL('https://www.googleapis.com/drive/v3/files')
 +
</pre>
 +
:to specify properly configured on Preparations step (b) Certificate_Store to be able to work with SSL secured resource;
 +
<pre>
 +
      DCMCLIENT(<DCM client name>) 
 +
</pre>
 +
:to specify obtained on Preparations step (a) requisites;
 +
<pre>
 +
      AUTHID('Device ID')                 
 +
      AUTHPW('Device password)                     
 +
      AUTHURL('https://accounts.google.com/o/oauth2/v2/auth 
 +
              ')                                           
 +
      TOKENURL('https://oauth2.googleapis.com/token')       
 +
      SCOPE('https://www.googleapis.com/auth/drive.file') 
 +
</pre>
 +
All the necessary parameters are specified, it's time to execute the complete command. 
 +
<pre>
 +
I2REST COMMAND(*POST)                                     
 +
      URL('https://www.googleapis.com/drive/v3/files')   
 +
      BODY(*N '{"name":"i2rest.doc"}'
 +
            'application/json' *YES 1208)
 +
      OUTPUT(*BOTH) 
 +
      AUTHMETHOD(*OAUTH2D)                                     
 +
      DCMCLIENT(MYCLIENT)
 +
      RECVLOG('/home/USRX/recieved.log')                         
 +
      SENTLOG('/home/USRX/sent.log')                                                           
 +
      TOKENS('/tokens/tokens.usrspc')
 +
      AUTHID('<Device ID>')               
 +
      AUTHPW('<Device password>')                 
 +
      AUTHURL('https://oauth2.googleapis.com/device/code')
 +
      TOKENURL('https://oauth2.googleapis.com/token')     
 +
      SCOPE('https://www.googleapis.com/auth/drive.file') 
 +
</pre>
  
step 1
+
== Device flow ==
With Device ID and Device Password I2rest requests URI specified in «OAuth2 authorization endpoint» parameter. Authorization server responds with some requisites to be used getting user permission to protected data. As far as AS400 have no ability to display web page, it only displays link to authorization page to visit via browser according to «show authorization screen?» parameter.
+
After the command was executed, I2Rest Client starts performing Oauth2 Authorization code flow. Steps (A), (B) of the [[Device_flow_description|flow]] are taken behind the scene. Step (C) will be displayed on your green screen. Follow provided link.
       
+
<div style="padding-bottom:6px">[[File:Device-flow-usecase1.png]]</div>
If case of  *REQUESTER or *BOTH authorization srcreen will be displayed. In case of *NONE or *REMOTE no screen will be displayed, but requester or specified (Send authorization request to) User should get notification.  
+
Find yourself on device connection page. Proceed with "Next" button, and this is step (D).
+
<div style="padding-bottom:6px">[[File:Device-flow-usecase2.png]]</div>
That notification is handled by *DFT program, that gets Authorizer field with specified length as input parameter.
+
Grant access to requested scope.
       
+
<div style="padding-bottom:6px">[[File:Device-flow-usecase3.png]]</div>
Any program with custom logic (sms notification, etc) can be applied.  
+
Here we are!
During period of «Time to wait authorization» i2rest will poll «OAuth2 token endpoint» URI to get token, which should be issued after user authorizes request. Tokens obtained from the authorization sever will be saved to “Tokens storage”.
+
<div style="padding-bottom:6px">[[File:Device-flow-usecase4.png]]</div>
 +
Steps (E), (F) of the flow does not envolve end user.
 +
 
 +
== Checking the result! ==
 +
We didn't make a screenshot with i2rest.doc on our example Google Drive, but you can check your own file right now. Also take a look on the result of the authorized request to Google Drive APi in joblog.
 +
<pre>
 +
Approved scopes https://www.googleapis.com/auth/drive.file   
 +
Token type Bearer                                             
 +
Token expires in 3599                                         
 +
Server response (status 200, shown 128 bytes of 128):         
 +
{                                                             
 +
"kind": "drive#file",                                       
 +
"id": "1qH1yvlK1WF-C8oi9v3Nf8miUTuz_1Tvr",                   
 +
"name": "i2rest.doc",                                       
 +
"mimeType": "application/msword"                             
 +
}                                                             
 +
</pre>

Latest revision as of 20:38, 2 November 2021

The use case shows the process of creating "i2rest.doc" file on "i2restexample" user Google Drive using I2Rest Client request with Oauth2 Authorization code flow. Lets walk step by step through our example with creating "i2rest.doc" file on "i2restexample" user Google Drive

Preparations

a)At the very beginning your application should be registered as a client (obtaining Device ID and Device Password) on Google (see details).
b) Create *SYSTEM Certificate Store and add Google.com SSL CA .

i2Rest Client command composing

Composing i2Rest Client we need:

to set request method and API endpoint to values that are specified in the API method description;
I2REST COMMAND(*POST)                                       
       URL('https://www.googleapis.com/drive/v3/files') 
to specify properly configured on Preparations step (b) Certificate_Store to be able to work with SSL secured resource;
       DCMCLIENT(<DCM client name>)  
to specify obtained on Preparations step (a) requisites;
       AUTHID('Device ID')                   
       AUTHPW('Device password)                       
       AUTHURL('https://accounts.google.com/o/oauth2/v2/auth  
               ')                                             
       TOKENURL('https://oauth2.googleapis.com/token')        
       SCOPE('https://www.googleapis.com/auth/drive.file')  

All the necessary parameters are specified, it's time to execute the complete command.

I2REST COMMAND(*POST)                                       
       URL('https://www.googleapis.com/drive/v3/files')     
       BODY(*N '{"name":"i2rest.doc"}' 
            'application/json' *YES 1208)
       OUTPUT(*BOTH)  
       AUTHMETHOD(*OAUTH2D)                                      
       DCMCLIENT(MYCLIENT)
       RECVLOG('/home/USRX/recieved.log')                           
       SENTLOG('/home/USRX/sent.log')                                                             
       TOKENS('/tokens/tokens.usrspc')
       AUTHID('<Device ID>')                 
       AUTHPW('<Device password>')                   
       AUTHURL('https://oauth2.googleapis.com/device/code') 
       TOKENURL('https://oauth2.googleapis.com/token')      
       SCOPE('https://www.googleapis.com/auth/drive.file')  

Device flow

After the command was executed, I2Rest Client starts performing Oauth2 Authorization code flow. Steps (A), (B) of the flow are taken behind the scene. Step (C) will be displayed on your green screen. Follow provided link.

Device-flow-usecase1.png

Find yourself on device connection page. Proceed with "Next" button, and this is step (D).

Device-flow-usecase2.png

Grant access to requested scope.

Device-flow-usecase3.png

Here we are!

Device-flow-usecase4.png

Steps (E), (F) of the flow does not envolve end user.

Checking the result!

We didn't make a screenshot with i2rest.doc on our example Google Drive, but you can check your own file right now. Also take a look on the result of the authorized request to Google Drive APi in joblog.

Approved scopes https://www.googleapis.com/auth/drive.file     
Token type Bearer                                              
Token expires in 3599                                          
Server response (status 200, shown 128 bytes of 128):          
{                                                              
 "kind": "drive#file",                                         
 "id": "1qH1yvlK1WF-C8oi9v3Nf8miUTuz_1Tvr",                    
 "name": "i2rest.doc",                                         
 "mimeType": "application/msword"                              
}