Difference between revisions of "Configuring OAuth2 authorization"
Pavel.lobko (talk | contribs) |
|||
| (15 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | Unlike | + | Unlike anonymous API call we performed in our [[I2Rest_Server#basic_guide|quick start guide]], authorized API call requires OAuth2 token with "run_program" [[I2Rest_scopes#|scope]] and <code>*local</code> [[I2Rest_Gates#Session_System|Session System]] defined. |
;Step 1 | ;Step 1 | ||
| − | :Register two users on IBM i. | + | :Register two users on IBM i. The first will be used as a demonstrative OAuth2 resource owner, and the second one as an OAuth2 client. |
;Step 2 | ;Step 2 | ||
| − | :Create text file named I2RESTECHO.PCML anywhere on IFS, for example "/tmp/PCML/i2restecho.pcml". Copy and paste following code. It represents a description for the sample program I2RESTECHO, that is included into i2Rest Server installation for demonstration purposes: | + | :''This step is the same as in the basic example. You can skip this step if you've done the basic scenario.''<br/>Create text file named I2RESTECHO.PCML anywhere on IFS, for example "/tmp/PCML/i2restecho.pcml". Copy and paste following code. It represents a description for the sample program I2RESTECHO, that is included into i2Rest Server installation for demonstration purposes: |
<pre> | <pre> | ||
<pcml version="1.0"> | <pcml version="1.0"> | ||
| Line 16: | Line 16: | ||
;Step 3 | ;Step 3 | ||
| − | :Contact your system administrator for your IBM i server host name (or IP) and ''two'' available ports for "main" and "management" gates of your first i2Rest Server instance. Create file config.json (you can name it with any name and put it into any available IFS folder). | + | :Contact your system administrator for your IBM i server host name (or IP) and ''two'' available ports for "main" and "management" gates of your first i2Rest Server instance. Create file config.json (you can name it with any name and put it into any available IFS folder). Сopy and paste the snippet bellow. Replace with appropriate values highlighted with <b>bold</b> parts: host_name, ports, pcml_file, user (resource owner) and client. We will start with simplest non-encrypted connections, so please leave http as a protocol.<br/>For clarity, differences with [[I2Rest_quick_config|Basic configuration]] are highlighted in <span style="background:#D3D3D3;">gray</span>: |
| − | [[I2Rest_quick_config|Basic configuration]] | ||
{ | { | ||
| + | <span style="background:#D3D3D3;">"curdir": "/i2rest/1.0.0",</span> | ||
"gates": | "gates": | ||
{ | { | ||
| − | "main" : {"url":"http:// | + | "main" : {"url":"http://'''<host_name>[:port] (for example api.i2rest.com:1234)'''"}, |
| − | "management" : {"url":"http:// | + | "management" : {"url":"http://'''<host_name>[:port] (for example api.i2rest.com:4321)'''"} |
}, | }, | ||
"session_systems": | "session_systems": | ||
| Line 37: | Line 37: | ||
'-user' '${user}')) \ | '-user' '${user}')) \ | ||
INLLIBL(I2REST)" | INLLIBL(I2REST)" | ||
| − | } | + | }<span style="background:#D3D3D3;">, |
| − | + | { "name" : "*LOCAL", | |
"submit" : SBMJOB JOB(I2RESTS) \ | "submit" : SBMJOB JOB(I2RESTS) \ | ||
USER(${user}) \ | USER(${user}) \ | ||
| Line 53: | Line 53: | ||
{ | { | ||
"pcml_mount" : "echo", | "pcml_mount" : "echo", | ||
| − | "pcml_file" : "< | + | "pcml_file" : "<b><complete name of i2restecho.pcml on IFS (for example /tmp/PCML/i2restecho.pcml)></b>", |
"valid_in_anonymous" : true | "valid_in_anonymous" : true | ||
} | } | ||
| − | ] | + | ]<span style="background:#D3D3D3;">, |
| − | + | "OAuth2": | |
{ | { | ||
"scopes": | "scopes": | ||
| Line 65: | Line 65: | ||
"users": | "users": | ||
{ | { | ||
| − | "< | + | "<b>USRX</b>":{"description":"<b>John Johnes</b>","valid_clients":{"<b>TSTCLNT</b>":{"scopes":["run_program"]}}} |
}, | }, | ||
"clients": | "clients": | ||
{ | { | ||
| − | "< | + | "<b>TSTCLNT</b>":{"redirect_uri":"<b><main gate URL></b>/oauth2/redirect", |
"description":"Test client", | "description":"Test client", | ||
"valid_scopes":["run_program"], | "valid_scopes":["run_program"], | ||
| Line 77: | Line 77: | ||
}</span> | }</span> | ||
} | } | ||
| + | With "pcmls" object's <code> "valid_in_anonymous" : true</code> parameter unchanged, I2RESTECHO will be accessible to both anonymous and authorized requests. To allow only authorized requests, set <code>"valid_in_anonymous" : false</code> and remove definition of <code>"*ANONYMOUS"</code> session system.<br/> | ||
| + | Now you can update your [[I2Rest_Basic_Test#SOAP_UI|SoapUI I2RESTECHO test project]] with [[Auth_profile_SoapUI|Authorization profile]] and perform your authorized API call. | ||
Latest revision as of 17:54, 14 June 2021
Unlike anonymous API call we performed in our quick start guide, authorized API call requires OAuth2 token with "run_program" scope and *local Session System defined.
- Step 1
- Register two users on IBM i. The first will be used as a demonstrative OAuth2 resource owner, and the second one as an OAuth2 client.
- Step 2
- This step is the same as in the basic example. You can skip this step if you've done the basic scenario.
Create text file named I2RESTECHO.PCML anywhere on IFS, for example "/tmp/PCML/i2restecho.pcml". Copy and paste following code. It represents a description for the sample program I2RESTECHO, that is included into i2Rest Server installation for demonstration purposes:
<pcml version="1.0">
<program name="echo" path="/QSYS.LIB/%LIBL%.LIB/I2RESTECHO.PGM">
<data name="echo" usage="inputoutput" type="char" length="10" trim="both"/>
</program>
</pcml>
- Step 3
- Contact your system administrator for your IBM i server host name (or IP) and two available ports for "main" and "management" gates of your first i2Rest Server instance. Create file config.json (you can name it with any name and put it into any available IFS folder). Сopy and paste the snippet bellow. Replace with appropriate values highlighted with bold parts: host_name, ports, pcml_file, user (resource owner) and client. We will start with simplest non-encrypted connections, so please leave http as a protocol.
For clarity, differences with Basic configuration are highlighted in gray:
{
"curdir": "/i2rest/1.0.0",
"gates":
{
"main" : {"url":"http://<host_name>[:port] (for example api.i2rest.com:1234)"},
"management" : {"url":"http://<host_name>[:port] (for example api.i2rest.com:4321)"}
},
"session_systems":
[
{ "name" : "*ANONYMOUS",
"submit" : "SBMJOB JOB(I2RESTA) \
USER(${user}) \
CMD(CALL I2REST \
PARM('-session' \
'-url' '${surl}' \
'-uid' '${uid}' \
'-user' '${user}')) \
INLLIBL(I2REST)"
},
{ "name" : "*LOCAL",
"submit" : SBMJOB JOB(I2RESTS) \
USER(${user}) \
CMD(CALL I2REST \
PARM('-session' \
'-url' '${surl}' \
'-uid' '${uid}' \
'-user' '${user}')) \
'-init' 'ADDLIBLE I2REST'))" \
}
],
"pcmls":
[
{
"pcml_mount" : "echo",
"pcml_file" : "<complete name of i2restecho.pcml on IFS (for example /tmp/PCML/i2restecho.pcml)>",
"valid_in_anonymous" : true
}
],
"OAuth2":
{
"scopes":
{
"run_program" : {"description":"Authorized API call"}
},
"users":
{
"USRX":{"description":"John Johnes","valid_clients":{"TSTCLNT":{"scopes":["run_program"]}}}
},
"clients":
{
"TSTCLNT":{"redirect_uri":"<main gate URL>/oauth2/redirect",
"description":"Test client",
"valid_scopes":["run_program"],
"valid_grant_types":["authorization_code"]}
},
"tokens": {"type":"token"},"codes":{"type":"code"}
}
}
With "pcmls" object's "valid_in_anonymous" : true parameter unchanged, I2RESTECHO will be accessible to both anonymous and authorized requests. To allow only authorized requests, set "valid_in_anonymous" : false and remove definition of "*ANONYMOUS" session system.
Now you can update your SoapUI I2RESTECHO test project with Authorization profile and perform your authorized API call.
