Difference between revisions of "Device flow description"

From i2Rest

Latest revision as of 13:04, 9 September 2020

Overview

OAuth 2.0 Device Flow (RFC 8628, https://tools.ietf.org/html/rfc8628) is the authorization scenario for devices (such as IBM i) that have no ability to display an authorization web page when requesting private data from resources with limited access.
[Figure: Device flow scheme (Device-flow-scheme1.png)]

(A) i2Rest Client initiates the flow with a request to the authorization server. The request includes the client identifier and the requested scope.
(B) The authorization server responds with a device code, an end-user code and the verification URL.
(C) i2Rest Client displays the end-user code and the verification URL, and thus instructs the end user to visit the authorization page using a user agent on another device.
(D) The end user follows the provided verification URL on any browser-capable device. The authorization server authenticates the resource owner and runs an authorization dialog to determine whether access will be granted or denied.
(E) i2Rest Client starts polling the authorization server with the device code to determine whether the user has authorized the request.
(F) The authorization server authenticates the client, validates the device code and, if access was granted by the end user, responds with an access token.

Device flow by i2Rest command

The following parameters are mandatory to perform a request with Device flow by the I2REST command.

Keyword      Parameter                          Description
AUTHMETHOD   Authentication method              *OAUTH2D must be specified
COMMAND      Request type                       Any of the available request types can be chosen
URL          API endpoint                       HTTP resource to serve the request
AUTHID       User/OAuth2 client/device ID       Credentials to authenticate I2Rest Client with the authorization server
AUTHPW       User/OAuth2 client/device password Credentials to authenticate I2Rest Client with the authorization server (paired with AUTHID)
AUTHURL      OAuth2 authorization endpoint      HTTP resource to be requested for an authorization URL and device code
TOKENURL     Token endpoint                     HTTP resource to be requested for an access token
SCOPE        Scope                              The set of resources and operations that the application is allowed to use with the access token

The i2Rest command example below is a request that creates the file i2rest.doc on Google Drive; see the appropriate use case (Device_flow_usecase_1).

I2REST COMMAND(*POST)
       URL('https://www.googleapis.com/drive/v3/files')
       BODY(*N '{"name":"i2rest.doc"}'
            'application/json' *YES 1208)
       OUTPUT(*BOTH)
       AUTHMETHOD(*OAUTH2D)
       DCMCLIENT(MYCLIENT)
       TOKENS('/tokens/tokens.usrspc')
       AUTHID('<client ID>')
       AUTHPW('<client secret>')
       AUTHURL('https://oauth2.googleapis.com/device/code')
       TOKENURL('https://oauth2.googleapis.com/token')
       SCOPE('https://www.googleapis.com/auth/drive.file')
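As an added illustration (not code from the i2Rest project or from this page), the following Python simulates the six steps (A) to (F) of the device flow end to end, with both the client's requests and the authorization server's replies, and shows what the AUTHURL, TOKENURL, AUTHID, AUTHPW and SCOPE parameters of the command correspond to at the protocol level: AUTHURL is the device authorization endpoint of step (A)/(B), TOKENURL is the endpoint polled in steps (E)/(F), and AUTHID/AUTHPW authenticate the client there. The client id, client secret, verification URL and user codes are constructed placeholders; the scope value is the one used in the command example. The simulation goes beyond the six steps listed above in that it also handles the authorization_pending, slow_down, access_denied and expired_token responses that RFC 8628 defines for the token endpoint.

```python
# Simulated RFC 8628 device flow: an in-memory authorization server plus a client walking
# steps (A)-(F). Added illustration, not i2Rest code; credentials/endpoints are placeholders.
import secrets
from dataclasses import dataclass
from typing import Optional

CLIENT_ID = "example-client-id"          # stands in for AUTHID (constructed placeholder)
CLIENT_SECRET = "example-client-secret"  # stands in for AUTHPW (constructed placeholder)
SCOPE = "https://www.googleapis.com/auth/drive.file"  # the SCOPE value used on the page
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant_type value

@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    decision: Optional[str] = None     # None = pending, otherwise "granted" / "denied"
    last_poll: float = float("-inf")   # used to enforce the polling interval

class AuthorizationServer:
    """Toy server: device authorization endpoint (AUTHURL) and token endpoint (TOKENURL);
    it owns a simulated clock (self.now) so the example runs deterministically."""

    def __init__(self, interval=5, lifetime=600):
        self.interval, self.lifetime, self.now = interval, lifetime, 0.0
        self.clients = {CLIENT_ID: CLIENT_SECRET}
        self.grants = {}

    def device_authorization(self, client_id, scope):
        # (A)/(B): issue device_code, user_code and the verification URL
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.grants[device_code] = DeviceGrant(client_id, scope, user_code, self.now + self.lifetime)
        return {"device_code": device_code, "user_code": user_code, "expires_in": self.lifetime,
                "verification_uri": "https://authz.example.invalid/device", "interval": self.interval}

    def user_decision(self, user_code, granted):
        # (D): the authenticated end user enters user_code on another device and decides
        for grant in self.grants.values():
            if grant.user_code == user_code and grant.decision is None:
                grant.decision = "granted" if granted else "denied"
                return True
        return False                        # unknown, expired or already-used code

    def token(self, grant_type, device_code, client_id, client_secret):
        # (F): authenticate the client, validate the device_code, answer the poll
        if self.clients.get(client_id) != client_secret:
            return {"error": "invalid_client"}
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.now > grant.expires_at:
            del self.grants[device_code]
            return {"error": "expired_token"}
        if self.now - grant.last_poll < self.interval:
            grant.last_poll = self.now
            return {"error": "slow_down"}    # client is polling faster than allowed
        grant.last_poll = self.now
        if grant.decision is None:
            return {"error": "authorization_pending"}
        del self.grants[device_code]         # device codes are single-use
        if grant.decision == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "scope": grant.scope}

def run_device_flow(server, sleep, show):
    """Client side: (A) request, (C) show code and URL, (E) poll until (F) settles."""
    resp = server.device_authorization(CLIENT_ID, SCOPE)
    show(resp["user_code"], resp["verification_uri"])
    interval = resp["interval"]
    while True:
        sleep(interval)
        tok = server.token(DEVICE_GRANT, resp["device_code"], CLIENT_ID, CLIENT_SECRET)
        if tok.get("error") == "authorization_pending":
            continue
        if tok.get("error") == "slow_down":  # RFC 8628 section 3.5: add 5 s to the interval
            interval += 5
            continue
        return tok                           # access token or a terminal error

def simulate(user_grants, decide_after_polls=2):
    """Whole exchange with a simulated end user; user_grants=None means the user never
    visits the verification URL, so the device code eventually expires."""
    server, state = AuthorizationServer(), {"user_code": "", "polls": 0}

    def show(user_code, uri):             # (C) client displays code and URL to the user
        state["user_code"] = user_code

    def sleep(seconds):                   # (D) happens while the client waits between polls
        server.now += seconds
        state["polls"] += 1
        if user_grants is not None and state["polls"] == decide_after_polls:
            server.user_decision(state["user_code"], user_grants)

    return run_device_flow(server, sleep, show)
```

simulate(True) returns a token response, simulate(False) returns {'error': 'access_denied'} and simulate(None) returns {'error': 'expired_token'} once the device code lifetime has elapsed. The server answers slow_down whenever the client polls sooner than the advertised interval, and the client reacts by adding 5 seconds to its interval; a device code is accepted only once and only for the client that requested it, which is the server-side check behind step (F).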