Difference between revisions of "Configuring OAuth2 authorization"
m |
|||
| Line 2: | Line 2: | ||
;Step 1 | ;Step 1 | ||
| − | :Register two users on IBM i. | + | :Register two users on IBM i. One will be used as a demonstrative OAuth2 resource owner, and the second one as an OAuth2 client. |
;Step 2 | ;Step 2 | ||
| − | :Create text file named I2RESTECHO.PCML anywhere on IFS, for example "/tmp/PCML/i2restecho.pcml". Copy and paste following code. It represents a description for the sample program I2RESTECHO, that is included into i2Rest Server installation for demonstration purposes: | + | :''This step is the same as in the basic example. You can skip this step if you've done the basic scenario.''<br/>Create text file named I2RESTECHO.PCML anywhere on IFS, for example "/tmp/PCML/i2restecho.pcml". Copy and paste following code. It represents a description for the sample program I2RESTECHO, that is included into i2Rest Server installation for demonstration purposes: |
<pre> | <pre> | ||
<pcml version="1.0"> | <pcml version="1.0"> | ||
| Line 16: | Line 16: | ||
;Step 3 | ;Step 3 | ||
| − | :Contact your system administrator for your IBM i server host name (or IP) and ''two'' available ports for "main" and "management" gates of your first i2Rest Server instance. Create file config.json (you can name it with any name and put it into any available IFS folder). Enter following text, replace host_name, ports, pcml_file, user ( | + | :Contact your system administrator for your IBM i server host name (or IP) and ''two'' available ports for "main" and "management" gates of your first i2Rest Server instance. Create file config.json (you can name it with any name and put it into any available IFS folder). Enter following text, replace host_name, ports, pcml_file, user (resource owner) and client (highlighted with <b>bold</b>) with appropriate values. We will start with simplest non-encrypted connections, so please leave http as a protocol.<br/>For clarity, differences with [[I2Rest_quick_config|Basic configuration]] are highlighted in <span style="background:#D3D3D3;">gray</span>: |
| − | [[I2Rest_quick_config|Basic configuration]] | ||
| Line 37: | Line 36: | ||
'-user' '${user}')) \ | '-user' '${user}')) \ | ||
INLLIBL(I2REST)" | INLLIBL(I2REST)" | ||
| − | } | + | }<span style="background:#D3D3D3;">, |
| − | + | { "name" : "*LOCAL", | |
"submit" : SBMJOB JOB(I2RESTS) \ | "submit" : SBMJOB JOB(I2RESTS) \ | ||
USER(${user}) \ | USER(${user}) \ | ||
| Line 53: | Line 52: | ||
{ | { | ||
"pcml_mount" : "echo", | "pcml_mount" : "echo", | ||
| − | "pcml_file" : "< | + | "pcml_file" : "<b><complete name of i2restecho.pcml on IFS (for example /tmp/PCML/i2restecho.pcml)></b>", |
"valid_in_anonymous" : true | "valid_in_anonymous" : true | ||
} | } | ||
| − | ] | + | ]<span style="background:#D3D3D3;">, |
| − | + | "OAuth2": | |
{ | { | ||
"scopes": | "scopes": | ||
| Line 65: | Line 64: | ||
"users": | "users": | ||
{ | { | ||
| − | "< | + | "<b>USRX</b>":{"description":"<b>John Johnes</b>","valid_clients":{"<b>TSTCLNT</b>":{"scopes":["run_program"]}}} |
}, | }, | ||
"clients": | "clients": | ||
{ | { | ||
| − | "< | + | "<b>TSTCLNT</b>":{"redirect_uri":"<b><main gate URL></b>/oauth2/redirect", |
"description":"Test client", | "description":"Test client", | ||
"valid_scopes":["run_program"], | "valid_scopes":["run_program"], | ||
| Line 77: | Line 76: | ||
}</span> | }</span> | ||
} | } | ||
| − | With "pcmls" object's <code> "valid_in_anonymous" : true</code> parameter unchanged, I2RESTECHO will be accessible to both anonymous and authorized | + | With "pcmls" object's <code> "valid_in_anonymous" : true</code> parameter unchanged, I2RESTECHO will be accessible to both anonymous and authorized requests. To allow only authorized requests, set <code>"valid_in_anonymous" : false</code> and remove definition of <code>"*ANONYMOUS"</code> session system.<br/> |
Now you can update your [[I2Rest_Basic_Test#SOAP_UI|SoapUI I2RESTECHO test project]] with [[Auth_profile_SoapUI|Authorization profile]] and perform your authorized API call. | Now you can update your [[I2Rest_Basic_Test#SOAP_UI|SoapUI I2RESTECHO test project]] with [[Auth_profile_SoapUI|Authorization profile]] and perform your authorized API call. | ||
Revision as of 09:52, 8 July 2020
Unlike anonymous API call we performed in our quick start guide, authorized API call requires OAuth2 token with "run_program" scope and *local Session System defined.
- Step 1
- Register two users on IBM i. One will be used as a demonstrative OAuth2 resource owner, and the second one as an OAuth2 client.
- Step 2
- This step is the same as in the basic example. You can skip this step if you've done the basic scenario.
Create text file named I2RESTECHO.PCML anywhere on IFS, for example "/tmp/PCML/i2restecho.pcml". Copy and paste following code. It represents a description for the sample program I2RESTECHO, that is included into i2Rest Server installation for demonstration purposes:
<pcml version="1.0">
<program name="echo" path="/QSYS.LIB/%LIBL%.LIB/I2RESTECHO.PGM">
<data name="echo" usage="inputoutput" type="char" length="10" trim="both"/>
</program>
</pcml>
- Step 3
- Contact your system administrator for your IBM i server host name (or IP) and two available ports for "main" and "management" gates of your first i2Rest Server instance. Create file config.json (you can name it with any name and put it into any available IFS folder). Enter following text, replace host_name, ports, pcml_file, user (resource owner) and client (highlighted with bold) with appropriate values. We will start with simplest non-encrypted connections, so please leave http as a protocol.
For clarity, differences with Basic configuration are highlighted in gray:
{
"gates":
{
"main" : {"url":"http://<host_name>[:port] (for example api.i2rest.com:1234)"},
"management" : {"url":"http://<host_name>[:port] (for example api.i2rest.com:4321)"}
},
"session_systems":
[
{ "name" : "*ANONYMOUS",
"submit" : "SBMJOB JOB(I2RESTA) \
USER(${user}) \
CMD(CALL I2REST \
PARM('-session' \
'-url' '${surl}' \
'-uid' '${uid}' \
'-user' '${user}')) \
INLLIBL(I2REST)"
},
{ "name" : "*LOCAL",
"submit" : SBMJOB JOB(I2RESTS) \
USER(${user}) \
CMD(CALL I2REST \
PARM('-session' \
'-url' '${surl}' \
'-uid' '${uid}' \
'-user' '${user}')) \
'-init' 'ADDLIBLE I2REST'))" \
}
],
"pcmls":
[
{
"pcml_mount" : "echo",
"pcml_file" : "<complete name of i2restecho.pcml on IFS (for example /tmp/PCML/i2restecho.pcml)>",
"valid_in_anonymous" : true
}
],
"OAuth2":
{
"scopes":
{
"run_program" : {"description":"Authorized API call"}
},
"users":
{
"USRX":{"description":"John Johnes","valid_clients":{"TSTCLNT":{"scopes":["run_program"]}}}
},
"clients":
{
"TSTCLNT":{"redirect_uri":"<main gate URL>/oauth2/redirect",
"description":"Test client",
"valid_scopes":["run_program"],
"valid_grant_types":["authorization_code"]}
},
"tokens": {"type":"token"},"codes":{"type":"code"}
}
}
With "pcmls" object's "valid_in_anonymous" : true parameter unchanged, I2RESTECHO will be accessible to both anonymous and authorized requests. To allow only authorized requests, set "valid_in_anonymous" : false and remove definition of "*ANONYMOUS" session system.
Now you can update your SoapUI I2RESTECHO test project with Authorization profile and perform your authorized API call.
