Difference between revisions of "Configuring OAuth2 authorization"
Pavel.lobko (talk | contribs) |
Pavel.lobko (talk | contribs) |
||
| Line 77: | Line 77: | ||
}</span> | }</span> | ||
} | } | ||
| − | With "pcmls" object's <code> "valid_in_anonymous" : true</code> parameter unchanged, I2RESTECHO will be accessible to anonymous and authorized request. To allow only authorized requests, <code> "valid_in_anonymous" : false</code> should be set. | + | With "pcmls" object's <code> "valid_in_anonymous" : true</code> parameter unchanged, I2RESTECHO will be accessible to both anonymous and authorized request. To allow only authorized requests, <code> "valid_in_anonymous" : false</code> should be set. |
Revision as of 16:20, 30 June 2020
Unlike anonimous API call we performed in our quick start guide, authorized API call requires OAuth2 token with "run_program" scope and *local Session System defined.
- Step 1
- Register two users on IBM i.
- Step 2
- Create text file named I2RESTECHO.PCML anywhere on IFS, for example "/tmp/PCML/i2restecho.pcml". Copy and paste following code. It represents a description for the sample program I2RESTECHO, that is included into i2Rest Server installation for demonstration purposes:
<pcml version="1.0">
<program name="echo" path="/QSYS.LIB/%LIBL%.LIB/I2RESTECHO.PGM">
<data name="echo" usage="inputoutput" type="char" length="10" trim="both"/>
</program>
</pcml>
- Step 3
- Contact your system administrator for your IBM i server host name (or IP) and two available ports for "main" and "management" gates of your first i2Rest Server instance. Create file config.json (you can name it with any name and put it into any available IFS folder). Enter following text, replace host_name, ports, pcml_file, user (must be a regestered IBM i user) and client (must be a regestered IBM i user) with appropriate values. We will start with simplest non-encrypted connections, so please leave http as a protocol.
Basic configuration authorized API call variant (differences are highlighted in green):
{
"gates":
{
"main" : {"url":"http://<host_name>[:port] (for example api.i2rest.com:1234)"},
"management" : {"url":"http://<host_name>[:port] (for example api.i2rest.com:4321)"}
},
"session_systems":
[
{ "name" : "*ANONYMOUS",
"submit" : "SBMJOB JOB(I2RESTA) \
USER(${user}) \
CMD(CALL I2REST \
PARM('-session' \
'-url' '${surl}' \
'-uid' '${uid}' \
'-user' '${user}')) \
INLLIBL(I2REST)"
},
{ "name" : "*LOCAL",
"submit" : SBMJOB JOB(I2RESTS) \
USER(${user}) \
CMD(CALL I2REST \
PARM('-session' \
'-url' '${surl}' \
'-uid' '${uid}' \
'-user' '${user}')) \
'-init' 'ADDLIBLE I2REST'))" \
}
],
"pcmls":
[
{
"pcml_mount" : "echo",
"pcml_file" : "<complete name of i2restecho.pcml on IFS (for example /tmp/PCML/i2restecho.pcml)>",
"valid_in_anonymous" : true
}
],
"OAuth2":
{
"scopes":
{
"run_program" : {"description":"Authorized API call"}
},
"users":
{
"USRX":{"description":"John Johnes","valid_clients":{"TSTCLNT":{"scopes":["run_program"]}}}
},
"clients":
{
"TSTCLNT":{"redirect_uri":"<main gate URL>/oauth2/redirect",
"description":"Test client",
"valid_scopes":["run_program"],
"valid_grant_types":["authorization_code"]}
},
"tokens": {"type":"token"},"codes":{"type":"code"}
}
}
With "pcmls" object's "valid_in_anonymous" : true parameter unchanged, I2RESTECHO will be accessible to both anonymous and authorized request. To allow only authorized requests, "valid_in_anonymous" : false should be set.
