Difference between revisions of "Configuring OAuth2 authorization"

Unlike anonymous API call we performed in our quick start guide, authorized API call requires OAuth2 token with "run_program" scope and *local Session System defined.

Step 1

Register two users on IBM i. The first will be used as a demonstrative OAuth2 resource owner, and the second one as an OAuth2 client.

Step 2

This step is the same as in the basic example. You can skip this step if you've done the basic scenario.
Create text file named I2RESTECHO.PCML anywhere on IFS, for example "/tmp/PCML/i2restecho.pcml". Copy and paste following code. It represents a description for the sample program I2RESTECHO, that is included into i2Rest Server installation for demonstration purposes:

<pcml version="1.0">

   <program name="echo" path="/QSYS.LIB/%LIBL%.LIB/I2RESTECHO.PGM">
      <data name="echo" usage="inputoutput" type="char" length="10" trim="both"/>
   </program>

</pcml>

Step 3

Contact your system administrator for your IBM i server host name (or IP) and two available ports for "main" and "management" gates of your first i2Rest Server instance. Create file config.json (you can name it with any name and put it into any available IFS folder). Сopy and paste the snippet bellow. Replace with appropriate values highlighted with bold parts:host_name, ports, pcml_file, user (resource owner) and client. We will start with simplest non-encrypted connections, so please leave http as a protocol.
For clarity, differences with Basic configuration are highlighted in gray:

{
   "gates":
   {
      "main"       : {"url":"http://<host_name>[:port] (for example api.i2rest.com:1234)"},
      "management" : {"url":"http://<host_name>[:port] (for example api.i2rest.com:4321)"}
   },
   "session_systems":
   [
      {  "name"   : "*ANONYMOUS", 
         "submit" : "SBMJOB JOB(I2RESTA)                \
                            USER(${user})               \
                            CMD(CALL I2REST             \
                               PARM('-session'          \
                                    '-url' '${surl}'    \
                                    '-uid' '${uid}'     \
                                    '-user' '${user}')) \
                            INLLIBL(I2REST)"
      },
      {  "name"   : "*LOCAL",
         "submit" : SBMJOB JOB(I2RESTS)                             \
                           USER(${user})                            \
                           CMD(CALL I2REST                          \
                              PARM('-session'                       \
                                    '-url' '${surl}'                \
                                    '-uid' '${uid}'                 \
                                    '-user' '${user}'))             \
                                    '-init' 'ADDLIBLE I2REST'))"    \
      } 
   ],
   "pcmls":
   [
      {
         "pcml_mount"         : "echo",
         "pcml_file"          : "<complete name of i2restecho.pcml on IFS (for example /tmp/PCML/i2restecho.pcml)>", 
         "valid_in_anonymous" : true
      }
   ],
   "OAuth2":
   {
      "scopes":
      {
         "run_program" : {"description":"Authorized API call"}
      },
      "users":
      {
         "USRX":{"description":"John Johnes","valid_clients":{"TSTCLNT":{"scopes":["run_program"]}}}
      },
      "clients":
      {
         "TSTCLNT":{"redirect_uri":"<main gate URL>/oauth2/redirect", 
                   "description":"Test client", 
                   "valid_scopes":["run_program"],
                   "valid_grant_types":["authorization_code"]}
      },
      "tokens": {"type":"token"},"codes":{"type":"code"}
   } 
}

With "pcmls" object's "valid_in_anonymous" : true parameter unchanged, I2RESTECHO will be accessible to both anonymous and authorized requests. To allow only authorized requests, set "valid_in_anonymous" : false and remove definition of "*ANONYMOUS" session system.
Now you can update your SoapUI I2RESTECHO test project with Authorization profile and perform your authorized API call.