OAuth 2.0 Authorization
Hub implementation of OAuth 2.0 supports several authentication/authorization flow. To access resources of Hub itself and services connected to Hub, a client should obtain an access token. The flow that the client may use depends on:
- What information the client has (service credentials / user credentials).
- Where from the client access resources (from a browser / from the server side / from a standalone application).
- What Flow to Use?
- What Information You Should Have
- OAuth 2.0 Endpoints for Hub
- Register Client as a Service
What Flow to Use?
You develop... | Flow to use | Required parameters | Additional requirement |
---|---|---|---|
A rich client web application with all authorization logic in browser | Implicit flow | service id | Handle in browser request with a grant from Hub |
A web application with the authorization login on the server side | Authorization Code flow | service id , service secret | Handle request with a grant from Hub server on server side |
A desktop or a mobile application able to request authorization token non-interactively | Refresh Token flow | service id , service secret | Handle request with a grant from Hub server on server side |
A script that needs to access resources on behalf of itself | Client Credentials flow | service id , service secret | None |
A script that needs to access resources on behalf of some user | Resource Owner Password Credentials flow | service id , service secret , username and password | None |
What Information You Should Have
OAuth 2.0 Endpoints for Hub
For the Hub service, the OAuth 2.0 endpoints for authentication and token are:
- Authentication endpoint URL:
<Hub Service URL>/api/rest/oauth2/auth
- Token endpoint URL:
<Hub Service URL>/api/rest/oauth2/token
<Hub Service URL>
is the URL that is configured for the Hub service in your network environment.
For example, you have your company's server www.mycompany.com
and a Hub service. You can configure Hub to be accessible by www.mycompany.com/hub
or, let's say hub.mycompany.com
.
Subsequently, the OAuth 2.0 endpoints are as follows, respectively:
- For
www.mycompany.com/hub
:https://www.mycompany.com/hub/api/rest/oauth2/auth
andhttps://www.mycompany.com/hub/api/rest/oauth2/token
- For
hub.mycompany.com
:https://hub.mycompany.com/api/rest/oauth2/auth
andhttps://hub.mycompany.com/api/rest/oauth2/token
.
Register Client as a Service
To enable authorization you should register your client as a Hub service. You can do it either in
administrative UI or
programmatically.
Basically, you just send POST
request on /services
URL and get credentials of the newly
created service in response.
Sample script for registering client as a service
The following sample script considers Hub service to be installed to https://hub.company.com
and a client
OAuth 2.0 service - to https://myservice.company.com
.
Request
POST /api/rest/services?fields=id,secret HTTP/1.1
Host: hub.company.com
Accept: application/json
Content-Type: application/json
{
"name": "My Service",
"homeUrl": "https://myservice.company.com",
"redirectUris": ["https://myservice.company.com/authorized"],
"applicationName": "My Service",
"vendor": "Company Inc.",
"version": "1.0"
}
Response
{
"id": "98071167-004c-4ddf-ba37-5d4599fdf319",
"secret": "eAUyKgVfhSbV"
}
You can later use service's id
and secret
for authorization.
Service in Hub can be either trusted or not. If a service is trusted, then it can access Hub resource servers on behalf of itself. Also, when a user is sent from the trusted service to authorize himself, the user sees no additional warning.