Copyright © Cloud Software Group, Inc. All Rights Reserved
Copyright © Cloud Software Group, Inc. All Rights Reserved


Chapter 13 OAuth Server : OAuth Server Endpoints
OAuth Server Endpoints
This section explains various endpoints to access the OAuth server for access token management.
Transport and Port
The OAuth server provides both HTTP and HTTPS transport for the endpoints. In production environments, HTTPS is recommended to provide the transport level security.
* 
By default, the ports for the HTTP and HTTPS transports are enabled with default values as 9322 and 9333 respectively.
If required, change the default value of the ports as follows:
Table 119 OAuth Server Transport and Port
Parameter
Config UI Field
Runtime Property
HTTP Port
Set the Transport scheme to HTTP as follows:
Gateway Engine Properties > Security > OAuth > Transport Scheme
Set the Port as follows:
Gateway Engine Properties > Security > OAuth > Port
Set in the ASG_CONFIG_HOME/asg.properties file.
The default value is 9322.
tibco.clientVar.DefaultImplementation/Connections/HTTP/OAuthWebappsConnection/Port
HTTPS Port
Set the Transport scheme to HTTPS as follows:
Gateway Engine Properties > Security > OAuth > Transport Scheme
Set the Port as follows:
Gateway Engine Properties > Security > OAuth WebApps SSL > Port
Set in the ASG_CONFIG_HOME/asg.properties file.
The default value is 9333.
tibco.clientVar.DefaultImplementation/Connections/HTTP/OAuthWebappsSSLConnection/Port
 
* 
If you use HTTPS transport, set the SSL properties listed using the Config UI as follows:
On the home page of Config UI, go to Gateway Engine Properties > Security > OAuth WebApps SSL.
Set the OAuth SSL properties. See OAuth WebApps SSL for details
Request Access Token
You must request an access token to access the OAuth enabled target services.
Based on the type of OAuth flow, the endpoint to request an access token requires different parameters. See Token Request API for details.
The following are the endpoints for each supported flow:
Client Credential Flow
The client credential flow is used when you want to access the target services using any trusted application. See Client Credential for details.
The client credential flow requires the following information to send an access token request:
Client ID
Client Secret
grant_type
Use the following endpoint to request an access token:
Table 120 Token Request Endpoint for Client Credential Flow
Method
URL
POST
http://ASGServerHost:httpPort/asg/oauth2/access_token?grant_type=client&client_id=CLIENT_ID_VALUE&client_secret=CLIENT_SECRET_VALUE
For example,
http://demoserverapi.tibco.com:9322/asg/oauth2/access_token?grant_type=client&client_id=237-924f4a26-f1a5-4934-a17a-69c22bd52dbe&client_secret=809950e0-c21c-4f84-8dab-239dba1c3187
where,
ASGServerHost is the machine running the Core Engine.
httpPort is the port value for HTTP transport.
CLIENT_ID_VALUE is the client ID of the registered application.
CLIENT_SECRET_VALUE is the client secret of the registered application.
Password Credential Flow
The password flow is used when you want to access the target services from an application that requires a username and password. When any application such as a web or mobile application is launched, and prompts for a username and password, the user credentials are verified by an identity service provider and exchanged for an access token.
The OAuth server validates the credentials before issuing the access token. After the access token is issued, the access token is the key to access the target services.
See Password Credential for details.
The password credential flow requires the following information to send an access token request:
Client ID
Client Secret
Username
Password
grant_type
Use the following endpoint to request an access token:
Table 121 Token Request Endpoint for Password Flow
Method
URL
POST
http://ASGServerHost:httpPort/asg/oauth2/access_token?grant_type=password&client_id=CLIENT_ID_VALUE&client_secret=CLIENT_SECRET_VALUE&username=USERNAME&password=PASSWORD
For example,
http://demoserverapi.tibco.com:9322/asg/oauth2/access_token?grant_type=client&client_id=237-924f4a26-f1a5-4934-a17a-69c22bd52dbe&client_secret=809950e0-c21c-4f84-8dab-239dba1c3187&username=john123&password=asgoauth2014
where,
ASGServerHost is the machine running the Core Engine.
httpPort is the port value for HTTP transport.
CLIENT_ID_VALUE is the client ID of the registerted application.
CLIENT_SECRET_VALUE is the client secret of the registerted application.
USERNAME is the username required for application.
PASSWORD is the password required for application.
Authorization Code Flow
To request an access token using the authorization code flow, an authorization code is required.
See Authorization Code for details.
The following steps are required to process the access token request for authorization code flow:
1.
Request an authorization code
The access token request requires a authorization code. Use the following endpoint to request an authorization code:
Table 122 Authorization Code Request Endpoint for Authorization Code Flow
Method
URL
POST
http://ASGServerHost:httpPort/asg/oauth2/authorize?response_type=code&client_id=CLIENT_ID_VALUE&client_secret=CLIENT_SECRET_VALUE&state=STATE_VALUE&redirect_uri=REDIRECT_URL_VALUE
For example,
http://ASGServerHost:httpPort/asg/oauth2/authorize?response_type=code&client_id=237-924f4a26-f1a5-4934-a17a-69c22bd52dbe&client_secret=809950e0-c21c-4f84-8dab-239dba1c3187&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
2.
Request an access token
The authorization code flow requires the following information to send an access token request:
Client ID
Client Secret
Authorization code
Redirect URL
grant_type
After the authorization code is returned, use the following endpoint to request an access token:
Table 123 Token Request Endpoint for Authorization Code Flow
Method
URL
POST
http://ASGServerHost:httpPort/asg/oauth2/access_token?grant_type=authorization_code&client_id=CLIENT_ID_VALUE&client_secret=CLIENT_SECRET_VALUE&code=AUTH_CODE_VALUE&redirect_uri=REDIRECT_URL_VALUE
For example,
http://ASGServerHost:httpPort/asg/oauth2/access_token?grant_type=authorization_code&client_id=237-924f4a26-f1a5-4934-a17a-69c22bd52dbe&client_secret=809950e0-c21c-4f84-8dab-239dba1c3187&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
where,
ASGServerHost is the machine running the Core Engine..
httpPort is the port value for HTTP transport.
CLIENT_ID_VALUE is the client ID of the registerted application.
CLIENT_SECRET_VALUE is the client secret of the registerted application.
STATE_VALUE is an arbitrary string that is returned in the callback.
AUTH_CODE_VALUE is the authorization code.
REDIRECT_URL_VALUE is the URL of the third party application which performs the authentication process.
Access Token Response Example
The response for the access token request contains the following information:
Access Token
Refresh token (Optional)
Expiry information for access token
Authorization grant type
Additional information depending on the used OAuth flow.
Sample Response
For example, the successful response for password credential flow is returned as follows:
 
Response:
 
{
"expires_in": 3600,
"token_type": "Bearer",
"refresh_token": "T1amGR21.IdKM.5ecbf91162691e15913582bf2662e0",
"access_token": "T1amGT21.Idup.298885bf38e99053dca3434eb59c6aa"
}
 
Access Token Error Example
For example, the following is an error response returned for an access token request which contains incorrect grant type:
Sample Response
For example, the error response is returned as follows:
 
Invalid Response: 400 Bad Request
 
{
"error": "invalid_grant",
"error_description": "Invalid username or password"
}
 
Copyright © Cloud Software Group, Inc. All Rights Reserved
Copyright © Cloud Software Group, Inc. All Rights Reserved