Authenticating with OAuth 2.0

FTL clients: there are four choices.

  • Client credentials grant: pass the oauth2 token endpoint, client id, client secret, and (if needed) trust file to the realm connect call. The FTL library will fetch and refresh the token as needed. For example, in C API, pass the following to tibRealm_Connect:

    • TIB_REALM_PROPERTY_STRING_OAUTH2_SERVER_URL

    • TIB_REALM_PROPERTY_STRING_OAUTH2_CLIENT_ID

    • TIB_REALM_PROPERTY_STRING_OAUTH2_CLIENT_SECRET

    • TIB_REALM_PROPERTY_STRING_OAUTH2_SERVER_TRUST_FILE, if needed

  • Password credentials grant: in addition to the parameters for client credentials grant, pass a username and password to the realm connect call. The FTL library will fetch and refresh the token as needed. For example, in C API, in addition to the above parameters, pass TIB_REALM_PROPERTY_STRING_USERNAME and TIB_REALM_PROPERTY_STRING_USERPASSWORD to tibRealm_Connect.

  • Long-lived access token: pass an oauth2 access token (a signed JWT) directly to the realm connect call. The token must be valid for the lifetime of the application. For example, in C API, pass TIB_REALM_PROPERTY_STRING_OAUTH2_ACCESS_TOKEN to tibRealm_Connect.

  • Access token callback: set a callback in the properties object. The callback will be invoked by the FTL library whenever a new token is needed. For example, in C API, call tibProperties_SetOAuth2TokenFetchCallback and pass the properties object to tibRealm_Connect.

eFTL clients: there are four choices. Authentication with oauth2 is not supported for the JavaScript or Python API.

  • Client credentials grant: pass the oauth2 token endpoint, client id, client secret, and (if needed) trust file to the connect call. The eFTL library will fetch and refresh the token as needed. For example, in C API, set the oAuth2ServerUrl, oAuth2ClientId, oAuth2ClientSecret, and oAuth2TrustStore options when calling tibeftl_Connect.

  • Password credentials grant: in addition to the parameters for client credentials grant, pass a username and password to the connect call. The eFTL library will fetch and refresh the token as needed. For example, in C API, in addition to the above parameters, set the “username” and “password” options when calling tibeftl_Connect.

  • Long-lived access token: pass an oauth2 access token (a signed JWT) directly to the connect call. The token must be valid for the lifetime of the application. For example, in C API, set the oAuth2AccessToken option when calling tibeftl_Connect.

  • Access token callback: pass a callback to the connect call. The callback will be invoked by the eFTL library whenever a new token is needed. For example, in C API, set the oAuth2TokenFetchCallback and oAuth2TokenFetchCallbackArg options when calling tibeftl_Connect.

FTL servers: there are three choices. See “Authenticating to other FTL Servers” in FTL Server Configuration Parameters.

  • Client credentials grant: in the yaml configuration file, set “oauth2.svr.endpoint.token”, “oauth2.svr.client.id”, “oauth2.svr.client.secret” and (if needed) “oauth2.provider.trust.file” in the “ftlserver.properties” section for each FTL server.

  • Password credentials grant: in addition to the parameters for client credentials grant, set “user” and “password” in the “ftlserver.properties” section for each FTL server.

  • Long-lived access token: in the yaml configuration file, set “oauth2.access.token” (a signed JWT) in the “ftlserver.properties” section for each FTL server. The token must be valid for the lifetime of the FTL server.

Administrative tools:

  • Single sign-on may be configured for the UI. See “Single Sign-On with OAuth2” in FTL Server Configuration Parameters.

  • For the REST API, include an “Authorization” header in HTTP requests, where <token> must be a signed JWT:

    Authorization: Bearer <token>

  • If using “tibftladmin”, specify the “--oauth2.token” command line parameter (a signed JWT). See FTL Administration Utility.
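As an added example (not from the FTL documentation or product code): a Python pre-flight check for the long-lived access token options above, confirming that a JWT's exp claim covers the intended lifetime of the application or FTL server before the token is passed to the connect call, placed in the yaml file, or sent in the Bearer header. The sample token, its claims and the placeholder signature segment are constructed here; nothing is signature-verified, which remains the FTL server's job.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Parse the payload of a compact JWT (header.payload.signature).
    This only decodes claims; signature verification is left to the FTL server."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def token_covers_lifetime(token: str, required_seconds: int, now=None):
    """Return (ok, reason): ok is True only if the token's 'exp' claim is at
    least required_seconds in the future (or absent, i.e. a non-expiring token)."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return True, "no exp claim: token does not expire"
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("exp claim must be a numeric date (RFC 7519 NumericDate)")
    remaining = exp - now
    if remaining <= 0:
        return False, "token already expired %ds ago" % -remaining
    if remaining < required_seconds:
        return False, "token expires in %ds, but %ds are required" % (remaining, required_seconds)
    return True, "token valid for %ds" % remaining

def bearer_header(token: str) -> dict:
    """The REST API header form shown above: Authorization: Bearer <token>."""
    return {"Authorization": "Bearer " + token}

def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing only: the third
    segment is a placeholder, not a real signature, so a server would reject it."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    sig = base64.urlsafe_b64encode(b"placeholder-signature").rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims), sig)
```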