Spotfire® Server and Environment - Installation and Administration

register-api-client

Registers a new API client.

register-api-client 
[-b value | --bootstrap-config=value] 
[-t value | --tool-password=value]
<-n value | --name=value> 
{-Svalue}
[-p value | --client-profile=value]
[-a value | --token-endpoint-auth-method=value]
{-Gvalue} 
{-Rvalue} 
{-Cvalue}
{-Avalue} 
[-r <true|false> | --require-end-user-consent=<true|false>]

Overview

Use this command to register a new OAuth2 client that can access the public web service APIs. All information needed to use the client, including a client ID and a client secret, is shown after the command completes successfully. To use this command, at least one server in the collective must be running. Use the list-oauth2-clients command to find the IDs of all existing clients. Registered clients can be deleted using the delete-oauth2-client command.

Options

-b value
--bootstrap-config=value
  Optional. Default value: none.
  The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file.

-t value
--tool-password=value
  Optional. Default value: none.
  The configuration tool password used to decrypt the database password in the bootstrap.xml file. If the tool password is omitted, the command will prompt the end user for it on the console. See Bootstrap.xml file for more information.

-n value
--name=value
  Required. Default value: none.
  The name of the client to be created. Only used for display purposes, not guaranteed to be unique.

-Svalue
  Required. Default value: none.
  A scope (case sensitive) that the client should be authorized to request. Refer to the API documentation for valid values.
  Can be specified multiple times with different values.

-p value
--client-profile=value
  Optional. Default value: other.
  The client profile. Can be one of web, user_agent, native, or other.

-a value
--token-endpoint-auth-method=value
  Optional. Default value: none when the client profile is native; otherwise, client_secret_basic.
  The token endpoint authentication method to use. Can be one of the following:
    • none
    • client_secret_basic
    • client_secret_post
  Note: The Spotfire Server supports client_secret_jwt when acting as an OIDC client, but not when acting as an authorization server.

-Gvalue
  Optional. Default value: client_credentials.
  The grant types that the client should be able to use. Can be one of the following:
    • authorization_code
    • client_credentials
    • refresh_token
  The value refresh_token can be specified together only with authorization_code.
  Can be specified multiple times with different values.

-Rvalue
  Optional. Default value: none.
  An authorized redirect URI. Must be specified when using the authorization_code grant type, unless the client profile is native. Must be an absolute URI. Must have a protocol. Cannot contain a query or fragment component. The protocol must be https, unless the security.oauth2.server.client.redirect-uri-must-use-https configuration property is false.
  Can be specified multiple times with different values.

-Cvalue
  Optional. Default value: none.
  An authorized custom URI scheme. Can be specified only when the client profile is native.
  Can be specified multiple times with different values.

-Avalue
  Optional. Default value: none.
  An allowed HTTP (JavaScript) origin. Must be specified when the client profile is user_agent, and only then.
  Can be specified multiple times with different values.

-r <true|false>
--require-end-user-consent=<true|false>
  Optional. Default value: depends on the client profile (false for the client profile other, true for all other client profiles).
  Indicates whether the client should be required to request end-user consent (when using the authorization_code grant).
  If the security.oauth2.server.client.must-require-consent configuration property is true, then the value of this argument must be true unless the value of --client-profile is other.

Examples
In all examples below, the client wants to be able to perform uploads to the Spotfire library.
  • Register a client with the profile other (a headless application acting on its own behalf):
    register-api-client --name="Other client" -Sapi.rest.library.upload --client-profile=other -Gclient_credentials
  • Register a client with the profile web (a server-side web application), acting on behalf of an end-user:
    register-api-client --name="Web client" -Sapi.rest.library.upload --client-profile=web -Gauthorization_code -Rhttps://example.com/foo/return
  • Register a client with the profile web (a server-side web application), acting on behalf of an end-user, that may use long-lived refresh tokens (for continued access when the end-user is not present):
    register-api-client --name="Web client" -Sapi.rest.library.upload -Soffline --client-profile=web -Gauthorization_code -Grefresh_token -Rhttps://example.com/foo/return
  • Register a client with the profile native (for example, an iOS app), acting on behalf of an end-user, which should be allowed to make requests on behalf of the user without the user's explicit permission:
    register-api-client --name="Native client" -Sapi.rest.library.upload --client-profile=native -Gauthorization_code --require-end-user-consent=false
  • Register a client with the profile user_agent (a client-side web application), for use with the Spotfire JavaScript API:
    register-api-client --name="JavaScript API client" -Sapi.js-api -Soffline --client-profile=user_agent -Gauthorization_code -Grefresh_token -Ahttps://example.com -Rhttps://example.com/foo/return
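The option descriptions above impose several cross-option rules (grant types, redirect URIs, custom schemes, origins). The following pre-flight check is an added example, not Spotfire code: it applies those documented rules to a planned registration before the command is run, for instance when reviewing a change request. The function name, parameter names and message texts are hypothetical, and the server's own validation remains authoritative.

```python
from urllib.parse import urlsplit

PROFILES = {"web", "user_agent", "native", "other"}
GRANTS = {"authorization_code", "client_credentials", "refresh_token"}

def check_registration(profile="other", grants=("client_credentials",),
                       redirect_uris=(), custom_schemes=(), origins=(),
                       https_required=True):
    """Return the documented rules a planned register-api-client call breaks.

    https_required mirrors the server property
    security.oauth2.server.client.redirect-uri-must-use-https (assumed true).
    """
    grants, problems = set(grants), []
    if profile not in PROFILES:
        problems.append(f"unknown client profile: {profile}")
    for g in sorted(grants - GRANTS):
        problems.append(f"unknown grant type: {g}")
    if "refresh_token" in grants and "authorization_code" not in grants:
        problems.append("-Grefresh_token requires -Gauthorization_code")
    if "authorization_code" in grants and profile != "native" and not redirect_uris:
        problems.append("-Gauthorization_code requires at least one -R")
    if custom_schemes and profile != "native":
        problems.append("-C is only allowed with the native profile")
    if profile == "user_agent" and not origins:
        problems.append("the user_agent profile requires at least one -A")
    if origins and profile != "user_agent":
        problems.append("-A is only allowed with the user_agent profile")
    for uri in redirect_uris:
        scheme = urlsplit(uri).scheme.lower()
        if not scheme:
            problems.append(f"{uri}: must be an absolute URI with a protocol")
        elif https_required and scheme != "https":
            problems.append(f"{uri}: protocol must be https")
        if "?" in uri or "#" in uri:
            problems.append(f"{uri}: must not contain a query or fragment")
    return problems

if __name__ == "__main__":
    # Constructed request that breaks several rules at once.
    for p in check_registration("web", ["refresh_token"],
                                ["http://example.com/cb?next=1"],
                                custom_schemes=["myapp"]):
        print("REJECT:", p)
```

An empty list means the planned options are consistent with the rules stated on this page; it does not check that the scopes passed with -S are valid.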