Updating the OAuth2 Client for Services
To use an OAuth2 client for secure access to your Predix Platform service instance from your application, you must update your OAuth2 client to add additional authorities or scopes that are specific to each service.
About this task
To enable your application to access a platform service, your JSON Web Token (JWT) must contain the scopes that the platform service requires. For example, two of the scopes required for the Access Control service are acs.policies.read and acs.policies.write.
The OAuth2 client uses an authorization grant to request an access token. Based on the type of authorization grant that you have used, you must update your OAuth2 client to generate the required JWT. For more information on how the OAuth2 client is created, see Creating OAuth2 client.
If you use the UAA Dashboard to create additional clients, the client is created for the default client_credentials grant type. Some required authorities and scopes are automatically added to the client. You must add additional authorities or scopes that are specific to each service.
In addition, the admin client is not assigned the default authority to change the user password. To change the user password, you must add the uaa.admin authority to your admin client.
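The following Python script is an added example; it is not part of this page or of the Predix or UAA documentation. It shows the two things the task above depends on: building a client_credentials token request for UAA's /oauth/token endpoint, and checking that a token's scope claim covers the scopes a service requires (the Access Control scopes named above) before the application calls that service. With the client_credentials grant, UAA populates the token's scope claim from the client's authorities, which is why that grant needs the service-specific authorities rather than scopes. The client id, secret, signing key and token are constructed sample values; the sample token is HS256-signed so the example runs offline, whereas UAA issues RS256 tokens that must be verified against the UAA instance's published public key.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse

# Scopes the page names for the Access Control service.
ACS_REQUIRED_SCOPES = {"acs.policies.read", "acs.policies.write"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_credentials_request(uaa_url: str, client_id: str, client_secret: str):
    """Return (url, headers, body) for a client_credentials token request.

    UAA's token endpoint is /oauth/token. The client id and secret travel in an
    HTTP Basic Authorization header; the grant type goes in the form body.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "response_type": "token"})
    return uaa_url.rstrip("/") + "/oauth/token", headers, body


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a constructed sample token (HS256 only so the example is offline)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    """Check the algorithm and signature before trusting any claim, then return the claims."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an alg swap
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def token_is_valid(token: str, key: bytes) -> bool:
    try:
        verify_hs256_jwt(token, key)
        return True
    except ValueError:
        return False


def missing_scopes(token: str, key: bytes, required: set) -> set:
    """Return the required scopes the (verified) token does not carry; empty means OK."""
    claims = verify_hs256_jwt(token, key)
    return set(required) - set(claims.get("scope", []))


def tamper_scope(token: str, extra_scope: str) -> str:
    """Constructed negative case: add a scope to the payload without re-signing."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["scope"] = claims.get("scope", []) + [extra_scope]
    return f"{header}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"


# Constructed sample values: a client that was given only one of the two ACS scopes.
DEMO_KEY = b"constructed-demo-signing-key"
DEMO_TOKEN = make_hs256_jwt({"client_id": "my-app", "scope": ["acs.policies.read", "uaa.resource"]}, DEMO_KEY)

if __name__ == "__main__":
    url, headers, body = build_client_credentials_request("https://uaa.example.invalid/", "my-app", "s3cret")
    print("POST", url, body)
    print("missing:", missing_scopes(DEMO_TOKEN, DEMO_KEY, ACS_REQUIRED_SCOPES))
    print("tampered token accepted:", token_is_valid(tamper_scope(DEMO_TOKEN, "acs.policies.write"), DEMO_KEY))
```

Run the check once after obtaining a token and before the first service call: a non-empty result from missing_scopes means the client still needs the service-specific authorities or scopes from the procedure below, and a tampered or wrongly signed token is rejected before its scope claim is ever read.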
Use the following procedure to update the OAuth2 client.
Procedure
- In the Console view, select the Space where your services are located.
- In the Services Instances page, select the UAA instance to configure.
- Select the Configure Service Instance option.
- In the UAA Dashboard login page, specify your admin client secret and click Login.
- In UAA Dashboard, select the Client Management tab. The Client Management tab has two views, Clients and Services. The Services view displays the service instances that you have created for your services. Note: The service instances displayed in the Services view are the instances that you created using the UAA instance that you are configuring. Service instances that you created using some other UAA instance are not displayed on this page.
- Select the Switch to Services View option.
- In the Services view, select the service that you need to update.
- Choose an existing client or choose the Create a new client option. If you choose to create a new client, follow the steps in t_creating_an_oauth_client.html#task_79a81b74-552e-4f74-abfc-bd37e6adac87.
- Click Submit.
- Click on the Switch to Clients View option.
- In the Clients view, click the edit icon corresponding to the client added in the previous step.
- Complete the Edit Client form. The fields are:
  - Authorized Grant Types: Choose one or more of the following grant types:
    - authorization_code: When you use the authorization code grant type, the client directs the resource owner to UAA, which in turn directs the resource owner back to the client with the authorization code.
    - client_credentials: When you use the client credentials grant type, the OAuth2 endpoint in UAA accepts the client ID and client secret and provides Access Tokens.
    - password: When you use the resource owner password credentials grant type, the OAuth2 endpoint in UAA accepts the username and password and provides Access Tokens.
    - refresh_token: Refresh tokens are credentials used to obtain access tokens. Choose this option to obtain a refresh token from UAA. You can then use the refresh token to obtain a new access token from UAA when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope.
    - implicit: When you use the implicit grant type, UAA directly issues an Access Token to the client without authenticating the client. This reduces the number of round trips required to obtain an access token.
    For more information on grant types, see RFC 6749.
  - Redirect URI: Specify a redirect URI to redirect the client after login (for example, http://example-app.com/welcome). This URI is used when you start using UAA as the service provider for your external identity provider.
  - Scopes: By default, the client is assigned a few required scopes. For a new client, an administrator can select the scopes to be added based on the selected grant type. If you select the authorization_code, password or implicit grant type, you must update the scopes with service-specific scopes. For a complete list of required scopes, see r_authorities_or_scopes_required_for_services.html#reference_ec1_t3d_bx. For a list of available UAA scopes, see Scopes Authorized by the UAA.
  - Authorities: By default, the client is assigned a few required authorities. For a new client, an administrator can select the authorities to be added based on the selected grant type. If you select the client_credentials grant type, you must update the authorities with service-specific authorities. For a complete list of authorities or scopes to be added for each service, see r_authorities_or_scopes_required_for_services.html#reference_ec1_t3d_bx. For a list of available UAA authorities, see Scopes Authorized by the UAA.
  - Auto Approved Scopes: Specify scopes that can be approved automatically for the client without explicit approval from the resource owner.
  - Allowed Providers: Specify the names of the external identity providers, if any. This field is required if you are using external identity providers with UAA as a service provider.
  - Access Token Validity: Specifies the access token expiration time in ms.
  - Refresh Token Validity: Specifies the refresh token expiration time in ms.
What to do next
You can complete the following additional tasks in UAA Dashboard:
- If you use the Authorization Code, Implicit, or Resource Owner Password grant type, you can manage users in UAA.
- You can create password policies for user passwords.
- You can set up an external identity provider or use UAA as an identity provider. See Managing Identity Providers.
If you have completed your OAuth2 client setup, you can bind your application to your service instance.