- Register your VDS Web Server as an ‘Authorization Server’.
- Click the Security > API tab, and then click Authorization Servers > Add Authorization Server.
- In the Add Authorization Server dialog, enter the details as shown in the following example:

| Setting | Example | Description |
|---|---|---|
| Name | VDSWebAPI | The name of the authorization server |
| Audience | 71FC520E-78DA-4EA7-96C1-164EA13FD5DO | This is a Globally Unique Identifier (GUID) that is generated using the GUID website http://new-guid.com. The GUID must be in upper case. You must keep a record of the generated GUID as it is used as the Smart API Service ID scope for the authorization server. |
| Description | VDSWebAPI | The description of the authorization server |

- Click Save.
- Click the Scopes tab, and then click Add Scope.
- In the Add Scope dialog, set the service ID scope as shown in the following example:

| Name | Description | Set as default scope | Include in public metadata |
|---|---|---|---|
| 71FC520E-78DA-4EA7-96C1-164EA13FD5DO | VDS Web API ID Scope | No | Yes |

The name must be the generated GUID for the authorization server.
- Click Create.
- In the Add Scope dialog, set the ingr.api scope as shown in the following example:

| Name | Description | Set as default scope | Include in public metadata |
|---|---|---|---|
| ingr.api | ingr.api | No | Yes |

- Click Create. The two new scopes display in the Scopes tab.
- Select the Claims tab and click Add Claim.
- In the Add Claim dialog, set the claims as shown in the following example:

| Name | Value | Scopes | Type | Included |
|---|---|---|---|---|
| sub | `(appuser !=null) ? appuser.userName : app.clientid` | Any | access | Always |
| ingr.session_id | `String.replace(String.replace(String.replace(Time.now(), ":", ""), "-", ""), ".", "")` | Any | access | Always |
| name | `String.join("", user.firstName, user.lastName)` | Any | access | Always |

- Click Create.

The sub claim on the generated token contains the user name you must use in your client application. The user name in your client application must match the name of the Okta user. When Okta employs users configured by an external identity provider, such as Active Directory, the users must be created in your client application before you can log on. Alternatively, you can create a default template user to avoid setting up each user.
- Click the Access Policies tab, and then click Add New Access Policy.
- In the Add Policy dialog, set the policy as shown in the following example:

| Name | Description | Assign to |
|---|---|---|
| VDS Web API Access Policy | Access policy for GDS Web API | Your client application Web Client |

Make sure that the client application Web Client assigned to the policy is set up and working before you complete this configuration.
- Click Create Policy.
- Click Add Rule. Rules allow for the configuration of the token lifetime and expiration.
- In the Add Rule dialog, set the rules as shown in the following example:

| Option | Detail |
|---|---|
| Rule Name | VDS Web API Token Rule |
| IF Grant type is Client acting on behalf of itself | Client Credentials |
| IF Grant type is Client acting on behalf of a user | Authorization Code, Implicit, Resource Owner Password |
| AND User is | Any user assigned the application |
| AND Scopes requested | Any scopes |
| THEN Access token lifetime is | 1 Hour |
| AND Refresh token lifetime is | Unlimited |
| BUT will expire if not used every | 7 Days |

- Click Create Rule.
- Record the Audience and the Issuer of the registered web API. You must have this information for a later step when editing the VDS Configuration Utility properties in Configure Security Settings for the VDS Web Server.
- Make sure all client application and VDS APIs and all access policies are active. Inactive access policies can result in errors when you try to view the 3D model.
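
The following added example (not part of the original documentation) checks a token issued by the new authorization server against the settings above: the recorded Issuer and Audience, the two scopes, the sub and ingr.session_id claims, and the 1 hour access token lifetime. It assumes that Okta access tokens carry their scopes as a list in the `scp` claim; the issuer URL, the helper names and the sample token are constructed placeholders, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

# AUDIENCE is the example GUID from this page; ISSUER is a placeholder (assumption).
AUDIENCE = "71FC520E-78DA-4EA7-96C1-164EA13FD5DO"
ISSUER = "https://example.okta.com/oauth2/SERVER_ID_PLACEHOLDER"
REQUIRED_SCOPES = {AUDIENCE, "ingr.api"}
MAX_LIFETIME = 3600  # seconds; the rule sets a 1 hour access token lifetime


def make_sample(claims):
    """Build a constructed, unsigned token for this demonstration only."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    parts = ({"alg": "RS256"}, claims)
    return ".".join(enc(json.dumps(p).encode()) for p in parts) + "." + enc(b"unsigned")


def decode_payload(token):
    """Decode the payload for inspection; this does NOT verify the signature."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    body = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(body))


def check_claims(claims):
    """Return the mismatches between a token and the settings on this page."""
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss does not match the recorded Issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not match the recorded Audience")
    missing = REQUIRED_SCOPES - set(claims.get("scp", []))  # assumes scp is a list
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    for name in ("sub", "ingr.session_id"):
        if not claims.get(name):
            problems.append("missing claim: " + name)
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    if not 0 < lifetime <= MAX_LIFETIME:
        problems.append("access token lifetime is not within 1 hour")
    return problems


if __name__ == "__main__":
    sample = {"iss": ISSUER, "aud": AUDIENCE, "scp": ["ingr.api"], "sub": "jsmith",
              "ingr.session_id": "20240101T120000000Z", "iat": 1700000000, "exp": 1700003600}  # constructed
    print(check_claims(decode_payload(make_sample(sample))))
```

An empty list means the token matches the configuration; the constructed sample reports the missing service ID scope.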