Generating an OAuth access token for an external application using IWA authentication (Retired) - SmartPlant Foundation - SmartPlant Foundation 2020 - Help - Hexagon PPM

SmartPlant Foundation and Web Client Modified and Retired Functionality


The following troubleshooting topic applies only if you are using a software version before update 23.

You must configure an OAuth client application entry in the SmartPlant Foundation Authorization server with the required settings, such as the client name, client ID, redirect URI, and so on. Note that the type of OAuth flow used by API Services for the external client must be set to AuthorizationCode.

You can configure access to the SmartPlant Foundation Web APIs from an external application using IWA authentication by following the example steps below to obtain an OAuth access token.

Issue an Authorization Code request

  1. From a browser, issue an Authorization Code request with the following fields completed:

    response_type
      Set to code for this type of request, so that the OAuth endpoint returns an authorization code.

    client_id
      The client ID obtained when the OAuth client application was configured; it identifies the client application making the request.

    redirect_uri
      The complete URL (including the protocol and port, if applicable) that the request is redirected to after the user grants access.

    scope
      The comma-delimited set of permissions that the application requests.

    state
      A value chosen by the application and sent in the Authorization Code request; it is returned with the response so the application can match the response to its request.

    For example:

    https://[OAuthServer]/oauth/connect/authorize?response_type=code&client_id=SPFWC&redirect_uri=https://[Site]/oauthredirect.html&scope=ingr.api,openid&state=12345

    This authorization code request prompts the user for the authentication details in Smart API Manager.

  2. After the user grants access, the browser is redirected to the redirect_uri with the following query parameters appended:

    code
      The authorization code.

    state
      The state value that was specified in the Authorization Code request.

    The following example shows a successful response to an Authorization Code request.

    https://[Site]/oauthredirect.html?code=c6153bbf147c1fcc5f05ebbabee2d396&state=12345

Issue a POST request to exchange the code for a token

The code that the application receives from the Authorization Code request is short-lived and must be exchanged for an access token within 60 seconds using a POST request.

Tip: You can configure the Authorization Code lifetime using the Authorization Code Lifetime setting in the authentication server.

  1. Create a POST request from the application to the /oauth/connect/token endpoint with the following form data:

    code
      The authorization code returned from the Authorization Code request.

    client_id
      The same client ID that was obtained when the OAuth client application was configured.

    client_secret
      The same client secret that was obtained when the OAuth client application was configured.

    redirect_uri
      The same redirect_uri that was sent in the Authorization Code request, to which the application is redirected after the user grants access.

    grant_type
      Defined in the OAuth 2.0 specification. This field must contain the value authorization_code.

    The following is an example POST request:

    POST /oauth/connect/token HTTP/1.1

    With the content type set as follows:

    Content-Type: application/x-www-form-urlencoded

    With the body content set to the following form fields (on the wire the fields are joined with & and each value is percent-encoded, so characters such as / and @ in the client secret must be encoded):

    client_id=SPFWC
    client_secret=J747q/YsHEfWE@fnO(vG)u^ta4-k38p}
    redirect_uri=https://[Site]/oauthredirect.html
    grant_type=authorization_code
    code=c6153bbf147c1fcc5f05ebbabee2d39

  2. The response contains an access token that can be used as a Bearer token in all subsequent authenticated requests to the Web API.

    The following is an example of a valid response with a Bearer token:

    {
      "access_token": "R1hPjq4vll3RVeGWhmiyPn1CpKhcVkJzXhDIB2wQ",
      "expires_in": 3600,
      "token_type": "Bearer"
    }
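The three steps above, as an added example that is not part of this help topic or of Hexagon's code: Python helpers that build the Authorization Code request, check the redirect (rejecting a state mismatch) and build the form-encoded token request without sending anything over the network. The hostnames oauth.example.com and spf.example.com are constructed placeholders for [OAuthServer] and [Site].

```python
# Added example (not Hexagon's code): the three steps above as offline helpers.
# The hostnames are constructed placeholders for [OAuthServer] and [Site].
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

OAUTH_SERVER = "https://oauth.example.com"                    # [OAuthServer]
REDIRECT_URI = "https://spf.example.com/oauthredirect.html"   # [Site]

def build_authorize_url(client_id, scopes, state=None):
    """Step 1: Authorization Code request URL. If no state is given, an
    unguessable one is generated so a forged redirect cannot be matched."""
    state = state or secrets.token_urlsafe(16)
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": ",".join(scopes),  # comma-delimited, e.g. ingr.api,openid
        "state": state,
    }
    return state, OAUTH_SERVER + "/oauth/connect/authorize?" + urlencode(query)

def parse_redirect(redirect_url, expected_state):
    """Step 2: read code and state off the redirect; refuse a state mismatch."""
    params = parse_qs(urlsplit(redirect_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not issued for this request")
    if "code" not in params:
        raise ValueError("redirect carries no authorization code")
    return params["code"][0]

def build_token_request(client_id, client_secret, code):
    """Step 3: form-urlencoded body for POST /oauth/connect/token (the secret's reserved characters are percent-encoded)."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
        "code": code,
    })
    return {"Content-Type": "application/x-www-form-urlencoded"}, body

def parse_token_response(raw_json):
    """Accept only a Bearer token with a positive remaining lifetime."""
    tok = json.loads(raw_json)
    if tok.get("token_type") != "Bearer" or not tok.get("access_token"):
        raise ValueError("unexpected token response")
    if int(tok.get("expires_in", 0)) <= 0:
        raise ValueError("token lifetime is not positive")
    return tok["access_token"], int(tok["expires_in"])
```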