For now we are using client authentication only (no user name) and generating the bearer tokens manually. Eventually we will use the more traditional methods of obtaining tokens, such as sending the user to authenticate with the Key Manager or passing along a SAML assertion.
See https://docs.wso2.com/display/AM180/Token+API
Setup - Subscribe to the API & Generate Keys
To generate a token you must first subscribe an application to the API; after that you can simply "regenerate" the token from the Store whenever you need a fresh one.
- Access the API Store at https://api-dev.ucsd.edu/store (for now you have to add a hosts-file entry to bypass the load balancer, and you have to use port 9443 for this to work).
- Create an Application (or use your "default application").
- Select the WebReg API and subscribe your application to it.
- View your subscriptions and generate a production key (I'm not sure if sandbox will work).
- The token that is generated should be used by your code to access the API. (This token is good for an hour; you can regenerate the token when you need to, or we can change the duration in the DB if necessary.)
...
```shell
curl -d "grant_type=client_credentials" \
  -H "Authorization: Basic VDdnbXRrVWdFaGlWRHo1djJlNTNKeEpSSnQ4YTpEVUpVN0dwNFNHOHhJa0ZHRF8zUzk4UUVDYmth" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  https://api-dev.ucsd.edu:8243/oauth2/token
```
The value after Authorization: Basic is the Consumer Key and Consumer Secret joined with a colon (key:secret) and base64-encoded; HTTP Basic credentials are not URL-encoded. Each header needs its own -H flag (a single -H with both headers comma-joined sends one malformed Authorization header). Treat the Consumer Secret as a credential: anyone holding it can mint tokens for your application. Invoking this command should return a new bearer token:
...
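The same client_credentials request as the curl command above, written as a small Python client that builds the Basic header, posts the grant, and caches the returned token until shortly before it expires so it is regenerated automatically rather than by hand. This is an added example, not code from the original page or from WSO2; it assumes the token endpoint and response shape of WSO2 API Manager (a JSON body with access_token and expires_in) and takes the HTTP transport and clock as parameters so it can be exercised offline.

```python
"""Client-credentials token source for the WSO2 token endpoint on this page.

Added example (not the page's or WSO2's own code). Assumptions: the endpoint
URL below, and a JSON response of the form
{"token_type": "bearer", "expires_in": 3600, "access_token": "..."}.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://api-dev.ucsd.edu:8243/oauth2/token"  # from the page


def basic_auth_header(consumer_key: str, consumer_secret: str) -> str:
    """HTTP Basic value: base64 of "key:secret". No URL-encoding is applied."""
    raw = f"{consumer_key}:{consumer_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def default_transport(url: str, headers: dict, body: bytes) -> dict:
    """Real HTTP POST via urllib; returns the parsed JSON response body."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ClientCredentialsTokenSource:
    """Fetches a bearer token with grant_type=client_credentials and reuses it
    until refresh_margin seconds before expires_in elapses, then regenerates."""

    def __init__(self, consumer_key, consumer_secret, endpoint=TOKEN_ENDPOINT,
                 transport=default_transport, clock=time.monotonic,
                 refresh_margin=60.0):
        self._key = consumer_key
        self._secret = consumer_secret
        self._endpoint = endpoint
        self._transport = transport   # injectable for tests / other HTTP libraries
        self._clock = clock           # injectable so expiry can be simulated
        self._margin = refresh_margin
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0          # how many times the endpoint was called

    def _fetch(self):
        headers = {
            "Authorization": basic_auth_header(self._key, self._secret),
            "Content-Type": "application/x-www-form-urlencoded",
        }
        body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii")
        resp = self._transport(self._endpoint, headers, body)
        if "access_token" not in resp:
            # WSO2 returns {"error": ..., "error_description": ...} on failure
            raise RuntimeError(f"token endpoint returned no access_token: {resp!r}")
        self._token = resp["access_token"]
        # The page says tokens last an hour; trust expires_in if present.
        lifetime = float(resp.get("expires_in", 3600))
        self._expires_at = self._clock() + lifetime - self._margin
        self.fetch_count += 1

    def token(self) -> str:
        """Return a valid bearer token, regenerating it when it is about to expire."""
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch()
        return self._token

    def bearer_header(self) -> dict:
        """Header to send on API calls through the gateway."""
        return {"Authorization": "Bearer " + self.token()}


if __name__ == "__main__":
    # Live call against the dev gateway using the key pair from the page's curl example.
    src = ClientCredentialsTokenSource("T7gmtkUgEhiVDz5v2e53JxJRJt8a",
                                       "DUJU7Gp4SG8xIkFGD_3S98QECbka")
    print(src.bearer_header())
```

Because the transport is a plain callable, the same class can be wired to requests or an async client without touching the caching logic, and a unit test can feed it a fake endpoint and a fake clock.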
- Register your application's Callback URL (https://api-dev.ucsd.edu:9443/store/site/pages/applications.jag, scroll to the bottom and click Edit on your application). This is where the browser will be sent once the authorization code is issued. For testing it doesn't need to actually work; we can check the browser's address bar to verify the code was generated.
- Open a browser to http://api-dev.ucsd.edu:8280/authorize?response_type=code&client_id=T7gmtkUgEhiVDz5v2e53JxJRJt8a&scope=TEST&redirect_uri=http://localhost/myApp after replacing the client_id with your Consumer Key and the redirect_uri with your Callback URL (they must match exactly).
- Check the location that your browser was sent to; it should be something like http://localhost/myApp?code=bd77892b4953c49376cbc31ed7d9c55. The code is not itself a bearer token: it is exchanged for one at the token endpoint with grant_type=authorization_code (see the Token API page linked above).
...
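The three steps above, as a set of helpers: building the /authorize URL with proper encoding, validating the redirect the browser lands on and pulling out the code, and assembling the token-endpoint request that turns the code into a bearer token. This is an added example, not code from the original page or from WSO2. It assumes the endpoints and parameters shown on the page, and it goes one step beyond the manual walkthrough by adding an OAuth 2.0 state parameter (the page's URL has none), which ties the redirect back to the request that started it.

```python
"""Authorization-code flow helpers for the WSO2 authorize/token endpoints above.

Added example (not the page's or WSO2's own code). Assumptions: the endpoint
URLs below and the scope=TEST value from the page; the `state` parameter is an
addition that the page's walkthrough does not use.
"""
import base64
import secrets
import urllib.parse

AUTHORIZE_ENDPOINT = "http://api-dev.ucsd.edu:8280/authorize"  # from the page
TOKEN_ENDPOINT = "https://api-dev.ucsd.edu:8243/oauth2/token"  # from the page


def new_state() -> str:
    """Unguessable per-login value, stored in the session before redirecting."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, redirect_uri, scope="TEST", state=None,
                        endpoint=AUTHORIZE_ENDPOINT) -> str:
    """URL to open in the browser (step 2). Parameters are form-encoded, so the
    redirect_uri appears as http%3A%2F%2F... rather than the bare form shown on
    the page; the server decodes either."""
    params = {"response_type": "code", "client_id": client_id,
              "scope": scope, "redirect_uri": redirect_uri}
    if state is not None:
        params["state"] = state
    return endpoint + "?" + urllib.parse.urlencode(params)


def parse_redirect(location, registered_redirect_uri, expected_state=None) -> str:
    """Extract the authorization code from the URL the browser landed on (step 3).
    Rejects a landing page other than the registered callback, an error reply
    from the server, and (when state was used) a state that does not match."""
    got = urllib.parse.urlsplit(location)
    want = urllib.parse.urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError(f"redirect landed on {location!r}, not the registered callback")
    query = dict(urllib.parse.parse_qsl(got.query))
    if "error" in query:
        raise ValueError(f"authorization server error {query['error']!r}: "
                         f"{query.get('error_description', '')}")
    if expected_state is not None:
        if not secrets.compare_digest(query.get("state", ""), expected_state):
            raise ValueError("state mismatch: stale login or forged redirect")
    code = query.get("code")
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def authorization_code_exchange(consumer_key, consumer_secret, code, redirect_uri):
    """(url, headers, body) for turning the code into a bearer token. Same Basic
    authentication as the client_credentials curl command on the page."""
    raw = f"{consumer_key}:{consumer_secret}".encode("ascii")
    headers = {
        "Authorization": "Basic " + base64.b64encode(raw).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the value sent to /authorize
    }).encode("ascii")
    return TOKEN_ENDPOINT, headers, body


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("T7gmtkUgEhiVDz5v2e53JxJRJt8a",
                              "http://localhost/myApp", state=state))
```

Keep the state value in the user's session between the redirect out and the redirect back; without it, a callback URL that works for "testing" also accepts a code planted by someone else.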
For more information on the SAML2 bearer assertion grant, refer to the blog post at http://soasecurity.org/2014/10/31/saml2-bearer-assertion-profile-for-oauth-2-0/