Confidential clients
Learn how to allow confidential clients to connect to mobile services in a secure way. For example, you can grant a back-end service access to the Push service.
Overview
Confidential clients are clients that are capable of maintaining the confidentiality of their authentication credentials. You can use the MobileFirst authorization server to grant confidential clients access to protected resources, in accordance with the OAuth specification. This feature allows you to grant access to your resources to non-mobile clients, such as performance-testing applications. You begin by registering a confidential client with MobileFirst Server. As part of the registration, you provide the credentials of the confidential client, which consist of an ID and a secret. In addition, you set the client's allowed scope, which determines the scopes that can be granted to this client. When a registered confidential client requests an access token from the authorization server, the server authenticates the client by using the registered credentials, and verifies that the requested scope matches the client’s allowed scope.
Registering confidential clients
- Select Runtime Settings in the console navigation sidebar, and then select the Confidential Clients tab.
- Select Create New to register a new confidential client.
- In the Create Confidential Client dialog
window, provide the requested configuration parameters:
- Display Name - an optional display name that is used to refer to the confidential client. The default display name is the value of the ID parameter.
- ID - a unique identifier of the confidential client.
- Secret - the secret that is used to authenticate the identity of the client.
- Allowed Scope - the client's allowed scope. The scope
is a space-separated list of scope elements. See OAuth scopes.
An element of an allowed scope can also include the special asterisk wildcard character (*), which signifies any sequence of zero or more characters. For example, if the scope element is "send*", the confidential client can be granted access to scopes that contain any scope element that starts with "send", such as "sendMessage". The asterisk wildcard can be placed at any position within the scope element, and can also appear more than once.
An allowed-scope parameter that consists of a single asterisk character (*) indicates that the confidential client can be granted a token for any scope.
- Select Save. You can now see your new registered
client in the confidential-clients table.
You can delete clients or edit their registration information, at any time, by selecting the relevant action icon for the client entry in the table.
- "admin" and "push" - these clients are used for supporting push
notifications from the administration service. These clients are automatically
registered when the server starts with the push service enabled.Note: If you delete any of these clients, notifications from the administration service to the push service stop working until the server is restarted.
- "Test Client" - this client is preregistered with MobileFirst Development Server, and can be used for testing. The ID and secret of the Test Client confidential client are both "test", and the client has an unlimited allowed scope ("*").
Acquiring access tokens
http(s)://<server_ip>:<server_port>/<project_name>/api/az/v1/token
In
the request, include the HTTP authorization header. The authorization
server uses this header to authenticate the confidential client. Follow
these steps to construct the authorization header:- Create a string that consists of the client ID and secret, separated by a colon (:). For example, for a testClient ID and a testSecret secret, use the string testClient:testSecret.
- Encode the result string to Base64 format.
- Add the string "Basic " before the encoded Base64 string.
Authorization: Basic dGVzdENsaWVudDp0ZXN0U2VjcmV0
In
addition to the authorization header, add the following two parameters
to the request, using the application/x-www-form-urlencoded format:- grant_type - this value must be set to "client_credentials".
- scope - the requested scope, as a space-separated list of zero or more scope elements. See OAuth scopes.
{
"access_token": "eyJhbGciOiJSUzI1NiIsImp3ay",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "sendMessage"
}
For
more information about access tokens, see Access tokens.
For information about the access-token response, see Access-token response.Accessing protected resources
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImp3ay