OAuth 2.0 has become the defacto way to authenticate to IBM Connections and cloud services such as IBM Connections Cloud, Google and SalesForce and is *the* way to bridge systems. Despite being very powerful surprisingly few IBM Connections developers actually know of it or enough about it. OAuth 2.0 has been in IBM Connections for many releases and allows other services or API programs to impersonate users – and hence work as the user – without the user relinquishing control of their credentials. It’s very powerful stuff. This session acts as a primer on OAuth 2.0 for developers and administrators teaching you the ropes as well as teaching developers how to start utilizing OAuth 2.0 for IBM Connections on-premises as well as for IBM Connections Cloud. If you are developing for IBM Connections this is for you. Be warned – there will be code…
5. The problem we are trying to solve
Give me your Social
site username and
password and we can
play…
6. The problem we are trying to solve
Doesn’t really trust that
shiny new site – or IBM
Connec>ons for that
ma@er…
Give me your Social
site username and
password and we can
play…
7. The problem we are trying to solve
I support OAuth 2.0
and don’t want your
creden>als – just
authorize me to work
on your behalf…
24. 2) The site checks to see if it has Tokens for the Provider
in its credenGal store
CLIENT
PROVIDER
USER
2
25. 3) The site sends a redirecGon to the client telling it to
go authorize it at the Provider. The URL contains the
Client redirect_uri and client_id
CLIENT
PROVIDER
USER
3
26. 4) The user use the redirect URL and go the provider
and log ins if not already logged in. Then he authorizes
the Client
CLIENT
PROVIDER
USER
4
27. 5) The Provider returns a Gme limited
authorizaGon_code in a redirecGon URL to the user
CLIENT
PROVIDER
USER
5
28. 6) The User sends the authorizaGon_code to the Client
CLIENT
PROVIDER
USER
6
29. 7) Out-of-band the Client sends the authorizaGon_code,
it’s client_id, redirect_uri and secret to the Provider
CLIENT
PROVIDER
USER
7
30. 8) The Provider exchange the authorizaGon_code for a
short lived access_token (yellow) and a longer lived
refresh_token (blue)
CLIENT
PROVIDER
USER
8
31. 9) When the User now access the site it can use the
access_token to work as the User. Even if the user is not
there i.e. not logged into the site…
CLIENT
PROVIDER
USER
9