Use OAuth 2.0 token-based authentication with IBM Connections Mobile App

by Christoph Stoettner

A lot of people don’t like to store credentials in mobile apps or browsers. A good alternative is OAuth 2.0 tokens, but both the application and the server you’re talking to need to support them. The IBM Connections Mobile App can use them for authentication.

OAuth 2.0 can be used directly with WebSphere Application Server and Connections 6.0. No separate OAuth server or additional application is needed!

The IBM documentation was a little confusing for me, with lots of side notes, but you just need the following steps to use OAuth 2.0 token-based authentication with the IBM Connections Mobile App.

Register Client

Open wsadmin on the Deployment Manager and register the client identifier for the mobile app (the three arguments are client ID, description and the redirect URI the app listens on):

cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin

./wsadmin.sh -lang jython -username was-user -password password

execfile('oauthAdmin.py')

OAuthApplicationRegistrationService.addApplication("connections_social_mobile", "Connections Mobile", "com.ibm.ibmscp://com.ibm.mobile.connections/token")

Now open connectionsProvider.xml in /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/cellName/oauth20/ (cellName is the name of your cell) and set the following parameter to true. The mobile app is a public client: it cannot keep a client secret, so the provider must accept token requests that carry only the client ID. For a public client the registered redirect URI is what keeps an authorization code from being delivered to somebody else, so register it exactly as in the command above:

<parameter name="oauth20.allow.public.clients" type="cc" customizable="true">
    <value>true</value>     (1)
</parameter>
1 Default is false here!

Now the OAuth provider needs to be recreated from the edited file (run the command in Dmgr01/bin and replace nameCell01 with your cell name):

Linux
./wsadmin.sh -lang jython -conntype SOAP -c "print AdminTask.createOAuthProvider('[-providerName connectionsProvider -fileName /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/nameCell01/oauth20/connectionsProvider.xml]')" -username wasadmin -password password
Windows
wsadmin.bat -lang jython -conntype SOAP -c "print AdminTask.createOAuthProvider('[-providerName connectionsProvider -fileName d:/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/nameCell01/oauth20/connectionsProvider.xml]')" -username wasadmin -password password
The documentation tells you to restart all application servers now. I would wait until you have finished the mobile-config.xml changes.

Enable OAuth in mobile-config.xml

mobile-config.xml
...
<!-- SECURITY SETTINGS SECTION -->
<SecuritySettings enabled="true">
    <AuthType>OAuth</AuthType>  (1)
    ...
    <OAuthAuthorizationURL>https://yourcnx-webserver-name/oauth2/endpoint/connectionsProvider/authorize</OAuthAuthorizationURL>       (2)

    <OAuthTokenURL>https://yourcnx-webserver-name/oauth2/endpoint/connectionsProvider/token</OAuthTokenURL>                           (3)
    <OAuthClientId>connections_social_mobile</OAuthClientId> (4)
    ...
1 Change <AuthType/> to this line
2 Change <OAuthAuthorizationURL/> to this line and replace the hostname with your Connections hostname
3 Change <OAuthTokenURL/> to this line and replace the hostname with your Connections hostname
4 For information only: this is the client ID used in the registration command in the first step (default name)
When you sync the nodes and restart your application servers, the setting is active immediately! Users who already use the Connections Mobile app with saved credentials are logged out and need to reauthenticate in the web form for OAuth!
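To show what the configuration above actually enables, here is the authorization-code exchange a public client such as the mobile app performs against the two endpoints from mobile-config.xml. This is an added example, not code from the post, from IBM or from the mobile app. The hostname, client ID and redirect URI are the values from the post's configuration; the state value, the sample redirect and the sample token response are constructed here so the flow runs offline, and the JSON field names follow RFC 6749 rather than a captured response from a Connections server.

```python
"""Authorization-code flow of a public OAuth 2.0 client, as the Connections
Mobile App performs it against the WebSphere OAuth provider configured above.

Added example, not code from the post, from IBM or from the mobile app.
Hostname, client id and redirect URI are the post's values (hostname is a
placeholder); state, the sample redirect and the sample token response are
constructed here. No network access is needed to run it.
"""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# From the post's mobile-config.xml and registration command.
AUTHORIZE_URL = "https://yourcnx-webserver-name/oauth2/endpoint/connectionsProvider/authorize"
TOKEN_URL = "https://yourcnx-webserver-name/oauth2/endpoint/connectionsProvider/token"
CLIENT_ID = "connections_social_mobile"
REDIRECT_URI = "com.ibm.ibmscp://com.ibm.mobile.connections/token"


def build_authorize_url(state):
    """Step 1: the URL the app opens in its web view (the login form of Figure 1).
    A public client identifies itself by client_id only; there is no secret to send."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,  # random, single-use; lets the app reject redirects it did not start
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Step 2: after Grant (Figure 2) the provider redirects to the app's custom
    scheme (Figure 3). Validate the redirect before trusting the code in it."""
    parts = urlsplit(redirect_url)
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if base != REDIRECT_URI:
        raise ValueError("redirect does not match the registered redirect_uri: %s" % base)
    query = parse_qs(parts.query)
    if "error" in query:  # e.g. access_denied when the user clicked Deny
        raise PermissionError(query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this redirect was not initiated by this client")
    return query["code"][0]


def build_token_request(code):
    """Step 3: exchange the code at the token endpoint. The body is form-encoded and
    carries no client_secret, which is what oauth20.allow.public.clients=true permits."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must repeat the URI used in step 1
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, body, headers


def parse_token_response(body):
    """Step 4: keep only the token fields. The tokens are what the device stores;
    the user's password never is."""
    resp = json.loads(body)
    if "error" in resp:
        raise PermissionError(resp["error"])
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % resp.get("token_type"))
    return {
        "access_token": resp["access_token"],
        "refresh_token": resp.get("refresh_token"),
        "expires_in": int(resp.get("expires_in", 0)),
    }


def bearer_header(tokens):
    """Step 5: the header a later Connections API call carries instead of Basic auth."""
    return {"Authorization": "Bearer " + tokens["access_token"]}


def run_flow_offline():
    """Walk the whole flow with a constructed redirect and token response."""
    state = secrets.token_urlsafe(16)
    build_authorize_url(state)  # the app would open this URL now
    # Constructed: what the provider sends to the app after the user clicks Grant.
    redirect = REDIRECT_URI + "?" + urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    code = parse_redirect(redirect, state)
    _url, _body, _headers = build_token_request(code)  # would be POSTed to TOKEN_URL
    # Constructed: a token response in the shape RFC 6749 section 5.1 defines.
    sample = ('{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"Bearer",'
              '"expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"}')
    tokens = parse_token_response(sample)
    tokens["authorization"] = bearer_header(tokens)["Authorization"]
    return tokens


if __name__ == "__main__":
    print(run_flow_offline())
```

The two checks in parse_redirect are the ones that matter for a public client: the redirect has to arrive on the exact URI that was registered with addApplication, and the state has to be the one this run generated, otherwise a code injected by another app or page on the device would be exchanged for a token.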

Mobile Client configuration

When you add your server to the mobile app, you get the login screen of your Connections environment after entering the server hostname:

Figure 1. Login Form for Connections

Now the user needs to grant the app access to the system.

Figure 2. Grant or Deny Access
Figure 3. Redirect to Mobile App
I tested in a VPN environment and got messages that no profile could be found for my credentials, but a reload always showed the content. I think this needs to be tested a little bit more!