A lot of people don't like to store credentials in mobile apps or browsers. A good workaround is the use of OAuth 2.0 tokens, but both the application and the server it talks to need to support them. The IBM Connections Mobile App can use them for authentication.
OAuth 2.0 can be used directly with WebSphere Application Server and Connections 6.0. No separate OAuth server or application is needed!
The IBM documentation was a little confusing for me, with lots of side notes, but you only need the following steps to use OAuth 2.0 token-based authentication with the IBM Connections Mobile App.
== Register Client
Open wsadmin and add the client identifier for the mobile app:
cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
./wsadmin.sh -lang jython -username was-user -password password
execfile('oauthAdmin.py')
OAuthApplicationRegistrationService.addApplication("connections_social_mobile", "Connections Mobile", "com.ibm.ibmscp://com.ibm.mobile.connections/token")
Now open connectionsProvider.xml in /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/cellName/oauth20/ and set the following parameter to true (the default is false). The mobile app is a public client in OAuth 2.0 terms, it cannot keep a client secret, which is why this switch has to be enabled:
<parameter name="oauth20.allow.public.clients" type="cc" customizable="true">
<value>true</value>
</parameter>
Now the OAuth provider needs to be recreated (run the command in Dmgr01/bin; replace the cell name and path with your own):
Linux
./wsadmin.sh -lang jython -conntype SOAP -c "print AdminTask.createOAuthProvider('[-providerName connectionsProvider -fileName /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/nameCell01/oauth20/connectionsProvider.xml]')" -username wasadmin -password password
Windows
wsadmin.bat -lang jython -conntype SOAP -c "print AdminTask.createOAuthProvider('[-providerName connectionsProvider -fileName d:/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/nameCell01/oauth20/connectionsProvider.xml]')" -username wasadmin -password password
The documentation tells you to restart all application servers now. I would wait until you have finished the mobile-config.xml changes.
== Enable OAuth in mobile-config.xml
In mobile-config.xml, change the security settings section as follows:
...
<!-- SECURITY SETTINGS SECTION -->
<SecuritySettings enabled="true">
<AuthType>OAuth</AuthType>
...
<OAuthAuthorizationURL>https://yourcnx-webserver-name/oauth2/endpoint/connectionsProvider/authorize</OAuthAuthorizationURL>
<OAuthTokenURL>https://yourcnx-webserver-name/oauth2/endpoint/connectionsProvider/token</OAuthTokenURL>
<OAuthClientId>connections_social_mobile</OAuthClientId>
...
- Change <AuthType/> to OAuth.
- Change <OAuthAuthorizationURL/> to the authorize URL above, with your CNX hostname in place of yourcnx-webserver-name.
- Change <OAuthTokenURL/> to the token URL above, again with your CNX hostname.
- <OAuthClientId/> is the client identifier used in the registration command in the first step (connections_social_mobile is the default).
As soon as you sync the nodes and restart your application servers, the setting is active! Users who are already using the Connections Mobile app (with saved credentials) are logged out and need to re-authenticate in the web form for OAuth.
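The registration command, connectionsProvider.xml and mobile-config.xml have to agree with each other, and nothing in the procedure above tells you when they do not. The following script is an added example (not part of the original post and not IBM tooling) that checks the three against each other: the public-client switch is on, the client id the app sends is the registered one, and both OAuth endpoints use https and point at the same host and provider. The XML it parses is constructed sample data shaped like the snippets above; the root element names of the two files are assumptions, the parameter and tag names are the ones from the post.

```python
"""Consistency check for the OAuth settings of the Connections Mobile App.

Added example, not from the original post or from IBM. It checks that
connectionsProvider.xml and mobile-config.xml agree with the client that was
registered with oauthAdmin.py. The sample XML below is constructed; the root
element names are assumptions, the parameter and tag names are from the post.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of the relevant part of connectionsProvider.xml
PROVIDER_XML = """<OAuthServiceProvider>
  <parameter name="oauth20.allow.public.clients" type="cc" customizable="true">
    <value>true</value>
  </parameter>
</OAuthServiceProvider>"""

# Constructed sample of the SecuritySettings block of mobile-config.xml
MOBILE_CONFIG_XML = """<config>
  <SecuritySettings enabled="true">
    <AuthType>OAuth</AuthType>
    <OAuthAuthorizationURL>https://cnx.example.com/oauth2/endpoint/connectionsProvider/authorize</OAuthAuthorizationURL>
    <OAuthTokenURL>https://cnx.example.com/oauth2/endpoint/connectionsProvider/token</OAuthTokenURL>
    <OAuthClientId>connections_social_mobile</OAuthClientId>
  </SecuritySettings>
</config>"""

# Client id passed to OAuthApplicationRegistrationService.addApplication
REGISTERED_CLIENT_ID = "connections_social_mobile"


def provider_param(root, name):
    """Return the <value> text of the named <parameter>, or None if absent."""
    for p in root.iter("parameter"):
        if p.get("name") == name:
            v = p.find("value")
            return (v.text or "").strip() if v is not None else None
    return None


def check_oauth_config(provider_xml, mobile_xml, registered_client_id):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    prov = ET.fromstring(provider_xml)
    mob = ET.fromstring(mobile_xml)

    # 1. The mobile app has no client secret, so public clients must be allowed.
    if provider_param(prov, "oauth20.allow.public.clients") != "true":
        problems.append("oauth20.allow.public.clients is not true in connectionsProvider.xml")

    sec = mob.find("SecuritySettings")
    if sec is None or sec.get("enabled") != "true":
        problems.append("SecuritySettings missing or not enabled in mobile-config.xml")
        return problems

    def text(tag):
        el = sec.find(tag)
        return (el.text or "").strip() if el is not None else ""

    # 2. AuthType must be OAuth, otherwise the OAuth URLs are never used.
    if text("AuthType") != "OAuth":
        problems.append("AuthType is %r, expected 'OAuth'" % text("AuthType"))

    # 3. The client id the app sends must be the one registered with wsadmin.
    if text("OAuthClientId") != registered_client_id:
        problems.append("OAuthClientId %r does not match registered id %r"
                        % (text("OAuthClientId"), registered_client_id))

    # 4. Both endpoints must be https and belong to the same host and provider.
    hosts = set()
    for tag, path_end in (("OAuthAuthorizationURL", "/authorize"),
                          ("OAuthTokenURL", "/token")):
        u = urlparse(text(tag))
        if u.scheme != "https":
            problems.append("%s is not https" % tag)
        if not u.path.endswith("/oauth2/endpoint/connectionsProvider" + path_end):
            problems.append("%s does not point at the connectionsProvider %s endpoint"
                            % (tag, path_end.strip("/")))
        hosts.add(u.hostname)
    if len(hosts) != 1:
        problems.append("authorization and token URLs use different hosts: %s"
                        % sorted(h or "" for h in hosts))
    return problems


if __name__ == "__main__":
    result = check_oauth_config(PROVIDER_XML, MOBILE_CONFIG_XML, REGISTERED_CLIENT_ID)
    for line in result or ["OK: provider and mobile-config agree"]:
        print(line)
```

To use it against real files, read the two XML files from the Dmgr01 config directory and the Connections config and pass their contents in place of the constructed samples; the check is read-only and does not touch WebSphere.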
== Mobile Client configuration
When you add your server to the mobile app, you get the login screen of your Connections environment after entering the server hostname:
Now the user needs to grant access to the system.
I tested in a VPN environment and got messages that no profile could be found for my credentials, but reloading always showed the content. I think this needs to be tested a little bit more!