Use OAuth 2.0 token-based authentication with IBM Connections Mobile App

Created:
Last Update:
Author: Christoph Stoettner
Read in about 2 min · 387 words
HCL Connections OAuth Mobile

Fountain pen and a notebook

Photo by Aaron Burden | Unsplash

A lot of people don’t like to store credentials in mobile apps or browsers. A good workaround is the usage of OAuth 2.0 tokens, but the application needs to support it and the server you’re talking to too. The IBM Connections Mobile App can use it for authentication.

OAauth2 can be used directly with WebSphere Application Server and Connections 6.0. There are no special OAuth servers or applications needed!

The Documentation at IBM was a little bit confusing for me, there are lots of sidenotes, but you just need to do following steps, to use OAuth 2.0 token-based authentication with the IBM Connections Mobile App.

== Register Client

Open wsadmin and add the client identifier for the mobile app:

cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin

./wsadmin.sh -lang jython -username was-user -password password

execfile('oauthAdmin.py')

OAuthApplicationRegistrationService.addApplication("connections_social_mobile", "Connections Mobile", "com.ibm.ibmscp://com.ibm.mobile.connections/token")

Now open connectionsProvider.xml in /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/cellName/oauth20/! Set the following value to true:

<parameter name="oauth20.allow.public.clients" type="cc" customizable="true">
    <value>true</value>     
</parameter>
  • Default is false here!

Now the OAuth Provider needs to be recreated (start command in Dmgr01/bin):

Linux

./wsadmin.sh -lang jython -conntype SOAP -c "print AdminTask.createOAuthProvider('[-providerName connectionsProvider -fileName /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/nameCell01/oauth20/connectionsProvider.xml]')" -username wasadmin -password password

Windows

wsadmin.bat -lang jython -conntype SOAP -c "print AdminTask.createOAuthProvider('[-providerName connectionsProvider -fileName d:/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/nameCell01/oauth20/connectionsProvider.xml]')" -username wasadmin -password password

The Documentation tells you to restart all Application Servers now. I would wait until you finished the mobile-config.xml changes.

Enable OAuth in mobile-config.xml

mobile-config.xml

...
<!-- SECURITY SETTINGS SECTION -->
<SecuritySettings enabled="true">
    <AuthType>OAuth</AuthType>  
    ...
    <OAuthAuthorizationURL>https://yourcnx-webserver-name/oauth2/endpoint/connectionsProvider/authorize</OAuthAuthorizationURL>       

    <OAuthTokenURL>https://yourcnx-webserver-name/oauth2/endpoint/connectionsProvider/token</OAuthTokenURL>                           
    <OAuthClientId>connections_social_mobile</OAuthClientId> 
    ...

  • Change <AuthType/> to this line

  • Change <OAuthAuthorizationURL/> to this line, change your CNX Hostname

  • Change <OAuthTokenURL/> to this line, change your CNX Hostname

  • Just as an information this name was used in the registration command in the first steps (Default)

When you sync the nodes and restart your application servers, the setting is immediately activated! So users already use the Connections Mobile app (with saved credentials) are logged out and need to reauthenticate in the web form for OAuth!

Mobile Client configuration

When you add your server to the mobile app, you get the login screen of your Connections environment after providing the server hostname:

Login Form for Connections

Now the user needs to Grant the Access to the system.

Grant or Deny Access

Redirect to Mobile App

I tested in a VPN environment and got messages that no profile can be found for my credentials, but reload always showed the content. I think this needs to be tested a little bit more!

Author

Christoph Stoettner

I work at Vegard IT GmbH as a senior consultant with a focus on collaboration software, Kubernetes, security and automation. I mainly deal with HCL Connections, WebSphere Application Server, Kubernetes, Ansible, Terraform and Linux.

Sometimes my daily work results in technical talks and blog articles, which you can follow here more or less regularly. You can find the presentations in the main menu under public speaking .

I created a list of tools I use regularly, most of which have been released under an open source license.

In my spare time I read a lot, test all kinds of technical software and gadgets and try to follow about 200 RSS feeds.
Here you can find a collection of them.

This is my private blog, all opinions are my own.

           

Add a comment
Error
There was an error sending your comment, please try again.
Thank you!
Your comment has been submitted and will be published once it has been approved.

Your email address will not be published. Required fields are marked with *

Suggested Reading
Aaron Burden: Fountain pen and a notebook

Another new feature with IBM Connections 5.0 CR3

Within the fixlist of the new released CR3 of IBM Connections 5 there are several new configuration options mentioned. One of the interesting ones for me is the mobile update parameter AllowRemoveAccount. The default value is “false” and your Connections environment still works before, but what’s changed when you set this to true? The official documentation is already uptodate and shows us: When you set this option to true, accounts can be removed from a mobile device without requiring the user to login and without any authorization check. The user is asked to confirm the deletion of an account before it is removed.
Created:
Last Update: Read in about 3 min
Aaron Burden: Fountain pen and a notebook

IBM Connections Mobile Apps Update with CCM Support

Luis Benitez announced an update for the mobile applications of IBM Connections. Function is looking great. You can now view, approve and reject CCM Files with your mobile device. Screenshot from Socialize Me Read more: http://www.lbenitez.com/2013/11/ibm-connections-mobile-apps-updated.html
Created:
Last Update: Read in about 1 min
Aaron Burden: Fountain pen and a notebook

IBM releases CR1 for IBM Connections 4.0 and enable Mobile Admin

Today IBM released CR1 on IBM Fixcentral. CR1 is a set of 17 cumulative fixes and enable Mobile Admin (didn’t verified this, hope it will be there) too. Links for all CR1 Downloads (Multi OS Fixes) Fix list for IBM Connections 4.0 CR1 – Very long, seems to fix a lot IBM Connections 4.0 CR1 Post-install Deployment Configuration Steps Update strategy for IBM Connections 4.0 Cross-product relationship information You have to download 18 packages, because a new update installer is mandatory!
Created:
Last Update: Read in about 1 min