Generating OAuth 2.0 Tokens while configuring connections
(IBM webMethods CloudStreams 11.1 Documentation, Administering webMethods CloudStreams, Cloud Connections, Services, and Connector Listeners)
In CloudStreams v10.3 and earlier releases, you could not generate Access Tokens required to configure the connection for OAuth 2.0 authorization. From the CloudStreams v10.4 release, for some connectors such as Salesforce CRM v44, you can generate the OAuth 2.0 Access Token while creating a new connection or while editing an existing connection from the connection configuration page in IBM webMethods Integration Server Administrator.
Approaches for generating OAuth 2.0 tokens
*Authorization Code Flow – An OAuth 2.0 flow that is used to grant an access token to server-hosted applications. In this flow, CloudStreams opens the web page for authorization, and after authorization, redirects the authorization code to CloudStreams.
*JSON Web Token (JWT) Flow – Authorization by a signed JSON Web Token (JWT).
*JSON Web Token (JWT) Client Assertion Flow – A variant of the OAuth 2.0 client credentials grant flow that uses a JSON Web Token (JWT) to authenticate the client. In this flow, the client generates a JWT assertion that carries its client identity (for example, the client ID as issuer and subject) and signs it with a private key. The signed assertion is then sent to the authorization server to request an access token. Unlike the standard client credentials flow, the JWT Client Assertion flow lets clients authenticate without transmitting their client secret over the network. The client can also include additional information in the JWT assertion, such as a unique identifier for the request or the scopes being requested. This provides a more secure mechanism for client authentication.
Prerequisites
*Install CloudStreams Server v10.4 or a later version with the latest fix level.
*Install the supported v10.4 CloudStreams Provider, for example, v10.4 WmSalesforceProvider v44.
*Enable the SaaS provider settings. For example, for Salesforce v44, you must have a Salesforce.com Connected App that uses a digital certificate created from the keystore configured in IBM webMethods Integration Server Administrator, and the OAuth settings of that Connected App must be enabled. For information on how to configure Integration Server keystores, see the Securing Communications with the Server section in the webMethods Integration Server Administrator's Guide.
Generating OAuth 2.0 access tokens using the Authorization Code Flow
1. On the Configure Connection page in IBM webMethods Integration Server Administrator, select OAuth 2.0 Authorization Code Flow from the Connection Type drop-down menu. The OAuth 2.0 Authorization Code Flow dialog box appears.
2. In the Connection Groups: OAuth v2.0 Authorization Code Flow section, click Generate Access Token.
3. In the Request Endpoints section, provide the URLs for the Authorization Endpoint and the Token Endpoint.
4. Select the SSL Connection option if you want to use a secure connection to the server using the Secure Socket Layer (SSL). Select the Keystore Alias, Key Alias and Truststore Alias (if required) configured in Integration Server.
5. Obtain the required Request Parameters from the SaaS provider application, for example, OAuth App Consumer ID (Client ID), Consumer Secret (Client Secret), and Scope. The fields in the Request Parameters section may vary as per the SaaS provider.
6. In the OAuth 2.0 Authorization Code Flow dialog box, type the required request parameters you obtained in the previous step. If the request must be sent through a proxy server, in the Proxy Server Alias field, specify the alias name of the enabled proxy server configuration on IBM webMethods Integration Server that will be used to route the request. Add the same Redirect URI in the Redirect URIs (Callback URL) field of the OAuth application settings section in your SaaS provider.
7. Click Authorize.
The authorization URI is built and the authorization page of the SaaS provider opens.
8. Log in to the SaaS provider and grant access to the required scopes, if any. If you have a developer account, you already have a default authorization server created for you. The authorization server is the server that issues the access token.
After successful authorization, the authorization server redirects the authorization code to CloudStreams.
9. CloudStreams exchanges the authorization code for an access token with the SaaS provider. The fields in the Connection Groups: OAuth V2.0 (Authorization Code Flow) section are populated after a successful response from the SaaS provider.
Generating OAuth 2.0 access tokens using the JSON Web Token (JWT) Flow
1. On the Configure Connection page in IBM webMethods Integration Server Administrator, select OAuth 2.0 JWT Flow from the Connection Type drop-down menu. The OAuth 2.0 JWT Flow dialog box appears.
2. In the Request Endpoints section, provide the URL of the token endpoint in the Token Endpoint field.
3. Select the SSL Connection option if you want to use a secure connection to the server using the Secure Socket Layer (SSL). Select the Keystore Alias, Key Alias and Truststore Alias (if required) configured in Integration Server.
4. For the Claims section, obtain the Claims information from the SaaS provider application, for example, Issuer and Subject. The fields in the Claims section may vary as per the SaaS provider.
5. Type the following required claims you obtained in the previous step:
*Issuer - Client ID, or Identifier, or name of the server or system issuing the JWT token.
*Subject - Identifier or the name of the user this token represents.
6. In the Claims section, type the following details:
*Expiration Time (mins) - Time after which the JWT expires.
7. In the Keystore and Proxy section, type the following details:
*Keystore Name - The Integration Server keystore that CloudStreams should use. This field lists all available Integration Server keystores. If there are no configured Integration Server keystores, the list will be empty. For information on how to configure Integration Server keystores, see the Securing Communications with the Server section in the webMethods Integration Server Administrator's Guide.
*Signing Alias - This alias is the value that is used to sign the outgoing request from CloudStreams to the authentication server. It is auto-populated based on the keystore selected in the Keystore Name field. This field lists all the aliases available in the chosen keystore. You must provide a signing alias to sign the JWT payload.
*Proxy Server Alias - If the request must be sent through a proxy server, in the Proxy Server Alias field, specify the alias name of the enabled proxy server configuration on IBM webMethods Integration Server that will be used to route the request.
8. Click Get Token.
The generated JWT token is sent to the authentication server, and the fields in the Connection Groups: OAuth V2.0 (JWT Flow) section are populated after a successful response from the SaaS provider.
Generating OAuth 2.0 access tokens using the JWT Client Assertion Flow
Note:
To generate access tokens using the JSON Web Token (JWT) Client Assertion Flow, the first step is to obtain the JWT token value. If you already possess the JWT token value, refer to the Generating JWT Assertion section.
Here is an example of setting up the Microsoft Graph connector using JWT Client Assertion authentication.
*Generating JWT tokens
1. On the Configure Connection page in IBM webMethods Integration Server Administrator, select OAuth v2.0 (JWT Client Assertion) connection from the Connection Type drop-down menu.
2. On the Connection Groups: OAuth v2.0 (JWT Client Assertion) section, click Generate Access Token.
The OAuth v2.0 JWT Client Assertion Flow dialog box appears.
3. In the Headers section of JWT Token, type the following detail:
*x5t: Base64-encoded SHA-1 thumbprint associated with the X.509 certificate. Select the X.509 certificate from a local directory by clicking the Browse button next to the x5t field. The system automatically populates the corresponding x5t value.
4. In the Claims section of JWT Token, obtain the Claims information from the SaaS provider application, for example, Issuer and Subject. The fields in the Claims section may vary as per the SaaS provider.
5. Type the following required claims you obtained in the previous step:
*Issuer: Client ID, or Identifier, or name of the server or system issuing the JWT token.
*Subject (Client ID): Identifier or the name of the user this token represents.
6. In the Claims section of JWT Token, type in the following details:
*Audience: The recipients or audiences for which the JWT is intended to be used.
*Expiration Time (mins): Time after which the JWT expires.
7. In the Keystore and Proxy section of JWT Token, type in the following details:
*Keystore Name: The Integration Server keystore that CloudStreams uses. This field lists all available Integration Server keystores. If there are no configured Integration Server keystores, the list will be empty. For information on how to configure Integration Server keystores, see the Securing Communications with the Server section in the webMethods Integration Server Administrator's Guide.
*Signing Alias: This alias is the value that is used to sign the outgoing request from CloudStreams to the authentication server. It is auto-populated based on the keystore selected in the Keystore Name field. This field lists all the aliases available in the chosen keystore. You must provide a signing alias to sign the JWT payload.
8. Click Generate JWT Token.
The generated JWT token is populated in the Client Assertion field of the JWT Assertion section after a successful response from the SaaS provider.
*Generating JWT Assertion
1. In the Request Endpoints section, provide the URL of the token endpoint in the Token Endpoint field.
2. Select the SSL Connection option if you want to use a secure connection to the server using the Secure Socket Layer (SSL). Select the Keystore Alias, Key Alias and Truststore Alias (if required) configured in Integration Server.
3. In the JWT Assertion Request Parameters section, type the following details:
*Client ID: The client identifier associated with the application.
*Scope: The resource identifier (application ID URI) of the resource you want, affixed with the .default suffix. The default value for this field is https://graph.microsoft.com/.default.
*Client Assertion (JWT Token): The obtained JWT Token value.
*Proxy Server Alias: The alias name of the enabled proxy server configuration on IBM webMethods Integration Server that is used to route the request.
4. Click Submit Request.
The generated client assertion token is sent to the authentication server and the fields in the Connection Groups: OAuth v2.0 (JWT Client Assertion) section are populated after a successful response from the SaaS provider.
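The JWT Flow and the JWT Client Assertion Flow described above both come down to the same mechanics: a JWT whose header carries the certificate thumbprint (x5t) and whose claims carry Issuer, Subject, Audience and Expiration Time is signed with the keystore private key and posted to the Token Endpoint, with no client secret on the wire. The Go program below is an added example, not CloudStreams or IBM code; it uses a constructed self-signed certificate as a stand-in for the keystore Signing Alias entry, and the client ID and endpoint URLs are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"net/url"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// NewSigningIdentity returns a throwaway RSA key and self-signed DER certificate: a constructed stand-in for the keystore entry chosen as Signing Alias.
func NewSigningIdentity() (*rsa.PrivateKey, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der
}

// X5T is the base64url-encoded SHA-1 thumbprint of the DER certificate, the value the x5t header carries.
func X5T(certDER []byte) string { s := sha1.Sum(certDER); return b64.EncodeToString(s[:]) }

// BuildClientAssertion mints the RS256 JWT: iss and sub carry the client ID, aud names the token endpoint, exp bounds the lifetime. Only the signature leaves the client; the private key never does.
func BuildClientAssertion(key *rsa.PrivateKey, certDER []byte, clientID, aud string, ttl time.Duration) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": X5T(certDER)})
	now := time.Now()
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": aud, "iat": now.Unix(), "exp": now.Add(ttl).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// TokenRequestBody is the form posted to the Token Endpoint (RFC 7523 client assertion): there is no client_secret field.
func TokenRequestBody(clientID, scope, assertion string) string {
	return url.Values{"grant_type": {"client_credentials"}, "client_id": {clientID}, "scope": {scope},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"}, "client_assertion": {assertion}}.Encode()
}

func main() {
	key, der := NewSigningIdentity()
	tok := BuildClientAssertion(key, der, "client-id-placeholder", "https://login.example.test/oauth2/v2.0/token", 5*time.Minute)
	println(TokenRequestBody("client-id-placeholder", "https://graph.microsoft.com/.default", tok))
}
```

For the JWT Flow the same signed token is sent instead as the assertion parameter of a jwt-bearer grant, with the Subject claim naming the user rather than the client; a short Expiration Time limits how long a captured assertion can be replayed.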