Add OAuth Scopes to REST API Endpoints
OAuth scopes limit access granted by the Authorization server to an application/user. An application/user can request one or more scopes when requesting an access token. Upon successful authentication, the access token issued will be limited to the web services associated with the scopes.
OAuth Scopes in EmpowerID
There are three components involved with OAuth scopes in EmpowerID. These are as follows:
Web Service — REST APIs created in Workflow Studio and published as protected app resources
Application — Protected Application Resource of SSO Type OAuth
OAuth client application — OAuth application which issues ClientID, Client Secret, API Key
In EmpowerID, scopes are assigned on a Protected Application Resource level. A protected application must be bound to an OAuth client application. Custom OAuth scopes are defined, and appropriate web services are assigned to the scope. When an application or user requests for an access token with defined scopes, the issued access token will be granted access to all the web services assigned to the requested scopes.
This topic demonstrates how to configure an OAuth scope for an application created in EmpowerID. To follow along, you will do the following:
Create a number of custom API REST endpoints/web services in Workflow Studio
Create an OAuth client application in EmpowerID
Create a Protected Application Resource in EmpowerID and bind the newly created OAuth client application to it
Add scope items for the custom API REST endpoints/web services to the Protected Application Resource
Assign the scope items to the web services
Grant access to the web services
Step 1 – Create custom REST API endpoints in Workflow Studio
Create custom API REST endpoints/web services for EmpowerID in Workflow Studio, such as those listed in the below table. Please note that these endpoints are examples. Replace these with your endpoints.
For reference on creating REST API endpoints in Workflow Studio, see Create Custom Rest API Endpoints.
EIDBot.ValidateOTP | EIDBot.Register |
EIDBot.Exists | EIDBot.GetRegisterInfo |
EIDBot.StartComputer | EIDBot.GetPersonFromCommunicationType |
EIDBot.StopComputer | EIDBot.GetMagicLoginForServiceProvider |
EIDBot.ComputerExists | EIDBot.RetrieveSecretL |
EIDBot.ChangePassword | EIDBot.RetrieveSecretC |
EIDBot.PushMessage | EIDBot.CheckOrgRoleID |
EIDBot.AdminUnlockUserURL | EIDBot.SearchServiceProviders |
EIDBot.CheckPrimaryOrgRoleOrgZoneID | EIDBot.ExternalCreds |
EIDBot.ShareSecret | EIDBot.CheckInCredsList |
EIDBot.CheckOutCred | EIDBot.GetSAPRoles |
EIDBot.TokenValid | EIDBot.AssignPersonToGroup |
Step 2 – Create an OAuth Client application
On the navbar of the EmpowerID Web interface, expand Single Sign-On > SSO Connections and select OAuth /OpenID Connect.
From the EmpowerID OAuth Client Apps tab of the OAuth page, click the Add button.
Under the General tab of the OAuth Provider Application Details page fill in the following:
Name – Name of the application
Display Name – Display name for the application
Description – Description for the application
Application Type – Select the appropriate application type from the drop-down.
Application Owner – Person creating the app by default; or, search for another person
Issuer – Defaults to EmpowerID; you can update the value to any string / URL you want.
Signing Certificate – Select a certificate with a private key from the EmpowerID certificate store
Click Save to create the application.
Step 3 – Add Client Secrets and Callback URLs to the app
After EmpowerID creates the application, expand the Client Secrets accordion and click the blue Add button in the grid header.
Copy the string in the Client Secret field.
After you have copied and saved the Client Secret, enter the following information:
Name – Name of the secret
Expires – Select I Year, 2 Years or Never.
Click Save to create the secret.
Expand the Callback URLs accordion.
Click the blue Add button in the Callback URLs accordion and then enter https://<yourserver>/WebIdPForms/OAuth/V2, replacing
<yourserver>
with the FQDN of your EmpowerID Web server. Add any other Callback URLs supported by your application. Callback URLs are case-sensitive.Click Save to close the dialog.
Copy and save the Client ID and API Key values.
Step 4 – Create a SSO app for the client app
On the navbar, under Single Sign-On, select Applications.
From the Actions pane, click Create Application.
Under the General tab of the Application Details page fill in the following:
Name – Name of the application
Display Name – Display name for the application
Description – Description for the application
Create a Tracking Only Account Store – Select this option to create an account store for the application.
Creation Location – Click the Select a Location link and then select and save the desired creation location for the application.
Click Single Sign-On tab of the Application Details page, do the following:
Single Sign-On Connection Type – Select OAuth / OpenID Connect.
OAuth Client Application – Search for and select the OAuth Client application you created above.
Click Add to Cart.
Click the Cart icon at the top of the page to open the cart.
Enter a reason for creating the application and then click Submit.
Step 5 – Add OAuth Scopes
Click the Find Applications breadcrumb on the Application Details page to return to the Find Applications page.
Search for the application you just created and click the Display Name link for it.
On the Application Details page that appears, select the SSO tab and expand the Scopes (OAuth) accordion.
Click the Add button on the grid header.
Add the following scopes (replace with your own):
eidbot.computer
eidbot.creds
eidbot.otp
eidbot.registration
eidbot.secrets
Expand the Scope to API Mappings accordion and click the Add button in the grid header.
In the API Info dialog that opens, do the following:
Scope – Search for and select the desired scope.
Protected API Endpoint – Search for and select the appropriate endpoint.
Click Save.
Repeat step 7 and assign scopes to the rest of the web services you registered in Workflow Studio.
Step 6 – Grant access to the web services
As with all resources protected by EmpowerID, API endpoints or web services are secured by the RBAC engine. This means that users with access to an endpoint cannot call or consume it. As this is the case, to test calling the endpoint and to make it available to your users, you need to create RBAC delegations for users who will be consuming your custom API endpoints.
On the navbar, expand Role Management and select Manage Delegations.
Select the Resource Delegations tab.
Do the following in the delegations form to grant access to your endpoints:
Resource Type – Select Web Service
Enter a Web Service to Search – Search for and select an endpoint
To Which Type of Actor Do You Wish to Assign Access – Select the appropriate actor type (Person, Business Role and Location, Group, Management Role, Management Role Definition, Query-Based Collection)
Click the Add button in the grid header and then search for and select the appropriate actor. For example, if you selected Business Role and Location as the actor type, you search for the specific Business Role and Location.
Access Level – Select Executor
Click Save.
Repeat Step 3 for each of your endpoints.
IN THIS ARTICLE