Title: OAuth 2.0 in the HTTP Connector
Introduction:
All grant types for OAuth 2.0 will require the client ID and client secret since it is used to construct the POST request as an x-www-form-urlencoded?body. Scope and additional authorization/access token parameters are specified by the endpoint. We assume you have set up the callback URL or redirect URI in the endpoint correctly. Some important things to know first if you are using the native OAuth 2.0 implementation in the HTTP connection,
The platform makes the authorization token and access token requests for grant type authorization code and resource owner credentials, not the selected runtime since the platform will now handle the refreshing and storage of the token. For the grant type client credential and JWT bearer, the runtime makes the calls. You will be able to use a proxy on the local runtime to view that request if you want to
A proxy cannot be used to view the OAuth 2.0 requests through the atom since the platform handles it for the grant types mentioned above
The access token (or any part of the token response) cannot be retrieved from within the process, the HTTP connector automatically sets those
Response to the Access Token request:
Access Token Response:
The response with an access token should contain the following properties:
? access_token (required) The access token string as issued by the authorization server.
? token_type (required) The type of token this is, typically just the string "Bearer”.
? expires_in (recommended) If the access token expires, the server should reply with the duration of time the access token is granted for.
? refresh_token (optional) If the access token will expire, then it is useful to return a refresh token which applications can use to obtain another access token. However, tokens issued with the implicit grant cannot be issued a refresh token.
? scope (optional) If the scope the user granted is identical to the scope the app requested, this parameter is optional. If the granted scope is different from the requested scope, such as if the user modified the scope, then this parameter is required.
Grant Types:
1. Authorization Code
2. Resource Owner Credentials
3. Client Credentials
Authorization Code :
All of the above is done automatically behind the scenes after you enter your credentials the first time you hit generate. The HTTP connector will try its best to refresh the token by making subsequent refresh token requests to the?Access Token URL?and storing the new access token automatically.?
领英推荐
Resource Owner Credentials:
The HTTP connector will try its best to refresh the token by making subsequent refresh token requests to the?Access Token URL?and store the new access token automatically. If there is no refresh token, you have to get a new access token. If there is a method to keep the access alive longer through continued use, that is entirely up to the endpoint to let you know how long an access token is kept alive and how it can be kept further alive.??
Client Credentials:
There is no refresh token so you can't refresh the current access token. A new access token should be acquired each time or until it expires.?
Authorization request:
A standard OAuth 2.0 token request would send a POST request with an x-www-form-urlencoded?body like this,
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&client_id=balhablah
... so anything not similar to that wouldn't work in Boomi e.g.,
Access token response:
The HTTP connector expects an access token response to follow the standards so it should look something like this,
{
"token_type": "Bearer",
"access_token": "T7GR1ecMM513sqFdNGa10RzMWBM6",
"expires_in": "1799",
? "other_elements": "test"
}
If there are extra elements that's acceptable. Things that will not work,
If the endpoint has something like the above, the HTTP connector will not be able to make OAuth 2.0 requests to the resource. You will need to make more manual calls and construct the OAuth 2.0 requests according to the endpoint's documentation. Again, most of the things mentioned here are from an endpoint not following the standard OAuth 2.0 specifications like having different access token and refresh token endpoints. The additional Authorization header (and the refresh token life) for basic auth is currently not supported, but is an option according to specifications. For various strategies to use an endpoint's OAuth 2.0 and ways to store the access and refresh the token yourself, please view making Manual OAuth 2.0 Calls.