Management API

This section describes the Management API of the Authorization Server. Once you have setup the Authorization Server service instance, you will need to provision scopes and register clients before access tokens can be requested. The Authorization Server will provide access tokens for registered (known) clients only.

The Management API's purpose is to help with the process of provisioning scopes and client registration via a set of HTTP based APIs and managing them.

Provisioning Scopes

A scope is what is known as an arbitrary string based on the user's context. Examples such as normal_scope, admin_scope determines the user's access level and the scopes that are associated with that level. Scope values cannot have space characters and it is recommended that any space be substituted with the underscore character.

Scopes can be added and removed using the /scope endpoint URI after the Management API base URI while setting up the Authorization Server.

Example - Scope endpoint URI

http(s)://hostname:port/authserver/api/scope

The following table lists all HTTP APIs available for provisioning scopes and the expected success return value.

URI

HTTP Method

Input Parameters

Input Format and Example

Return Value

Return Format and Example

URI

HTTP Method

Input Parameters

Input Format and Example

Return Value

Return Format and Example

/scope

GET

None

Format:
N/A
Example:
N/A

Space delimited list of all scopes provisioned

Format:
JSON

Example:
{"scope":"normal_scope admin_scope"} 

/scope

POST

Space delimited list of scopes to be provisioned

Format:
JSON

Example:
{"scope":"normal_scope admin_scope"}

Space delimited list of scopes provisioned succesfully

Format:
JSON

Example:
{"scope":"normal_scope admin_scope"}

/scope

PATCH

Space delimited list of scopes to be removed

Format:
JSON

Example:
{"scope":"admin_scope"} 

Space delimited list of scopes removed successfully

Format:
JSON

Example:
{"scope":"admin_scope"}

Client Registration

A client is an application that requires the REST API to be hosted on the HTTP/2 Server agent.

When the OAuth2 authorization is enabled in the HTTP/2 Server agent, the client must obtain an access token such as generated by Authorization Server and then provide the access token via the Authorization HTTP header for REST API requests. The client must be registered first before obtaining the access token from the Authorization Server.  Any unregistered client will not be accepted.

Clients can be registered and removed using the /clients endpoint URI after the Management API base URI.

Example - Client endpoint URI

http(s)://hostname:port/authserver/api/clients

Note!

The client name MUST be unique.

The following table lists all HTTP APIs available for provisioning scopes and the expected success return value:

URI

HTTP Method

Input Parameters

Input Format and Example

Return Value

Return Format and Example

URI

HTTP Method

Input Parameters

Input Format and Example

Return Value

Return Format and Example

/clients

GET

None

Format:
N/A

Example:
N/A

List of all clients registered

Format:
JSON

Example:
[{"client_name":"Some App","client_id":"YCuIPYVa0GryebpzniAZU5VGqye_dxBGdcXI","client_secret":"Ofy1-QfO3yrFYdk3dj1pmM30GKVre9Q6bMk6V7YIRmqGHwaijQ","scope":"normal_scope admin_scope"}]

/clients/<client_name>

GET

None

Format:
N/A

Example:
N/A

Client details for the <client_name> specified

Format:
JSON

Example:
{"client_name":"Some App","client_id":"YCuIPYVa0GryebpzniAZU5VGqye_dxBGdcXI","client_secret":"Ofy1-QfO3yrFYdk3dj1pmM30GKVre9Q6bMk6V7YIRmqGHwaijQ","scope":"normal_scope admin_scope"}

/clients

POST

client_name and scope of the client to be registered

Format:
JSON

Example:
{"client_name":"Some App","scope":"normal_scope admin_scope"}

Clients details for the <client_name> registered

Format:
JSON

Example:
{"client_name":"Some App","client_id":"YCuIPYVa0GryebpzniAZU5VGqye_dxBGdcXI","client_secret":"Ofy1-QfO3yrFYdk3dj1pmM30GKVre9Q6bMk6V7YIRmqGHwaijQ","scope":"normal_scope admin_scope"}

/clients/<client_name>

DELETE

N/A

Format:
N/A

Example:
N/A

Status for the removal of the client with <client_name>

Format:
JSON

Example:
{"status":"success"}

/clients/<client_name>

PUT

scope of client to be registered or modified if client exists

Format:
JSON

Example:
{"scope":"normal_scope admin_scope"}

Client details for the <client_name> that is registered or modified

Format:
JSON

Example:
{"client_name":"Some App","client_id":"YCuIPYVa0GryebpzniAZU5VGqye_dxBGdcXI","client_secret":"Ofy1-QfO3yrFYdk3dj1pmM30GKVre9Q6bMk6V7YIRmqGHwaijQ","scope":"normal_scope admin_scope"}

/clients/<client_name>

PATCH

N/A

Format:
N/A

Example:
N/A

Client details for the <client_name> that is specified and with new client_id and client_secret generated

Format:
JSON

Example:
{"client_name":"Some App","client_id":"YCuIPYVa0GryebpzniAZU5VGqye_dxBGdcXI","client_secret":"Ofy1-QfO3yrFYdk3dj1pmM30GKVre9Q6bMk6V7YIRmqGHwaijQ","scope":"normal_scope admin_scope"}

HTTP Status Code

The Management API in the Authorization Server will return certain codes to the client to indicate a successful or unsuccessful request. The following table will show the HTTP Status Code for successful HTTP API calls as well as all unsuccessful HTTP API calls.

HTTP Status Code

Return Value

Return Format

Return Example

HTTP Status Code

Return Value

Return Format

Return Example

200 (Successful)

This indicates that the HTTP API call is successful. The response will often include a body that is dependent on which method was used in the request.

JSON

Highly dependent on the HTTP method type.

400 (Bad Request)

Status of the HTTP API call and description of the status. Error is due to incorrect usage of the HTTP API by the user.

JSON

{"status":"error","description":"invalid form data"}

401 (Unauthorized)

Incorrect username and/or password provided for the HTTP API call when HTTP Basic Authentication is enabled for the Management API. The response HTTP header parameter "WWW-Authenticate" will be set to "Basic" in this case.

N/A

N/A

500 (Internal Server Error)

Status of the HTTP API call and description of the status. Error is due to the Authorization Server unable to handle the request internally.

JSON

{"status":"error","description":"database error"}

Access Token Endpoint

The access token endpoint is used by the client to request for access tokens. All clients have to be registered by using the Management API before the access token can be requested as all unregistered clients will not have their token request accepted. See the Client Registration section above for more information.

Every registered client will have a client_id and client_secret assigned by the Authorization Server and the access token can only be requested using this set of client credentials.

The access token can be requested using the Access Token URI that was configured using the access-token-uri parameter.

 

The client can request for the access token at the access token endpoint by following the steps below:

  • Setting the "client_id" and "client_secret" as username and password respectively in the HTTP Basic Authentication header.

  • Setting the "grant_type" parameter using the "application/x-www-form-urlencoded" format in the HTTP request entity-body. The value MUST be set to "client_credentials".

  • In the case that the client doesn't support HTTP Basic Authentication, the "client_id" and "client_secret" can be set using the the "application/x-www-form-urlencoded" format in the HTTP request entity-body as well using the "client_id" and "client_secret" parameter names respectively.

 

 

The access token response will contain the following parameters to the entity-body of the HTTP response with a 200 (OK) status code:

entity-body

Description

entity-body

Description

access_token

The access token issued by the Authorization Server

token_type

The value will always be Bearer

expires_in

The lifetime (in seconds) of the access token

 

In the event of an error when requesting an access token, The Authorization Server will respond with an HTTP 400 (Bad Request) status code unless specified otherwise. The response will include the following parameters:

entity-body

Description

entity-body

Description

error

A single ASCII [USASCII] error code from the following:

  • invalid_client

  • unsupported_grant_type

error_description

Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred.



Â