Managing Clients

You can create OAuth2 clients with specific permissions for your application to work with Predix Platform services. Often this is the first step after creating an instance of a service.

1. In the Predix.io Console view, select the Space where your services are located.
2. In the Services Instances page, select the UAA instance to configure.
3. Select the Configure Service Instance option.
4. In the UAA Dashboard login page, specify your admin client secret and click Login.
5. In UAA Dashboard, select the Client Management tab.
   The Client Management tab has two views, Clients and Services . The Services view displays the service instances that you have created for your services.

   Note: The service instances displayed in the Services view were created while using the UAA that you are trying to configure. Service instances that you created using other UAA instances are not displayed on this page.
6. Click Create Client to open the Create Client form.
7. Complete the Create Client form.

   Field	Description
   Client ID	Specify a name for the OAuth2 client you are creating.
   Authorized Grant Types	Choose one or more of the following grant types: authorization_code When you use the authorization code grant type, the client directs the resource owner to UAA, which in turn directs the resource owner back to the client with the authorization code. client_credentials When you use the client credentials grant type, the OAuth2 endpoint in UAA accepts the client ID and client secret and provides Access Tokens. password When you use the resource owner password credentials grant type, the OAuth2 endpoint in UAA accepts the username and password and provides Access Tokens. refresh_token The refresh tokens are credentials used to obtain access tokens. You can choose this option to obtain refresh token from UAA. You can then use the refresh token to obtain a new access token from UAA when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope. implicit When you use the implicit grant type, UAA directly issues an Access Token to the client without authenticating the client. This reduces the number of round trips required to obtain an access token. For more information on grant types, see RFC 6749.
   Client Secret	Specify the password. It is important that you keep a note of this password. If lost, this password cannot be retrieved.
   Confirm Client Secret	Reenter the client secret.
   Redirect URI	Specify a redirect URI to redirect the client after login or logout (for example, http://example-app.com/callback). Use this URI when you start using UAA as the service provider for your external Identity provider. UAA uses the value of Redirect URI for /oauth/authorize and /logout endpoints. You must specify a Redirect URI value if you use the Authorization Code or Implicit authorization grant type. When you use the Authorization Code grant type, the Redirect URI is your application's endpoint or callback that expects user authorization code. When you use the Implicit grant type, the Redirect URI is the end point where UAA sends the bearer token. Unique Resource Identifier consists of: Access Protocol, http or https Domain or IP address Access Port such as 80 or 443 Path If you have a specific URL for your application callback, you can use that to set the Redirect URI value for the related client. For example, https://your-app-domain.run.aws-usw02-pr.ice.predix.io/path1/path2/callback. You can specify multiple values for Redirect URI as a list of allowed destinations that UAA server can redirect the users. For example, https://yourappdomain1.run.aws-usw02-pr.ice.predix.io/path1/path2/callback, https://yourappdomain2.run.aws-usw02-pr.ice.predix.io/path1/path2/callback. If the subdomain of your application is dynamic, you can set the value of Redirect URI using wilcards. For example, https://*.your-app-domain.run.aws-usw02-pr.ice.predix.io/path1/path2/callback. Note: You must only use ‘*’ for a domain that is exclusive to your application (Such as your-app-domain in example above). This prevents the redirect to be routed to an application that you do not own. You cannot use * in the top domain and sub domain (such as predix.io in the example above).
   Scopes	Scopes are permissions associated with an OAuth Client to determine user access to a resource through an application. The user permissions are for authorization grant types authorization_code, password and implicit. By default, the admin client is assigned all required scopes. For a new client, an administrator can select the scopes to be added based on client requirements. For a list of available scopes, see Scopes Authorized by the UAA. To use an OAuth2 client for your Predix Platform service instance, you must update your OAuth2 client to add scopes that are specific to each service after adding the client to the service instance.
   Authorities	Authorities are permissions associated with the OAuth Client when an application or API is acting on its own behalf to access a resource with its own credentials, without user involvement. The permissions are for the client_credentials authorization grant type. By default, the admin client is assigned all required authorities. For a new client, an administrator can select the authorities to be added based on client requirements. The list of authorities matches the list of scopes. For a list of available UAA scopes, see Scopes Authorized by the UAA. To use an OAuth2 client for your Predix Platform service instance, you must update your OAuth2 client to add authorities that are specific to each service after adding the client to the service instance. Note: An admin client is not assigned the default authority to change the user password. To change the user password, you must add the uaa.admin authority to your admin client.
   Auto Approved Scopes	Specify scopes that can be approved automatically for the client without explicit approval from a resource owner.
   Allowed Providers	Specifies the names of the external identity providers, if any. This field is required if you are using external identity providers with UAA as a service provider.
   Access Token Validity	Specifies the access-token expiration time in ms.
   Refresh Token Validity	Specifies the refresh-token expiration time in ms.

You can use the UAA command-line interface (UAAC) instead of UAA Dashboard to create an OAuth2 client.

1. Specify your UAA instance as the intended target.

   uaac target <uaa_instance_url> 

   <uaa_instance_url> is the URL to your trusted issuer, for example, https://11fa0273-9e2a-37e2-9d06-2c95a1f4f5ea.predix-uaa.run.aws-usw02-pr.ice.predix.io. You can retrieve this URL from the VCAP_SERVICES environment variable after binding your UAA instance to an application.

2. Log in using the administrative client.

   uaac token client get admin

3. Specify the administrative client secret at the prompt.
4. Use the following command to create the OAuth2 client:

   uaac client add [client_name] 
       --authorities "uaa.resource" 
       --scope "openid" 
       --autoapprove "openid" 
       --authorized_grant_types [authorization_code|implicit|password|client_credentials|refresh_token] 
       --redirect_uri [redirect_uri_1, redirect_uri_2, ...]

   For more information on UAA options such as scopes and authorized_grant_types, see the UAA documentation at https://github.com/GESoftware-CF/uaa/blob/master/docs/UAA-APIs.rst.

To use an OAuth2 client for secure access to your Predix Platform service instance from your application, you must update your OAuth2 client to add additional authorities or scopes that are specific to each service.

1. In the Console view, select the Space where your services are located.
2. In the Services Instances page, select the UAA instance to configure.
3. Select the Configure Service Instance option.
4. In the UAA Dashboard login page, specify your admin client secret and click Login.
5. In UAA Dashboard, select the Client Management tab.
   The Client Management tab has two views, Clients and Services. The Services view displays the service instances that you have created for your services.

   Note: The service instances displayed in the Services view are the instances that you created using the UAA that you are trying to configure. The service instances that you created using some other UAA instance are not displayed on this page.
6. Select the Switch to Services View option.
7. In the Services view, select the service that you need to update.
8. Choose an existing client or choose the Create a new client option. If you chose to create a new client, follow the steps in uaas-managing-clients.html#task_79a81b74-552e-4f74-abfc-bd37e6adac87.
9. Click Submit.
10. Click on the Switch to Clients View option.
11. In the Clients view, click the edit icon corresponding to the client added in the previous step.
12. Complete the Edit Client form.

    Field	Description
    Authorized Grant Types	Choose one or more of the following grant types: authorization_code When you use the authorization code grant type, the client directs the resource owner to UAA, which in turn directs the resource owner back to the client with the authorization code. client_credentials When you use the client credentials grant type, the OAuth2 endpoint in UAA accepts the client ID and client secret and provides Access Tokens. password When you use the resource owner password credentials grant type, the OAuth2 endpoint in UAA accepts the username and password and provides Access Tokens. refresh_token The refresh tokens are credentials used to obtain access tokens. You can choose this option to obtain refresh token from UAA. You can then use the refresh token to obtain a new access token from UAA when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope. implicit When you use the implicit grant type, UAA directly issues an Access Token to the client without authenticating the client. This reduces the number of round trips required to obtain an access token. For more information on grant types, see RFC 6749.
    Redirect URI	Specify a redirect URI to redirect the client after login (for example, http://example-app.com/welcome). This URI is used when you start using UAA as service provider for your external Identify provider.
    Scopes	By default, the client is assigned a few required scopes. For a new client, an administrator can select the scopes to be added based on the selected grant type. If you select the authorization_code, password and implicit grant type, you must update the scopes with service specific scopes. For a complete list of required scopes, see uaas-managing-clients.html#reference_ec1_t3d_bx. For a list of available UAA scopes, see Scopes Authorized by the UAA.
    Authorities	By default, the client is assigned a few required authorities. For a new client, an administrator can select the authorities to be added based on the selected grant type. If you select the client_credentials grant type, you must update the authorities with service specific authorities. For a complete list of scopes to be added for each service, see uaas-managing-clients.html#reference_ec1_t3d_bx. For a list of available UAA authorities, see Scopes Authorized by the UAA.
    Auto Approved Scopes	Specify scopes that can be approved automatically for the client without explicit approval from the resource owner.
    Allowed Providers	Specify the names of the external identity providers, if any. This field is required if you are using external identity providers with UAA as a service provider.
    Access Token Validity	Specifies the access token expiration time in ms.
    Refresh Token Validity	Specifies the refresh token expiration time in ms.

1. Specify your UAA instance as the intended target.

   uaac target <uaa_instance_url> 

   <uaa_instance_url> is the URL to your trusted issuer, for example, https://11fa0273-9e2a-37e2-9d06-2c95a1f4f5ea.predix-uaa.run.aws-usw02-pr.ice.predix.io. You can retrieve this URL from the VCAP_SERVICES environment variable after binding your UAA instance to an application.

2. Log in using the administrative client.

   uaac token client get admin

3. Specify the administrative client secret at the prompt.
4. Use the following command to change the client secret.

   uaac secret change

5. Enter the current administrative client secret at the prompt.
6. Enter the new administrative client secret at the prompt.
7. Reenter the new administrative client secret at the prompt.
   Note:

   Do not specify the administrative client secret using the -s option. Your terminal history retains a copy of those credentials.