Managing Clients
Creating an OAuth2 Client
You can create OAuth2 clients with specific permissions for your application to work with Predix Platform services. Often this is the first step after creating an instance of a service.
About This Task
When you create an instance of UAA, the UAA Dashboard is available for configuring that instance of UAA. You can use the Client Management tab in the UAA Dashboard to create the OAuth2 clients.
If you prefer to use the UAA command-line interface (UAAC) instead of the UAA Dashboard to create an OAuth2 client, see uaas-managing-clients.html#task_sp2_zvk_rdb.
Procedure
What To Do Next
See uaas-managing-clients.html#task_k3h_k2c_1x for your service-specific information.
Using UAAC to Create an OAuth2 Client
You can use the UAA command-line interface (UAAC) instead of the UAA Dashboard to create an OAuth2 client.
About This Task
You can use the UAAC to manage your UAA instance. For more information on installing the command-line interface, see https://github.com/cloudfoundry/cf-uaac.
Procedure
What To Do Next
See uaas-managing-clients.html#task_k3h_k2c_1x for your service-specific information.
Updating the OAuth2 Client for Services
To use an OAuth2 client for secure access to your Predix Platform service instance from your application, you must update your OAuth2 client to add additional authorities or scopes that are specific to each service.
About This Task
To enable your application to access a platform service, your JSON Web Token (JWT) must contain the scopes required by that platform service. For example, some of the scopes required for the Access Control service are acs.policies.read and acs.policies.write.
The OAuth2 client uses an authorization grant to request an access token. Depending on the type of authorization grant you use, you must update your OAuth2 client so that it can obtain a JWT containing the required scopes. For more information on how the OAuth2 client is created, see Creating an OAuth2 Client.
If you use the UAA Dashboard to create additional clients, each client is created with the default client_credentials grant type. Some required authorities and scopes are added to the client automatically. You must add the additional authorities or scopes that are specific to each service.
In addition, the admin client is not assigned by default the authority to change user passwords. To change a user password, you must add the uaa.admin authority to your admin client.
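The following script is an added example, not part of this page or of the cf-uaac project, that ties together the two UAAC tasks described above: creating a client_credentials client with UAAC, then updating its authorities for a second service. It assumes the UAAC commands `uaac target`, `uaac token client get`, `uaac client add` and `uaac client update` as shipped by cf-uaac; the client name `app-client`, the service instance GUIDs and the environment variables `UAAC_TARGET`, `UAAC_ADMIN_SECRET` and `DRY_RUN` are constructed for the example. The authority names follow the `<service>.zones.<service_instance_guid>.user` pattern from the table on this page.

```shell
#!/usr/bin/env sh
# Added example (not the page's or cf-uaac's own code). Creates a least-privilege
# OAuth2 client with UAAC and later widens it for another service.
# Values marked "constructed" are placeholders, not values from the page.
set -eu

# Build the zone-scoped authority a platform service expects, e.g.
# predix-asset.zones.<service_instance_guid>.user for the Asset service.
zone_authority() {
  printf '%s.zones.%s.user' "$1" "$2"
}

# Join authority names with commas, the list separator uaac takes for
# --authorities and --scope.
join_scopes() {
  local IFS=,
  printf '%s' "$*"
}

# Run a command, or with DRY_RUN=1 print it instead (the value that follows
# --secret is never echoed, so the client secret does not land in logs).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    local out="" prev=""
    for arg in "$@"; do
      if [ "$prev" = "--secret" ]; then arg="<redacted>"; fi
      out="$out${out:+ }$arg"
      prev="$arg"
    done
    printf '%s\n' "$out"
  else
    "$@"
  fi
}

# Create a client that holds only the client_credentials grant and exactly the
# authorities the service needs; nothing like uaa.admin is granted by default.
uaac_client_add() {
  run uaac client add "$1" \
    --secret "$2" \
    --authorized_grant_types client_credentials \
    --authorities "$3"
}

# Update replaces the authorities attribute rather than appending to it, so the
# caller passes the complete list the client should end up with.
uaac_client_update() {
  run uaac client update "$1" --authorities "$2"
}

# Typical flow; only runs when UAAC_TARGET points at a UAA instance (constructed
# variable names). The admin client from this page is used to manage clients.
if [ -n "${UAAC_TARGET:-}" ]; then
  uaac target "$UAAC_TARGET"
  uaac token client get admin -s "${UAAC_ADMIN_SECRET:?set UAAC_ADMIN_SECRET}"

  asset_guid="00000000-0000-0000-0000-000000000001"      # constructed GUID
  analytics_guid="00000000-0000-0000-0000-000000000002"  # constructed GUID
  client_secret="${APP_CLIENT_SECRET:?set APP_CLIENT_SECRET}"

  # First bind the client to the Asset service only.
  uaac_client_add app-client "$client_secret" \
    "$(zone_authority predix-asset "$asset_guid")"

  # Later, grant the Analytics Catalog authority as well (full list passed).
  uaac_client_update app-client "$(join_scopes \
    "$(zone_authority predix-asset "$asset_guid")" \
    "$(zone_authority analytics "$analytics_guid")")"
fi
```

Run it with `DRY_RUN=1 UAAC_TARGET=https://<uaa-url> UAAC_ADMIN_SECRET=x APP_CLIENT_SECRET=y sh script.sh` to review the exact client definition before anything is sent to UAA; the printed lines show the grant type and the authority list, which is what a reviewer checks when confirming the client carries nothing beyond the service-specific authorities.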
Use the following procedure to update the OAuth2 client.
Procedure
What To Do Next
You can complete the following additional tasks in UAA Dashboard:
- If you are using the Authorization Code, Implicit, or Resource Owner Password grant type, you can manage users in UAA.
- You can create password policies for user passwords.
- You can set up an external identity provider or use UAA as an identity provider. See Managing Identity Providers.
If you have completed your OAuth2 client setup, you can bind your application to your service instance.
Authorities or Scopes Required for Platform Services
When you create a new OAuth2 client, the client is assigned default scopes and authorities. You must add additional authorities or scopes that are specific to each service.
The following table lists the scopes and authorities specific to each platform service that you must add to your OAuth2 client.
| Service Name | Authorities/Scopes |
|---|---|
| Access Control | |
| Analytics Catalog | analytics.zones.<service_instance_guid>.user (added by default) |
| Analytics Runtime | analytics.zones.<service_instance_guid>.user (added by default) |
| Asset | predix-asset.zones.<service_instance_guid>.user (added by default) |
| Blockchain as a Service | predix-blockchainapi.zones.<service_instance_guid>.user (added by default) |
| Event Hub | |
| Tenant Management | |
| Time Series | |
| View | |