OAuth is available as an authentication mode when using many of the SmartObject Service Brokers that ship with K2.
In order to connect to OAuth enabled services with a SmartObject service broker you need to configure an OAuth Resource Type and an OAuth Resource. The setup consists of the following steps:
You may use the K2 Management link in the K2 App (Authentication > OAuth > Resource Types) or the K2 Designer (All Items > System > Management > Security > Forms) to configure the K2 OAuth settings.
Although OAuth2 is an industry standard authorization framework, each OAuth2 implementation can vary slightly in regard to the parameters used during the token flows. For this reason, OAuth resource configurations between services will vary. The first step of this process is to discover what parameters and parameter values are used by the external OAuth resource for authorization, token requests and refresh requests.
For example, the Azure Active Directory OAuth2 implementation uses an encrypted ‘client_id’ parameter for Authorization requests, Token requests, and Refresh requests. It also uses the following parameters: grant_type, api_version, scope, client_secret, resource, entity_id, response_type, and redirect_uri. All of these properties make up the external OAuth resource configuration.
As another example, Salesforce's OAuth2 implementation uses the following parameters: client_secret, redirect_uri, client_id, response_type and grant_type. All of these properties make up the external OAuth resource configuration, and to obtain these parameters and the values required for the parameters, you will need to set up Authorization in your Salesforce environment.
Most services describe at least two stages for successful authorization:
Many services also expire tokens after a set amount of time and accept a refresh request to obtain a new token.
For most OAuth enabled services, like LinkedIn or Twitter, you first need to create an application on their platform, which is the integration entry point. As a part of creating the application you receive an application ID and a client secret along with the endpoint URI to communicate with. Once you have the required communication parameters and the application configuration values, you are ready to create the K2 OAuth Resource Type and OAuth Resource.
(See the attachments on the right hand side of this article for additional documents that describe sample OAuth settings for certain services)
If your K2 installation does not already contain a Resource Type for the service you want to connect to, you will need to create a new Resource Type (think of the Resource Type as a container for the parameters required to connect to a particular service). To get to the K2 OAuth Resource Type configuration page:
Now add a new Resource Type using the information and parameters identified from the external OAuth resource.
(Extensions are used to handle any scenarios that are not covered by the OAuth2 specification. SharePoint, for example, uses a Server to Server token in on-premises installations that is not part of the OAuth2 specification and therefore an Extension is used for additional processing in this scenario.)
Once you have added the Resource Type, you can add the parameters you identified in Step 1 to the Resource Type. These definitions are used to create the communication strings that are sent to and received from the external OAuth URI. You will add the parameters and their usage configurations in the Resource Type Parameters table. Do not provide client_id or secret values at this stage. The Resource Type defines the default settings and values used by all OAuth resources of this Type. Your client- or application-specific values should be entered when you create the new OAuth Resource in Step 3.
Repeat these steps until all the external OAuth service's parameters have been defined. Once the parameters have been added, continue to Step 3.
Once all of the required OAuth communication string parameters have been added to the OAuth Resource Type definition, a corresponding OAuth Resource needs to be added and configured.
In the OAuth Resources table, configure the Resource Parameters that are required for the selected OAuth Resource Type and configure static values for the parameters, if needed.
Repeat until all required values have been configured.
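The split between Resource Type defaults and Resource values described in Steps 1 to 3 can be checked before any token flow runs. The following is an added example, not K2 code or the K2 data model: the row layout, the `lint_resource_type` and `build_request` helpers, and all sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlencode

AUTHZ, TOKEN, REFRESH = "authorization", "token", "refresh"
SENSITIVE = {"client_id", "client_secret"}  # per the text: no values on the type

# Constructed Resource Type rows: (parameter, request kinds that send it, type default)
RESOURCE_TYPE = [
    ("client_id",     {AUTHZ, TOKEN, REFRESH}, None),
    ("client_secret", {TOKEN, REFRESH},        None),
    ("redirect_uri",  {AUTHZ, TOKEN},          None),
    ("response_type", {AUTHZ},                 "code"),
    ("grant_type",    {TOKEN},                 "authorization_code"),
    ("grant_type",    {REFRESH},               "refresh_token"),
    ("code",          {TOKEN},                 None),  # filled at run time
    ("refresh_token", {REFRESH},               None),  # filled at run time
]

# Constructed OAuth Resource values (placeholders, not real credentials)
RESOURCE = {
    "client_id": "EXAMPLE_APP_ID",
    "client_secret": "EXAMPLE_SECRET",
    "redirect_uri": "https://k2.example.test/callback",
}

def lint_resource_type(rows):
    """Return findings for a Resource Type definition (empty list means clean)."""
    findings = []
    for name, usages, default in rows:
        if name in SENSITIVE and default is not None:
            findings.append(f"{name}: client-specific value set on the Resource Type")
        if name == "client_secret" and AUTHZ in usages:
            findings.append("client_secret: sent in the browser-visible authorization request")
    return findings

def build_request(rows, resource_values, usage, runtime=None):
    """Merge type defaults, Resource values and run-time values for one request kind."""
    params = {}
    for name, usages, default in rows:
        if usage not in usages:
            continue
        # Precedence: run-time value, then Resource value, then type default.
        value = (runtime or {}).get(name, resource_values.get(name, default))
        if value is None:
            raise ValueError(f"{usage} request: no value for {name}")
        params[name] = value
    return urlencode(params)

if __name__ == "__main__":
    print(lint_resource_type(RESOURCE_TYPE))
    print(build_request(RESOURCE_TYPE, RESOURCE, AUTHZ))
```

The lint flags a secret marked for the authorization request because that request travels through the user's browser, while token and refresh requests go server to server.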
Once the K2 OAuth Resource definition and parameter value configurations have been completed, the final step is to link the K2 OAuth Resource with the external OAuth service by using a SmartObject Service Instance to define the communication between the K2 Broker and the external OAuth system.
In the K2 Management options list, open the SmartObject Administration node.
Once the protocol’s connection request and response strings have been defined within the K2 OAuth system and a SmartObject Service Instance has been configured that links to the OAuth resources, you can create SmartObjects for the Service Objects in the Service Instance. SmartObject requests to that service will then initiate OAuth token flows to authenticate and interact with the target service.