OAuth Authentication

To enable RPI Realtime OAuth authentication, the following must be carried out:

Database

A Realtime authentication database must be made available, and its tables created by running the following SQL script:

DeploymentFiles\SQL Server\Useful Scripts\Realtime\Realtime.sql

Configuration

The EnableOAuth setting must be set to 'true' in the RPI Realtime API web.config file:

<setting name="EnableOAuth" serializeAs="String">
    <value>True</value>
</setting>
<setting name="OAuthTokenTimespan" serializeAs="String">
    <value>1209600</value>
</setting>
<setting name="RootServiceURL" serializeAs="String">
    <value />
</setting>

<connectionStrings>
    <add name="DefaultConnection" connectionString="Server=localhost;Database=RPIRealtime;Integrated Security=true;ConnectRetryCount=12;ConnectRetryInterval=10" providerName="System.Data.SqlClient" />
</connectionStrings>

      OAuthTokenTimespan: token's lifetime, in seconds.

      RootServiceURL: Realtime API home page address; used when authenticating using OAuth at Swagger.

When using OAuth authentication, the RPI Realtime website's application pool user requires access to the Realtime authentication database.

Note that, once OAuth authentication is enabled, it takes precedence over the usage of static token authentication.

Token Endpoint

To use RPI Realtime with OAuth, the RPI Realtime Token endpoint ([Realtime server]/token) must be called with a username and password. The endpoint returns a bearer token: a time-limited token that identifies the user making subsequent calls to Realtime API endpoints. The roles associated with the bearer token are fixed at the point of its generation; if roles change, a new token must be generated to pick up the changes.

The following should be passed in the call to the token endpoint:

      Headers:

Content-Type: application/x-www-form-urlencoded

      Body:

x-www-form-urlencoded

Keys:

§ grant_type: password

§ username

§ password

The following represents an example of a bearer token returned by the endpoint:

{
    "resource": "resource-server",
    "token_type": "Bearer",
    "access_token": "CfDJ8IbSSMi3VZdJnFSayQaR4O5WqBuu-oif0HYOBsO6ChiE3wEI9ojNuSFed9xNPEmvRsS6yLKp-s7WBeSmXM415McSFc3fYSDYa8ZL0lsNnVksgZzb2AZSR3hEhhfmE4HEIJpM_r29pvuCwZPsMiLIzj8NSwuUNNhk-Bk5A4p6hAVE7Q1oQr0xBGQcGAwoA-ipBiRGQOnWxGUd9cbM7rC7a2SYQD0bRYUd6JTIbWLDrmLmXPYyebjSxVyYw18TbIiVQh3OAvF6g0mPcMWTCTHwjw9PzukiiRjhVgSyq7FPjq_KBvDb012quHeqQJ9TaDGHqLxZ8I0UoOoOry38gD5jeF1PxljZ6LuVO6ot8wevtpK8KZwY15aTbfgPGEtMrIihIFNgVWzlDwwS7f0t7erEVxkn9ODmn32v6W401vqthn3R4m6ZMWSAyR8EhbwYdSurE4M65EH1ENPbU6nyjMYgSpngaHUaid7M84bhtGZJe5sVPm1Zzkh2xvbAsPQ99QbifPP0Xhq3ilrm5PEHD5ox8J7Xo5j8iAyNpiChg24Nh-2VQmsyL5RN_ZAYbmf2w0MOc9pse2YEcbIlr4L088op3roYA8qmAnnCc91MIkhSRcvtIYKLL-IJ0yB02daxO_zkxVSQukv8jd9TdVz48uN3Z0fTTLXYEPBsGtUsbY_QnD8ZLc1aMSBu8jcDQWcwh11hQq6YRrHZ8M5BeMx8bi-St61n5do5WA7x-EzW0HYTAXG7BGLrtT2mlTJrcctDza3Pm41p12FQFQmgIqDBbamiyvc",
    "expires_in": 1209600
}
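The token request and response described above, as an added Python example that is not part of the RPI documentation: it builds the form-encoded password-grant call, parses the returned JSON, and tracks the token's lifetime locally so a client knows when to request a fresh one. It assumes the token is presented on later calls as a standard "Authorization: Bearer" header (the page shows only token_type "Bearer"); the server URL, credentials and token value are placeholders.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/token"  # documented as [Realtime server]/token


def build_token_request(server_url, username, password):
    """Password-grant request as the page specifies: form-encoded body, one header."""
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return server_url.rstrip("/") + TOKEN_PATH, headers, body


class BearerToken:
    """Token plus its issue time, so expiry can be checked without a round trip."""

    def __init__(self, access_token, expires_in, issued_at):
        self.access_token = access_token
        self.expires_in = int(expires_in)  # seconds (the OAuthTokenTimespan setting)
        self.issued_at = issued_at

    @classmethod
    def from_response(cls, raw_json, issued_at):
        data = json.loads(raw_json)
        if data.get("token_type") != "Bearer" or not data.get("access_token"):
            raise ValueError("unexpected token response: %r" % data)
        return cls(data["access_token"], data["expires_in"], issued_at)

    def is_expired(self, now, skew=60):
        """True once the token has lapsed, or will within `skew` seconds.
        Roles are fixed at issue time, so also re-request after a role change."""
        return now >= self.issued_at + self.expires_in - skew

    def auth_header(self):
        # Assumption: RFC 6750 presentation; the page shows only token_type "Bearer".
        return {"Authorization": "Bearer " + self.access_token}


def request_token(server_url, username, password, opener=urllib.request.urlopen):
    """POST to the token endpoint; `opener` is injectable for offline testing."""
    url, headers, body = build_token_request(server_url, username, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        return BearerToken.from_response(resp.read().decode("utf-8"), time.time())


# Constructed sample response (shape from the page; the token value is a placeholder).
SAMPLE_RESPONSE = json.dumps({"resource": "resource-server", "token_type": "Bearer",
                              "access_token": "PLACEHOLDER_TOKEN", "expires_in": 1209600})
```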

Users

Two users are provided out-of-the-box for use when using RPI Realtime with OAuth:

      coreuser: associated with all roles.

      standarduser: associated with the Standard, Forms, ListenerQueue and Recommendations roles.

Default passwords for the above are available on request.

The following roles are supported:

      Administrator

      Forms

      Interaction

      ListenerQueue

      Recommendations

      Standard

      System

      Views

The RPI Realtime documentation includes details of the roles required to access specific endpoints.

User Management Endpoints

The following Account endpoints are provided to facilitate management of RPI OAuth users:

      POST /api/Account/Register: creates a new user.

      GET /api/Account/Users: gets the list of user names.

      DELETE /api/Account/Users/{userName}: deletes a user.

      GET /api/Account/Users/{userName}/Roles: gets the roles assigned to a given user.

      POST /api/Account/Users/{userName}/Roles: updates the roles assigned to a given user.

      POST /api/Account/Users/ResetPassword: resets the password for a given user.

      POST /api/Account/ChangePassword: changes the password for the current authenticated user.

Full details of the above are provided at the RPI Realtime online documentation.

RPI OAuth User

RPI itself requires OAuth user credentials, which are used when, for example, publishing content. The credentials are set using the following client-level system configuration settings:

      RealtimeAPICredentials

      RealtimeAPIUseCredentials

Note that the RPI user must be associated with the Interaction role.