Using Mobile Foundation Server to authenticate external resources
Overview
Protected resources can run on the PMF (such as Adapters), or on external servers. You can protect resources on external servers by using the validation modules that are provided with PMF.
In this tutorial, you learn how to protect an external resource server by implementing a filter that validates a PMF access token.
You can implement such protection either entirely with custom code, or by using one of the PMF helper libraries that encapsulate part of the flow.
Prerequisite:
- Understanding of the PMF security framework.
Flow
The PMF has a component called the introspection endpoint which is capable of validating and extracting data from a PMF access token. This introspection endpoint is available via a REST API.
- An application with the PMF client SDK makes a resource request call (or any HTTP request) to a protected resource, with or without the Authorization header (client access token).
- To communicate with the introspection endpoint, the filter on the resource server needs to obtain a separate token for itself (see the Confidential Client section).
- The filter on the resource server extracts the client access token from step 1 and sends it to the introspection endpoint for validation.
- If the PMF Authorization Server determines that the token is invalid (or doesn't exist), the resource server redirects the client to obtain a new token for the required scope. This part happens internally when the PMF Client SDK is used.
Confidential Client
Because the introspection endpoint is an internal resource protected by the scope authorization.introspect, the resource server needs to obtain a separate token in order to send any data to it. If you attempt to make a request to the introspection endpoint without an authorization header, a 401 response is returned.
For the external resource server to be able to request a token for the authorization.introspect scope, the server needs to be registered as a confidential client via the PMF Operations Console.
Learn more in the Confidential Clients tutorial.
In the PMF Operations Console, under Settings → Confidential Clients, add a new entry. Choose a client ID and a secret value. Make sure to set authorization.introspect as the Allowed Scope.
Implementations
This flow can be implemented manually by making HTTP requests directly to the various REST APIs (see documentation).
PMF also provides libraries to help you achieve this on WebSphere servers by using the provided Trust Association Interceptor, or any other Java-based filter using the provided Java Token Validator: