OAuth is available as an authentication mode when using many of the SmartObject Service Brokers that ship with K2.
In order to connect to OAuth-enabled services with a SmartObject service broker, you need to configure an OAuth Resource Type and an OAuth Resource. The setup consists of the following steps:
You may use the K2 Management link in the K2 App (Authentication > OAuth > Resource Types) or the K2 Management site directly to configure the K2 OAuth settings.
Although OAuth2 is an industry standard authorization framework, each OAuth2 implementation can vary slightly in regard to the parameters used during the token flows. For this reason, the configuration you must do varies between OAuth-based services. The first step is to determine what parameters and values you need to pass to the external OAuth resource for (1) authorization, also known as the access token, (2) token requests, and (3) refresh requests.
For example, the Azure Active Directory OAuth2 implementation uses an encrypted ‘client_id’ parameter for Authorization requests, Token requests, and Refresh requests. It also uses the following parameters:
These parameters make up the OAuth resource type configuration, while specific values for the parameters make up the resource configuration.
As another example, Salesforce's OAuth2 implementation uses the following parameters: client_secret, redirect_uri, client_id, response_type and grant_type. These properties make up the external OAuth resource configuration, and to obtain these parameters and the values required for the parameters, you must configure Authorization in your Salesforce environment.
Most services describe at least two stages for successful authorization:
Many services also expire tokens after a set amount of time and accept a refresh request to obtain a new token.
For most OAuth-enabled services, like LinkedIn or Twitter, you first need to create an application on their platform, which is the integration entry point. As a part of creating the application, you receive an application ID and a client secret along with the endpoint URI. Once you have the parameters and the application configuration values, you are ready to create the K2 OAuth Resource Type and OAuth Resource.
If your K2 installation does not already contain a Resource Type for the service you want to connect to, you must create a new Resource Type (think of the Resource Type as a container for the parameters required to connect to a particular service). To get to the K2 OAuth Resource Type configuration page:
(Extensions are used to handle any scenarios that are not covered by the OAuth2 specification. SharePoint, for example, uses a Server-to-Server, certificate-based token in on-premises installations which is not part of the OAuth2 specification and therefore an extension is used for additional processing in this scenario.)
Once you have added the Resource Type, you can add the parameters to the Resource Type. These definitions create the communication strings that are sent to and received from the external OAuth URI. You add the parameters and their usage configurations in the Resource Type Parameters table. You do not provide values at this point, such as for client_id or client_secret, just the parameter names. The Resource Type defines the default settings and values used by all OAuth resources of this type. You specify your client- or application-specific values when you create the new OAuth Resource.
Repeat these steps until all OAuth parameters are defined.
Once all of the required OAuth communication string parameters have been added to the OAuth Resource Type definition, you can create and configure the OAuth Resource.
In the OAuth Resources table that appears when you select your new resource, configure the Resource Parameters for the resource.
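The split between a Resource Type (parameter names and the requests that use them) and a Resource (the values) can be modeled as follows. This is an added example, not K2 code or part of the original documentation. The data model, endpoint URL and sample values are assumptions; the parameter names are the Salesforce ones listed above plus `code` and `refresh_token` from RFC 6749. It also checks that no secret is mapped to the authorization request, which is sent through the user's browser.

```python
from urllib.parse import urlencode

# Hypothetical model (not K2's schema): parameter name -> requests that carry it.
# Names are the Salesforce ones from the text plus RFC 6749's code/refresh_token.
RESOURCE_TYPE = {
    "client_id":     {"authorization", "token", "refresh"},
    "redirect_uri":  {"authorization", "token"},
    "response_type": {"authorization"},
    "client_secret": {"token", "refresh"},
    "grant_type":    {"token", "refresh"},
    "code":          {"token"},
    "refresh_token": {"refresh"},
}
# Constructed values; a real resource holds what the external service issued.
RESOURCE = {
    "client_id": "EXAMPLE_APP_ID",
    "client_secret": "EXAMPLE_SECRET",
    "redirect_uri": "https://k2.example.com/callback",
    "response_type": "code",
}
SECRETS = {"client_secret", "refresh_token"}


def front_channel_secrets(rtype):
    """Secrets mapped to the authorization request, which travels via the browser."""
    return sorted(p for p, uses in rtype.items()
                  if p in SECRETS and "authorization" in uses)


def build_request(rtype, resource, stage, runtime=None):
    """Collect the parameters the resource type assigns to one stage."""
    values = {**resource, **(runtime or {})}
    params = {}
    for name, uses in rtype.items():
        if stage in uses:
            if name not in values:
                raise KeyError(f"{stage} request needs a value for {name!r}")
            params[name] = values[name]
    return params


def authorization_url(endpoint, rtype, resource):
    """Build the redirect URL, refusing a type that would expose a secret."""
    leaked = front_channel_secrets(rtype)
    if leaked:
        raise ValueError(f"secrets in authorization request: {leaked}")
    return endpoint + "?" + urlencode(build_request(rtype, resource, "authorization"))
```

Values that change per request, such as `grant_type`, `code` and `refresh_token`, are passed through `runtime` rather than stored on the resource.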
Once you've completed the OAuth Resource and its parameter values, the final step is to link the OAuth Resource with the external OAuth service using a SmartObject Service Instance. This ties the line-of-business SmartObjects to the service, which allows K2 and the external OAuth service to securely communicate.
You can now create SmartObjects, for use in forms and workflows, for the service objects found when you created the instance. SmartObject methods execute requests to the service and initiate the OAuth token flow to authenticate, authorize, and interact with the service.