Connections now supports the OAuth 2.0 standard authorization protocol. Third-party applications ("consumer" applications) can use a combination of OAuth and the IBM Connections API to access IBM
Before a consumer application can access a user's IBM Connections data, an IBM Connections administrator must register the application. Then the user must give the application permission. Once a consumer application is registered and has permission, it can use the user's data and push its own data to the user's status updates. "IBM Connections data" here means all of the user's data, including photographs, personal profile information, and any content they have added anywhere. For example, a social networking application could display a user's profile picture and personal information. It could also push status updates the user makes in the consumer application to the IBM Connections activity stream and status updates.
As an IBM Connections administrator you create and manage a list of registered consumer applications. List membership might depend upon agreements with the consumer application companies. You can use commands to add, edit, view information on, count, and delete consumer applications from the list.
When users open the consumer application, they are prompted to give or deny the application permission to access their IBM Connections data. Permission is granted by a token that expires in six months if not renewed by the user. When a permission expires, users must visit the consumer application again and go through the authorization process. Users can also remove an application's permission at any time in Connections by clicking Settings -> Application Access. This authorization management interface is customizable.
For general information on OAuth, see the OAuth web site at http://oauth.net/
If you wish to add gadgets deployed externally, such as iGoogle gadgets, you must configure locked domains. Locking domains isolates semi-trusted gadgets and prevents them from accessing SSO tokens, or from using DOM access to the parent page of the gadget iFrame, which could be used to forward sensitive data to external sites. For more information on locked domains, refer to Enabling locked domains.
Managing the client application list
Use commands to manage the list of client applications that are allowed to prompt users for access to their IBM Connections data, using the OAuth authentication protocol.
Installing and enabling OAuth TAI
You need to install and enable the OAuth TAI in IBM Connections.
Registering an OAuth client with a provider
You need to register any OAuth clients with an OAuth provider.
CRE Mashups Proxy Configuration
The Common Rendering Engine (CRE) proxy is a simple set of extensions over the Mashups 3.0 proxy that is specifically designed to solve gadget use cases. IBM Connections uses a modified proxy plugin configuration that can parse the older Connections Mum Proxy 1.0 format including the Connections extensions.
Configuring OAuth for gadgets
The Connections 4.0 release supports an OAuth 2.0 consumer proxy that allows the Homepage component to surface gadgets in an OpenSocial container that can interact with an OAuth 2.0 protected service. For this proxy to function, a series of new administration commands is exposed in the News service to define OAuth 2.0 providers, clients, and the associated gadget that will interact with the protected service.