Code to get the access token for a secure Web service.
To access a secure Web service, the user needs to get an access token that is
provided by the Identity Provider securing the Web service.
The OAuthAPI.init function can be used for this purpose if needed.
- Set your app to use delegation in its application configuration file.
  This step is mandatory.
    <APPLICATION Parent="defaultwa" ...>
      <EXECUTION>
        ...
        <DELEGATE service="services/OpenIDConnectServiceProvider">
          <IDP>IdP_URL</IDP>
          <CLIENT_PUBLIC_ID>XXXXXXXX</CLIENT_PUBLIC_ID>
          <CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>
        </DELEGATE>
        ...
      </EXECUTION>
    </APPLICATION>
Where:
- In the MAIN/END MAIN clause of your client app, call the OAuthAPI.init
  function to get the OAuth access tokens at runtime. This must be done
  before calling any other service functions.
  For example:
    IMPORT FGL OAuthAPI
    DEFINE my_user_id INTEGER
    MAIN
      # ...
      # Init OAuthAPI: must succeed before any other service function is called
      IF NOT OAuthAPI.init(5, "AF350CBC-8801-4DFB-9A78-A95B25BB32AF", "8JEq3HBfxrmj/8vMP66iaRQnGrWVyjqr") THEN
        # No access tokens were obtained: stop the program
        DISPLAY "Error: unable to initialize OAuth"
        EXIT PROGRAM 1
      ELSE
        LET my_user_id = OAuthAPI.getIDSubject
      END IF
      # ...
    END MAIN
You can get user information coming from the IdP from variables with the
prefix OIDC_. For example:
    LET userEmail = fgl_getenv("OIDC_EMAIL")
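The following is an added example, not code from the original page or from the product's sources: the same initialization with the credentials read from the environment instead of written into the source, and with the IdP-supplied e-mail treated as optional. It assumes that the second and third arguments of OAuthAPI.init are the client ID and client secret, as their form in the example above suggests; the variable names APP_OAUTH_CLIENT_ID and APP_OAUTH_CLIENT_SECRET are hypothetical.

```4gl
IMPORT FGL OAuthAPI

MAIN
    DEFINE client_id, client_secret, user_email STRING

    # Hypothetical variable names (assumption): set them in the runtime
    # environment so the secret is not compiled into the program.
    LET client_id = fgl_getenv("APP_OAUTH_CLIENT_ID")
    LET client_secret = fgl_getenv("APP_OAUTH_CLIENT_SECRET")

    # fgl_getenv returns NULL for an undefined variable: stop before
    # any token request is made with incomplete credentials.
    IF client_id IS NULL OR client_secret IS NULL THEN
        DISPLAY "Error: OAuth client credentials are not configured"
        EXIT PROGRAM 1
    END IF

    # First argument (5) copied unchanged from the page's example.
    IF NOT OAuthAPI.init(5, client_id, client_secret) THEN
        # Report the failure without echoing the ID or the secret.
        DISPLAY "Error: unable to initialize OAuth"
        EXIT PROGRAM 1
    END IF

    # OIDC_ values come from the IdP; treat a missing one as NULL.
    LET user_email = fgl_getenv("OIDC_EMAIL")
    IF user_email IS NULL THEN
        DISPLAY "No e-mail provided by the IdP"
    ELSE
        DISPLAY "Signed in as: ", user_email
    END IF
END MAIN
```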
For an example of OAuthAPI calls, see the consoleApp source
in FGLDIR\web_utilities\services\gip\src\console.
When using a third-party IdP that supports OpenID Connect, the OAuthAPI
can be used in the same way as with Genero Identity Provider. For further
information, see the OpenID Connect SSO pages in the Genero Application Server User Guide.