Automate application configuration via scripts

Management of application scopes via scripts uses the Genero Identity Provider (GIP) GetToken and deploy command line tools.

About this task
This procedure allows you to manage scopes on a deployed application on a remote GAS via the console or a script. For example, you may need to update the scopes for users accessing an application. For more information on managing roles, see Manage authorization roles.
Important:

This procedure does not apply to web services. For web services, the scopes are provided in the code via the WSScope attribute and cannot be changed without recompiling the service application. For more information about WSScope and how it is implemented in a Genero REST web service, see the WSScope topic in the Genero Business Development Language User Guide.

Before you begin
  • If not already done, you need to register a scripting application using the Console App (the New service to service app menu option) in order to generate a CLIENT_ID and SECRET_ID for the application. See step 2.

  • You will also need to have the CLIENT_ID of the secure application you are configuring. You can get this using the Console App (the Applications > Manage apps menu).

  1. Register a new service application in GIP via the Console App, and select the deployment and register scopes.
    1. Open the Console App.
      The Console App is located at http[s]://host:port/[gas/]ua/r/admin/ConsoleApp.
      Tip:

      Select the Console Application link from the GAS demos page at http[s]://host:port/[gas/]demos.html.

    2. Select Applications > New service to service app.
      The Registering a new service to service application form appears.
    3. In the Info section of the form, complete the fields.
      The Name must match the name of the application configuration file.
      The Client ID and Secret ID are generated for you. They will be required later to access that service app.
    4. In the Scopes section of the form, select the register and deployment scopes.
      Note:

      The register and deployment scopes are required to get tokens and deploy using the console or a script.

    5. Click Create.
  2. Use a script to get an access token for the deployment and register service.
    Note:

    The GetToken tool is located in the $FGLDIR/web_utilities/services/gip/bin/gettoken directory.

    Run this command:

    GetToken client_credentials --idp base_URL_of_idp --savetofile token.json --client_id client_id --secret_id secret_id deployment register

    where:
    • base_URL_of_idp is the base URL of the Genero Identity Provider:
      https://host:port[/gas]/ws/r/services/GeneroIdentityProvider
    • client_id is the Client ID generated in the previous step.
    • secret_id is the Secret ID generated in the previous step.
    This command saves the needed access token in a file named token.json. The token will be valid for a period of 10 minutes. After ten minutes, you will need to query for a new access token.
  3. Use a script to get the configuration of the deployed app.
    Note:

    The DeployGar tool is located in your $FGLDIR/web_utilities/services/gip/bin/deploy directory.

    Run the command:

    DeployGar config -f token.json -c config.json get app_client_id GAS_base_URL

    where:
    • The -f option (short option for --tokenfile) gives the path to the file where the access token obtained from the IdP is saved.
    • The -c option (short option for --config) needs a name for the configuration file that is created.
    • The get option takes the client ID of the application you are configuring. For details, see the prerequisites section.
    • GAS_base_URL is the URL of the Genero Application Server (GAS):
      https://host:port/gas
    This sample shows the output saved to the configuration file, config.json:
    {
        "client_id": "3410B13A-06EB-4B13-A4F9-FB78B180D9BC",
        "client_secret": "jnImCC+Qq/6P/EdMtudv+/LRGwgB5tqs",
        "grant_types": [
            "authorization_code"
        ],
        "redirect_uris": [
            "http://helios:6394/ws/r/services/OpenIDConnectServiceProvider/oauth2callback"
        ],
        "client_name": "edit",
        "client_description": "Dynamic registered edit application",
        "scope": "Role.Admin openid"
    }
  4. Use a script to update the scope in the configuration of the deployed app.
    1. Edit the configuration file (config.json in the example).
      The file is in JSON format. You can open it with a text editor and edit the line with "scope". For example, you can add a new scope, making sure to keep the file valid JSON:
      "scope": "Role.Admin openid deployment"
    2. When finished, save your changes.
    3. Run this command to upload your changes:

      DeployGar config -f token.json -c config.json set app_client_id GAS_base_URL

      Where the set option is used to set your configuration changes.
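
Steps 3 and 4 can be combined into one script that edits the scope with a JSON parser rather than by hand. The following is an added example, not part of the Genero tooling: it assumes DeployGar is on the PATH, that token.json was just written by the GetToken command from step 2, and that the file's modification time approximates when the token was issued. The function names are hypothetical.

```python
import json
import os
import subprocess
import sys
import tempfile
import time

TOKEN_LIFETIME = 600  # seconds; the page gives the token a 10-minute validity


def token_is_fresh(token_file, margin=30):
    """True if token_file exists and is young enough (by mtime, an assumption)."""
    try:
        age = time.time() - os.path.getmtime(token_file)
    except OSError:
        return False
    return age < TOKEN_LIFETIME - margin


def add_scope(config_file, new_scope):
    """Add new_scope to the space-separated "scope" value; True if changed."""
    with open(config_file, encoding="utf-8") as fh:
        config = json.load(fh)  # raises on malformed JSON instead of uploading it
    scopes = config.get("scope", "").split()
    if new_scope in scopes:
        return False
    config["scope"] = " ".join(scopes + [new_scope])
    # config.json holds client_secret: mkstemp creates an owner-only file,
    # and os.replace swaps it in atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(config_file)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=4)
    os.replace(tmp, config_file)
    return True


def deploygar(action, token_file, config_file, app_client_id, gas_url):
    """Run 'DeployGar config ... get|set' with the arguments from steps 3 and 4."""
    subprocess.run(["DeployGar", "config", "-f", token_file, "-c", config_file,
                    action, app_client_id, gas_url], check=True)


if __name__ == "__main__":
    app_id, gas_url, scope = sys.argv[1:4]  # app_client_id GAS_base_URL new_scope
    os.umask(0o077)  # files created from here on are private to this user
    if not token_is_fresh("token.json"):
        sys.exit("token.json is missing or near the 10-minute limit; rerun GetToken")
    deploygar("get", "token.json", "config.json", app_id, gas_url)
    if add_scope("config.json", scope):
        deploygar("set", "token.json", "config.json", app_id, gas_url)
```

Both token.json and config.json contain credentials, so delete them or keep them out of shared directories once the update is done.
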
What to do next:

Test that the application functions as expected. Check if users from the added scope ("deployment" in our example) can access the application.