I am using Mobilefirst 7.1 to develop a Java HTTP Adapter for my Angular 2 hybrid project to call.
1) Built the Java Adapter, which has a few POST & GET procedures
2) Deployed it into my local MobileFirst Operations Console

1) Using Angular 2 HTTP requests, call the adapter endpoints and get responses successfully
2) No MFP SDK or MFP app will be used

1) [SUCCESS] Get a test token from the test token endpoint, add an 'Authorization' header to the adapter requests, call the adapter endpoint and get a response successfully: tested in Postman
2) [SUCCESS] Java Adapter with security disabled ( @OAuthSecurity(enabled=false) ), without a test token & without an 'Authorization' header: call the adapter endpoint and get a response successfully
3) [FAILED] When the Java Adapter has the security annotation @OAuthSecurity(scope="adminRealm") set, calling the adapter endpoint returns missing_authorization / insufficient_scope in the scenarios below

1) Based on my understanding, in actual production the test token should not be used for calling the adapter endpoint. Hence, if the Java Adapter has default security enabled, how do I call it successfully in Postman without that test token?
2) How do I call the adapter endpoint successfully using Angular 2 HTTP requests? I do not encounter this problem when calling a normal REST endpoint using Angular 2 HTTP.
3) Do I need another endpoint to get an access token in actual production, instead of that test token endpoint?
The test token that you mentioned is nothing more than a confidential client token.
I am not familiar with your use case, but confidential clients are not meant to be used in customer-facing client applications. They are usually meant for server-side applications that need to access a MobileFirst resource. A confidential client will skip all the security you configured.
Customer-facing client applications are supposed to use the MFP client SDKs, and implement challenge handlers.
Now let's assume you really have a good reason to use confidential clients in your application (please share that good reason), follow the instructions in the confidential client tutorial to create a confidential client with exactly the scope you want it to have.
For example, create a confidential client named `myAngularApp` with a scope of `adminRealm`. Now any client with a valid `myAngularApp` token will have access to resources protected by `adminRealm`.
One thing was not clear in your testing. What is the difference between test (1) and test (3)? In both of them you wrote that you call the adapter endpoint.