IBM Mobilefirst 7.1 - Java HTTP Adapter Calling

I am using Mobilefirst 7.1 to develop a Java HTTP Adapter for my Angular 2 hybrid project to call.

What I have done:

1) Built the Java Adapter that has a few POST & GET procedures

2) Deployed into my local MobileFirst Operations Console

What I want to achieve:

1) Using Angular 2 HTTP requests, call to adapter endpoints and get response successfully

2) No MFP sdk or MFP app will be used

My testing (in Postman Rest Client):

1) [SUCCESS] Get test token from test token endpoint, add 'Authorization' header in adapter requests, call adapter endpoint and get response successfully: Test in postman

2) [SUCCESS] Java Adapter disabled security (@OAuthSecurity(enabled=false)), without test token & without 'Authorization' header, call adapter endpoint and get response successfully

3) [FAILED] When Java Adapter set security annotation @OAuthSecurity(scope="adminRealm"), calling adapter endpoint will get missing_authorization / insufficient_scope in below scenarios

  • Getting testtoken & set 'Authorization' header similar to test 1
  • Without test token & without setting 'Authorization' header similar to test 2

My questions

1) Based on my understanding, in actual production, test token should not be used in calling adapter endpoint. Hence if Java Adapter has default security enabled, how to call in Postman successfully without that test token?

2) How do I call the adapter endpoint successfully using Angular 2 HTTP requests? I do not encounter this problem in calling normal REST endpoint using Angular 2 HTTP.

3) Do I need another endpoint to get access token in actual production, instead of that test token endpoint?

The test token that you mentioned is nothing more than a confidential client token.

I am not familiar with your use case, but confidential clients are not meant to be used in customer-facing client applications. They are usually meant for server-side applications that need to access a MobileFirst resource. A confidential client will skip all the security you configured.

Customer-facing client applications are supposed to use the MFP client SDKs, and implement challenge handlers.

Now let's assume you really have a good reason to use confidential clients in your application (please share that good reason), follow the instructions in the confidential client tutorial to create a confidential client with exactly the scope you want it to have.

For example, create a confidential client named myAngularApp with a scope of adminRealm. Now any client with a valid myAngularApp token will have access to resources protected by adminRealm.

One thing was not clear in your testing. What is the difference between test (1) and test (3)? In both of them you wrote that you call the adapter endpoint.
