Allowing third-party applications access to data via the OAuth2 protocol

Allow third-party applications to ask your IBM® Connections users for access to their data.

IBM Connections now supports the OAuth 2.0 standard authorization protocol. Third-party applications ("consumer" applications) can use a combination of OAuth and the IBM Connections API to access IBM Connections data.

Before a consumer application can access a user's IBM Connections data, an IBM Connections administrator must register the application. Then the user must give the application permission. Once a consumer application is registered and has permission, it can use the user's data and push its own data to the user's status updates. "IBM Connections data" here means all of the user's data, including photographs, personal profile information, and any content they have added anywhere. For example, a social networking application could display a user's profile picture and personal information. It could also push status updates the user makes in the consumer application to the IBM Connections activity stream and status updates.

As an IBM Connections administrator you create and manage a list of registered consumer applications. List membership might depend upon agreements with the consumer application companies. You can use commands to add, edit, view information on, count, and delete consumer applications from the list.

When users open the consumer application, they are prompted to grant or deny the application permission to access their IBM Connections data. Permission is granted by a token that expires after six months unless the user renews it. When a permission expires, users must visit the consumer application again and go through the authorization process. Users can also remove an application's permission at any time in Connections by clicking Settings > Application Access. This authorization management interface is customizable.

Note: If you wish to add gadgets deployed externally, such as iGoogle gadgets, you must configure locked domains. Locking domains isolates semi-trusted gadgets and prevents them from accessing SSO tokens, or from using DOM access to the parent page of the gadget iFrame to forward sensitive data to external sites. For more information on locked domains, refer to Enabling locked domains.

To connect an OAuth 2 client to IBM Connections using the IBM Connections APIs with the OAuth 2.0 protocol, the supported flow is the authorization code grant flow. It uses the following endpoints:

Authorization endpoint URL:

https://www.connections.example.com/oauth2/endpoint/connectionsProvider/authorize

Token endpoint URL:

https://www.connections.example.com/oauth2/endpoint/connectionsProvider/token
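The three legs of the authorization code grant against the two endpoints above, as an added example that is not part of the IBM documentation. The client_id, client_secret and redirect_uri values are assumed to come from the consumer registration the administrator performed; the state check is the consumer's own defence against a forged callback.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints from the page; the /oauth2 context root is configurable.
AUTHORIZE_URL = "https://www.connections.example.com/oauth2/endpoint/connectionsProvider/authorize"
TOKEN_URL = "https://www.connections.example.com/oauth2/endpoint/connectionsProvider/token"


def new_state():
    """Unguessable per-request value, stored in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: URL the user's browser is sent to so they can grant or deny access.
    client_id / redirect_uri are assumed values from the consumer registration."""
    params = {
        "response_type": "code",  # authorization code grant (RFC 6749, section 4.1)
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: the provider redirects back with ?code=...&state=...
    Reject the callback unless state matches what this session issued, so a
    code belonging to another session cannot be spliced in (login CSRF).
    Returns the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    return query["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 3: form body to POST to the token endpoint from the consumer's server
    (never from the browser, since it carries the client secret)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in step 1
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return TOKEN_URL, body
```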

Note: The /oauth2 context root is configurable via the IBM console, like that of any other Connections application. The change is applied to the "oauthprovider" service reference in LotusConnections-config.xml as follows:

    <sloc:serviceReference serviceName="oauthprovider"
        enabled="true"
        ssl_enabled="true"
        bootstrapHost="admin_replace"
        bootstrapPort="admin_replace"
        clusterName="">
        <sloc:href>
            <sloc:hrefPathPrefix>/oauth2</sloc:hrefPathPrefix>
            <sloc:static href="http://www.connections.example.com" ssl_href="https://www.connections.example.com"/>
            <sloc:interService href="https://www.connections.example.com"/>
        </sloc:href>
    </sloc:serviceReference>