I'm working on an Eikon add-on (desktop, thick client) that uses AAA to log in and entitle users. We're transitioning some of our services to the Elektron Data Platform which requires an OAuth2 token. We want to use the iPlanetDirectoryPro cookie/token which was created when the user previously logged in. In reading the API documentation it looks like Implicit Grant is what we want (https://developers.refinitiv.com/article/oauth-grant-types-elektron-data-platform) but I haven't been able to find an example of exactly what I'm trying to do.
The auth/oauth2/v1/authorize endpoint will take an iPDP cookie but requires a redirect URL to handle extracting the token. We're a desktop app so we can't provide that. The auth/oauth2/v1/token endpoint will return a token but requires a username and password. Is there an endpoint that will take an iPDP cookie and return a token?
I was incorrect about not needing a redirect_uri. It is required and you can use localhost here to capture the 302 HTTP response.
So, your request from desktop app will look like:
GET https://api.refinitiv.com/auth/oauth2/v1/authorize?client_id=****&response_type=token&scope=trapi&state=****&redirect_uri=https://localhost:9999 HTTP/1.1
Host: api.refinitiv.com
User-Agent: curl/7.59.0
Accept: */*
Cookie: iPlanetDirectoryPro=****

and the response message will contain the access token:

HTTP/1.1 302 Found
Date: Thu, 31 Oct 2019 17:52:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Location: https://localhost:9999#access_token=****&expires_in=300&token_type=Bearer&scope=****&state=****
X-Amzn-Trace-Id: Root=1-5dbb1f49-13106f15889270e68dcaf913
X-Served-By: region=us-east-1; cid=dcab979a-1ca9-4bf7-8982-21dde3066551
X-Tr-Requestid: 8265728c-23ac-48e0-ab5f-1b4b6400df0b
It should be possible to use Authorization Code or Implicit grant for desktop applications. See an example for a browser-based Single Page Application. A similar approach can also be taken with mobile or a desktop app.
The article you linked to contains the following paragraph:
"In any case, with both the Implicit Flow as well as the Authorization Code Flow with no secret, the server must require registration of the redirect URL in order to maintain the security of the flow."
That leads me to believe that I would still need a redirect in order to maintain security. I haven't found any documentation around already having a token/code and exchanging for an OAuth token.
I can't imagine we are the only group dealing with this problem as other Eikon components are also transitioning. It's just a matter of finding the right guidance. :-)
You should talk directly to AAA and STS teams who can advise on the correct approach.
For the oauth2/v1/authorize endpoint for Implicit grant, redirect_uri is not a required parameter; you can pass in response_type = token with your IDP cookie to exchange it for an Access token.
I tried it and it works.
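An added example, not part of the original thread or any Refinitiv code: a desktop client does not need to follow the 302 shown earlier in the thread; it can read the Location header and validate the fragment before accepting the token. The function names, the AuthorizeError class and the sample values are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

REDIRECT_URI = "https://localhost:9999"  # redirect_uri used in the thread's request


class AuthorizeError(Exception):
    """The 302 from /authorize did not carry a usable token."""


def new_state() -> str:
    # Unpredictable per-request value, sent as state= and echoed in the redirect.
    return secrets.token_urlsafe(16)


def parse_authorize_redirect(location: str, expected_state: str) -> dict:
    """Extract the token from the Location header of the 302 response."""
    url = urlsplit(location)
    expected = urlsplit(REDIRECT_URI)
    # The redirect must point at the redirect_uri that was sent, nothing else.
    if (url.scheme, url.netloc) != (expected.scheme, expected.netloc):
        raise AuthorizeError("redirect target does not match redirect_uri")
    # Implicit grant returns its parameters in the fragment, not the query.
    params = {k: v[0] for k, v in parse_qs(url.fragment).items()}
    if "error" in params:
        raise AuthorizeError("authorization error: " + params["error"])
    # Constant-time comparison of the echoed state with the one we generated.
    got_state = params.get("state", "").encode()
    if not hmac.compare_digest(got_state, expected_state.encode()):
        raise AuthorizeError("state mismatch")
    if params.get("token_type", "").lower() != "bearer":
        raise AuthorizeError("unexpected token_type")
    if "access_token" not in params:
        raise AuthorizeError("no access_token in fragment")
    return {
        "access_token": params["access_token"],
        "expires_in": int(params.get("expires_in", "0")),
        "scope": params.get("scope", ""),
    }


# Constructed sample modelled on the 302 above; all values are placeholders.
SAMPLE_LOCATION = (
    "https://localhost:9999#access_token=EXAMPLE_TOKEN&expires_in=300"
    "&token_type=Bearer&scope=trapi&state=EXAMPLE_STATE"
)
```

The HTTP client that sends the authorize request must have automatic redirect following turned off so the Location header is available to this check.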