Configure ThingWorx as a Resource Server
Configure the resourceServerSettings.json File
This procedure is required when ThingWorx is the Resource Server application.
1. Stop the ThingWorx server.
2. Create the resourceServerSettings.json file in the same directory as sso-settings.json.
The following is a sample structure of the resourceServerSettings.json file:
{
"ResourceServerSettings": {
"accessTokenServicesSettings": {
"clientId": "See information in the table below",
"clientSecret": "See information in the table below",
"chainedGrantType": "password",
"tokenUsernameAttribute": "See information in the table below",
"tokenPublicKeyUrl": "See information in the table below",
"administratorAlias": "See information in the table below",
"administratorInternalName": "Administrator",
"tokenValidationType": "local"
},
"globalScopes": "See information in the table below",
"uriScopes": [
{
"uri": "See information in the table below",
"scopes": "See information in the table below",
"method": "See information in the table below"
}
]
}
3. Ensure that you edit the value of every parameter as per your requirement. Your implementation may vary depends on several factors, such as the security policies of your organization and the CAS for your federation. Use the information in the following tables as guidance to set values for different parameters.
4. Start the ThingWorx server.
ResourceServerSettings.accessTokenServicesSettings Settings
Parameter
Description
Value
clientId
The client Application ID from AD FS portal.
clientSecret
The client application secret from AD FS.
chainedGrantType
Reserved for future use.
password
tokenUsernameAttribute
The claim name that holds the username for the resource request.
Default value: “unique_name”
tokenPublicKeyUrl
The AD FS public key endpoint (used to validate the access tokens).
The value is constructed as follows:
https://<ADFS host FQDN>adfs/discovery/keys
administratorAlias
The administrator username as it is configure in AD FS.
administratorInternalName
The administrator username as it is configured in ThingWorx.
Administrator
tokenValidationType
The property point that the access token (JWT) validation done locally.
local
ResourceServerSettings.globalScopes Settings
Parameter
Description
Value
globalScopes
List of comma-separated global scopes. Includes the minimum set of scopes required to access any resource. If this parameter is missing or empty, THINGWORX is set as a default global scope. Do not leave this parameter empty. If there is no dedicated scope, then set THINGWORX as a value.
"globalScopes": "THINGWORX_APP1,THINGWORX_APP2"
ResourceServerSettings.uriScopes Settings
Parameter
Description
Value
uri
URI pattern. Defines the resource or resource group that requires additional scope(s) to the global scope(s).
Thingworx/Things/** - control all Things
Thingworx/Things/Thing1 – control Thing1
scopes
Comma-delimited list of additional scopes. Only the user that has grants to all listed scopes (including global) is allowed to get resource.
method
Optional. Defines the URI method that the scope will be applied to.
* 
If a method property is not supplied, then it is assumed that the specified URI is protected by the given scope for all of the HTTP method.
Possible values are any methods allowed in REST protocol, such as GET or POST.
If there are scopes defined for an URI, then the global scopes plus the defined URI scopes must be granted to access that resource. If there is more than one URI rule applicable for the requested resource, then all relevant scopes must be granted to access that resource. To avoid access to restricted resources, add URIscope to these REST end points with a scope that does not exist in the Authorization server. In addition to scope protection, ThingWorx has its own user-based permissions that will also be applied on top of the scopes. For example, in a case where User A requests a resource with the correct scopes but does not have permission, the request fails with a 403 error.
Example File
Was this helpful?