I am new to ThingWorx and I am developing an Alexa Skill (Service Provider) which wants the data from ThingWorx (resource provider). I want to authorize the users who enable this developed skill by asking them to sign up to the ThingWorx application for the first time, and the communication between Alexa and ThingWorx from then on would happen with an Access Token and not an AppKey or passwords. For this mechanism to work, ThingWorx should support OAuth 2.0. So far I could not find any documentation (except the one describing SSO using PingFederate, which is a totally different scenario). Could anybody give some hints regarding this Alexa-ThingWorx-Access Token scenario?
Thanks in advance :)
ThingWorx uses SAML 2.0 for authentication and OAuth 2.0 for delegated authorizations. So yes, ThingWorx supports OAuth 2.0. As per your use case, ThingWorx will act as a resource provider, but in our SSO topologies ThingWorx generally acts as a service provider. But you can design your use case, as support for OAuth 2.0 is there; even in our topologies we use a CAS (central authorization server), which is PingFederate. So it depends on how you establish a CAS between Alexa and ThingWorx for the OAuth token flow for authorization.
For PTC SSO architecture and support you can also dig into this official guide for better understanding:
Hello Mr. Narang,
Thanks for the reply.
I have gone through that documentation about SSO in ThingWorx. In that documentation, there are certain roles defined for each application, i.e., ThingWorx is a Service Provider and Windchill is a resource provider. Windchill can be configured to provide access to the delegated authorization (requests with Access Tokens). There, ThingWorx requests Windchill to provide its data on behalf of the user. But the problem here is that ThingWorx won't give access to its resources to third-party services like Alexa / IFTTT when such services request a resource using an access token.
Please correct me if my understanding is wrong.
Yes, if you see it that way your understanding is correct. This design will be similar to one of our topologies in which ThingWorx is a service provider and SAP is a resource provider. So ThingWorx tries to access resources from the SAP system. Although I think there was something implemented on the SAP side also to allow OAuth from ThingWorx for authorization. Still, when ThingWorx tries to access a resource from SAP there is an additional SAP authorization page. So in a similar manner, in your use case there must be an implementation from the PTC ThingWorx R&D side to allow users from an external system to access resources.
Hope it helps!!
Exactly. There has to be something on the ThingWorx side to authenticate an HTTP request with an Access Token. I have also posted this on the PTC product idea portal. I hope PTC comes up with this functionality soon.