Configure an Authorization Server
Overview
An Authorization Server entry must exist within the RSA-OIDC database. The RSA acts as an OAuth Client of the Authorization Server. This must be the same Authorization Server from which the service provider (SP) receives the bearer tokens that represent the user's consent for the SP to access the user's resources. The RSA uses this Authorization Server to negotiate a PAT (Protection API Token): an OAuth access token with the scope "uma_protection" that a Resource Server uses to call the Authorization Server's protection and introspection APIs.
Request Attributes
The request attributes shown here are for the 'Register Authorization Server at the RSA' request below.
JSON-API type: oauth-provider
Parameter | Description | Example value | Required |
---|---|---|---|
name | A human-readable name for the OAuth Provider. | IDENTOS Authorization Server | Yes |
issuerUri | The base URL of the OAuth Provider. | {{AS_URI}} | Yes |
clientId | This value is used to identify the RSA-OIDC to the OAuth Provider. | rsa-to-as-client-id | Yes |
clientSecret | A secret the RSA-OIDC uses with the OAuth Provider. | rsa-to-as-client-secret | Yes |
clientAuthenticationMethod | The authentication method the RSA-OIDC uses with the OAuth Provider. If left null, defaults to CLIENT_SECRET_BASIC | private_key_jwt | No |
defaultScopes | Default scopes to include in requests to the OAuth Provider | uma_protection | No |
defaultPrompt | Default prompt to include in requests to the OAuth Provider | null | No |
additionalRequestParams | Additional parameters to include in requests to the OAuth Provider | {} | No |
metaDataRaw | Metadata can be provided in raw text format using this field | null | No |
Sample Requests
Register RSA at the Authorization Server
Entries must be made into the Authorization Server's database representing the RSA's OAuth Client relationship with it. An example request through the Authorization Server's Admin API is shown below. Refer to 'Configuring a Client via API' to learn more about registering OAuth Clients at the Authorization Server.
If 'private_key_jwt' is the chosen authentication method for the RSA as an OAuth Client, the corresponding entry in the Authorization Server database must use the same authentication method, and a JWKS URI for the RSA must also be provided to the Authorization Server. In the RSA's application config, the fpx.oidc.provider.jwks_endpoint property holds the path that is appended to the RSA's base URL to form the JWKS URI value stored in the Authorization Server database.
curl -X PATCH '{{AS_ADMIN_URI}}' \
  --header 'Accept: */*' \
  --header 'Content-Type: application/vnd.api+json; ext=jsonpatch' \
  --header 'Authorization: {{AS_ADMIN_STATIC_TOKEN}}' \
  --header 'ApiVersion: {{AS_ADMIN_VERSION}}' \
  --data-raw '[
  {
    "op": "add",
    "path": "/oauth-client-metadata",
    "value": {
      "id": 5,
      "type": "oauth-client-metadata",
      "attributes": {
        "issueUri": "{{RSA_URI}}",
        "clientAuthenticationType": "private_key_jwt",
        "clientType": "CONFIDENTIAL",
        "grantTypes": "refresh_token client_credentials authorization_code",
        "jwksRaw": null,
        "jwksUri": "{{RSA_URI}}/jwks",
        "scopes": "uma_protection",
        "clientSecret": "rsa-to-as-client-secret"
      }
    }
  },
  {
    "op": "add",
    "path": "/oauth-client",
    "value": {
      "type": "oauth-client",
      "id": 5,
      "attributes": {
        "clientId": "rsa-to-as-client-id"
      },
      "relationships": {
        "oAuthClientMetaData": {
          "data": {
            "type": "oauth-client-metadata",
            "id": 5
          }
        }
      }
    }
  },
  {
    "op": "add",
    "path": "/resource-server",
    "value": {
      "type": "resource-server",
      "id": 3,
      "attributes": {
        "baseUrl": "{{RSA_URI}}",
        "name": "RSA OIDC Alpha",
        "resourceServerId": "rsa-oidc-alpha"
      },
      "relationships": {
        "oAuthClient": {
          "data": {
            "id": 5,
            "type": "oauth-client"
          }
        }
      }
    }
  }
]'
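The private_key_jwt relationship set up above has two halves that the curl requests only configure: the RSA signs a client assertion with a private key whose public half it serves at its JWKS URI, and the Authorization Server resolves the assertion's kid against that registered JWKS before it will issue a PAT for the client_credentials grant with scope uma_protection. The following Go program is an added illustration of that exchange; it is not IDENTOS code and does not show how the IDENTOS Authorization Server implements the check. The token endpoint URL and the key id are constructed stand-ins (the page writes {{AS_URI}} and never names a key id); clientId "rsa-to-as-client-id" is the value from the registration requests. RS256 is assumed as the signing algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const (
	clientID      = "rsa-to-as-client-id"                 // from the page's registration requests
	tokenEndpoint = "https://as.example.test/oauth/token" // constructed stand-in for the {{AS_URI}} token endpoint
	keyID         = "rsa-signing-key-1"                   // constructed; the page names no key id
)

type JWK struct { // RFC 7517 JWK as served at {{RSA_URI}}/jwks; RSA keys only
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sha(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// PublishJWKS is the RSA side: only the public half of the signing key is exposed.
func PublishJWKS(pub *rsa.PublicKey) []JWK {
	return []JWK{{Kty: "RSA", Kid: keyID, N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())}}
}

// ClientAssertion is the RSA side: the private_key_jwt (RFC 7523) sent instead of a client secret; short exp and random jti limit replay.
func ClientAssertion(priv *rsa.PrivateKey, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": keyID})
	claims, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint, "jti": b64(jti),
		"iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix(),
	})
	input := b64(hdr) + "." + b64(claims)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sha(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyClientAssertion is the Authorization Server side: key by kid from the client's registered JWKS, then signature, then claims.
func VerifyClientAssertion(assertion string, keys []JWK, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed assertion")
	}
	dec := base64.RawURLEncoding.DecodeString
	hb, errH := dec(parts[0])
	cb, errC := dec(parts[1])
	sig, errS := dec(parts[2])
	if errH != nil || errC != nil || errS != nil {
		return "", fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" { // never honour "none" or an HMAC alg here
		return "", fmt.Errorf("unsupported alg")
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		n, errN := dec(k.N)
		e, errE := dec(k.E)
		if k.Kty == "RSA" && k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return "", fmt.Errorf("no registered JWKS key matches kid %q", hdr.Kid)
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sha(parts[0]+"."+parts[1]), sig) != nil {
		return "", fmt.Errorf("signature does not verify")
	}
	var c struct{ Iss, Sub, Aud string; Exp int64 }
	if json.Unmarshal(cb, &c) != nil || c.Iss != c.Sub || c.Aud != tokenEndpoint || now.Unix() >= c.Exp {
		return "", fmt.Errorf("iss/sub/aud/exp check failed")
	}
	return c.Iss, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	assertion, _ := ClientAssertion(priv, time.Now())
	fmt.Println(VerifyClientAssertion(assertion, PublishJWKS(&priv.PublicKey), time.Now()))
}
```

The assertion produced by ClientAssertion is what the RSA posts to the token endpoint as client_assertion, together with grant_type=client_credentials, scope=uma_protection and client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer; the access token that comes back is the PAT. On the verifying side, the order of checks matters: the kid is only used to select a key from the JWKS registered for this client, the alg is pinned rather than taken from the header, and the audience is the token endpoint itself, so an assertion minted for one Authorization Server cannot be replayed at another.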
Register Authorization Server at the RSA
The Authorization Server must also be registered at the RSA as an OAuth Provider. The following request to the RSA Admin API demonstrates this.
curl -X POST '{{RSA_ADMIN_URI}}/oauth-provider' \
  --header 'Accept: */*' \
  --header 'Content-Type: application/vnd.api+json' \
  --header 'ApiVersion: {{RSA_ADMIN_VERSION}}' \
  --header 'Authorization: {{RSA_ADMIN_STATIC_TOKEN}}' \
  --data-raw '{
  "data": {
    "type": "oauth-provider",
    "id": 2,
    "attributes": {
      "name": "IDENTOS Authorization Server",
      "issuerUri": "{{AS_URI}}",
      "clientId": "rsa-to-as-client-id",
      "clientSecret": "rsa-to-as-client-secret",
      "clientAuthenticationMethod": "private_key_jwt",
      "defaultScopes": "uma_protection",
      "defaultPrompt": null,
      "additionalRequestParams": {},
      "metaDataRaw": null
    }
  }
}'
Register Resource at the Authorization Server
curl --location --request PATCH 'admin.authserver.as-3464.dev.identos.ca/json-api' \
  --header 'Content-Type: application/vnd.api+json; ext=jsonpatch' \
  --header 'Authorization: c94856c7-50ac-4fd3-b395-89af4c7d7bbc' \
  --header 'ApiVersion: v1.0' \
  --header 'Accept-Language: en' \
  --data-raw '[
  {
    "op": "add",
    "path": "/resource",
    "value": {
      "type": "resource",
      "id": 2,
      "attributes": {
        "maxPermissionDuration": 3000000000,
        "resourceId": "rsa-userinfo",
        "resourceLocation": "https://rsa-oidc.as-3464.dev.identos.ca/api/userinfo"
      },
      "relationships": {
        "allowedScopes": {
          "data": [
            {
              "id": 1,
              "type": "scope"
            },
            {
              "id": 2,
              "type": "scope"
            }
          ]
        },
        "resourceDefinition": {
          "data": {
            "id": 1,
            "type": "resource-definition"
          }
        },
        "resourceServer": {
          "data": {
            "id": 3,
            "type": "resource-server"
          }
        }
      }
    }
  }
]'