...
Code block:

```hocon
enabled=false
jwt {
    key-id=jwt
    key-password="DR_DEFAULT_KEY-25FB75239B53E487605912194E971790"
    keystore-location="/path/to/keystore"
    keystore-password="DR_DEFAULT_KEY-25FB75239B53E487605912194E971790"
    # Only RS256, RS384 and RS512 are supported
    signature-algorithm=RS256
}
management-api {
    # Management Web API Base URI
    base-uri="/api"
    enable-basic-auth=false
    # HTTP Basic Authentication Password
    password="DR_DEFAULT_KEY-1D2E6A059AF8120841E62C87CFDB3FF4"
    # HTTP Basic Authentication Username
    username=mzadmin
}
sc=sc1
server {
    # Validity period in seconds for access token generated
    access-token-expiry=1800
    # Endpoint to request for access token
    access-token-uri="/token"
    host=localhost
    port=10000
}
storage {
    database {
        # --------------------------------------------------------------------------------
        # Storage Properties
        # --------------------------------------------------------------------------------
        # Only used when storage type is "database". PostgreSQL or Oracle DB only
        storage.database.profile-name="<Path.DBProfileName>"
    }
    file-based {
        storage.database.poolsize=8
        # Only used when storage type is "file-based"
        storage.file-based.storage-location="/path/to/file/storage"
    }
    # The storage type can be either "file-based" or "database"
    storage.type=file-based
}
tls {
    enable-tls=false
    enable-two-way-authentication=false
    # Configure keystore if using TLS
    keystore-location="/path/to/keystore"
    keystore-password="DR_DEFAULT_KEY-25FB75239B53E487605912194E971790"
    # Configure truststore if using TLS 2-way authentication
    truststore-location="/path/to/truststore"
    truststore-password="DR_DEFAULT_KEY-25FB75239B53E487605912194E971790"
}
```
JWT
The Authorization Server generates JSON Web Token (JWT) based access tokens and requires each JWT to be digitally signed. Currently, only signing with an RSA private/public key pair is supported.
The JWT block is used to configure the keystore and the RSA private/public key pair details.
Parameter Name | Description |
---|---|
keystore-location | Path to the keystore where the RSA private/public key pair used for JWT is stored. Only Java KeyStore (JKS) format is supported. |
keystore-password | Password of the keystore. Must be encrypted using the "mzsh encryptpassword" command |
key-id | Alias of the RSA private/public key pair used for JWT |
key-password | Password of the RSA private/public key pair used for JWT |
signature-algorithm | Signature algorithm to be used for JWT signing. Only RS256, RS384 and RS512 are supported |
Management API
The Management API is used to provision scopes and register clients via HTTP. Clients need to be registered before any access token can be requested.
The Management API configuration is used to configure the base endpoint in the Authorization Server that will be used to host the Management API.
For more information on the function of the Management API, refer to New Management API.
Parameter Name | Description |
---|---|
base-uri | Base URI to host the Management API |
enable-basic-auth | Enable HTTP Basic Authentication for the Management API |
username | Username for HTTP Basic Authentication (if enabled) |
password | Password for HTTP Basic Authentication (if enabled). Must be encrypted using the "mzsh encryptpassword" command |

Info: It is recommended to have ...
SC
The Authorization Server will be hosted in a Service Context (SC), and the name of that SC needs to be specified.
Parameter Name | Description |
---|---|
sc | Name of the Service Context (SC) in which the Authorization Server is hosted |
Server
The server configuration for the OAuth2 Service determines where the access token endpoint is hosted and how long an access token remains valid.
Parameter Name | Description |
---|---|
host | Host on which the access token endpoint is hosted |
port | Port on which the access token endpoint is hosted |
access-token-uri | Endpoint to request for access token |
access-token-expiry | Validity period in seconds for access token generated |
```properties
# --------------------------------------------------------------------------------
# Server Properties
# --------------------------------------------------------------------------------
# Validity period in seconds for access token generated
server.access-token-expiry=1800
# --------------------------------------------------------------------------------
# Management Api Properties
# --------------------------------------------------------------------------------
management-api.enable-basic-auth=true
# HTTP Basic Authentication Password
management-api.password=DR-4-6912EB66E4E5FDF6035DBF848195669A
# HTTP Basic Authentication Username
management-api.username=mzadmin
# --------------------------------------------------------------------------------
# JSON Web Token (JWT) Properties
# --------------------------------------------------------------------------------
jwt.key-id=jwt
jwt.key-password=DR-4-6912EB66E4E5FDF6035DBF848195669A
jwt.keystore-location=/path/to/keystore
jwt.keystore-password=DR-4-6912EB66E4E5FDF6035DBF848195669A
# Only RS256, RS384 and RS512 are supported
jwt.signature-algorithm=RS256
```
Storage
The OAuth2 Service can store provisioned scopes and registered clients in memory or in persistent storage.
Parameter Name | Description |
---|---|
type | Type of storage to be used. The value can be one of the following: file-based (default) - the data will be stored in a file-based storage; database - the data will be stored in a database. |
file-based.storage-location | Location of the file-based storage. Will be created if not found. Only used when storage type is set to "file-based" |
database.profile-name | The Database Profile Name in MZ to be used. Only used when storage type is set to "database". The value of the profile name should include the directory name as shown in the desktop UI. |
TLS
The Authorization Server runs over HTTP, and it is highly recommended that this HTTP traffic is secured using TLS.
Parameter Name | Description |
---|---|
enable-tls | Enable TLS for the Authorization Server |
enable-two-way-authentication | Enable TLS two-way authentication; requires a truststore to be configured |
keystore-location | Path to the keystore, used when TLS is enabled |
keystore-password | Password of the keystore, used when TLS is enabled |
truststore-location | Path to the truststore, used when TLS two-way authentication is enabled |
truststore-password | Password of the truststore, used when TLS two-way authentication is enabled |
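Because the block at the top of this page ships with enable-tls=false and enable-basic-auth=false, a quick pre-deployment check of the settings this page calls out is worth automating. The following is an added example, not tooling from the product: a small reader for the block-style layout shown on this page (not a full HOCON parser) followed by an audit of the TLS, Management API, signature-algorithm and access-token-expiry settings. Both configurations are constructed; the 3600-second token lifetime limit, the treatment of "/path/to/" as a documentation placeholder and the hardened file's paths and password placeholder are assumptions made here.

```python
SUPPORTED_ALGS = {"RS256", "RS384", "RS512"}  # the only JWT signing algorithms the page lists
PLACEHOLDER_PREFIX = "/path/to/"              # the sample paths used in this documentation

# Constructed sample in the layout of the page's configuration block, weak settings left in.
WEAK_CONFIG = """\
jwt {
    key-id=jwt
    keystore-location="/path/to/keystore"
    # Only RS256, RS384 and RS512 are supported
    signature-algorithm=HS256
}
management-api {
    base-uri="/api"
    enable-basic-auth=false
    username=mzadmin
}
server {
    access-token-expiry=86400
}
tls {
    enable-tls=false
    enable-two-way-authentication=false
}
"""

# Constructed hardened counterpart (paths and the password placeholder are made up).
HARDENED_CONFIG = """\
jwt {
    key-id=jwt
    keystore-location="/opt/mz/oauth2/jwt.jks"
    signature-algorithm=RS256
}
management-api {
    base-uri="/api"
    enable-basic-auth=true
    password="<value produced by mzsh encryptpassword>"
    username=mzadmin
}
server {
    access-token-expiry=1800
}
tls {
    enable-tls=true
    enable-two-way-authentication=true
    keystore-location="/opt/mz/oauth2/tls.jks"
    truststore-location="/opt/mz/oauth2/clients.jks"
}
"""

def parse_config(text):
    """Flatten `name { key=value ... }` blocks into dotted keys. Handles the layout
    shown on this page only; it is not a full HOCON parser."""
    flat, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if not stack:
                raise ValueError("line %d: unexpected '}'" % lineno)
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            flat[".".join(stack + [key])] = value
        else:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
    if stack:
        raise ValueError("unclosed block: " + ".".join(stack))
    return flat

def audit(cfg, max_token_lifetime=3600):
    """Return findings for the settings this page documents; an empty list means the
    configuration passes. max_token_lifetime is a policy choice, not a product limit."""
    def enabled(key):
        return cfg.get(key, "false").lower() == "true"
    findings = []
    if not enabled("tls.enable-tls"):
        findings.append("tls.enable-tls is not true: token endpoint and Management API run over plain HTTP")
    elif cfg.get("tls.keystore-location", "").startswith(PLACEHOLDER_PREFIX):
        findings.append("tls.keystore-location still holds the documentation placeholder path")
    if enabled("tls.enable-two-way-authentication") and not cfg.get("tls.truststore-location"):
        findings.append("tls.enable-two-way-authentication is true but tls.truststore-location is not set")
    if not enabled("management-api.enable-basic-auth"):
        findings.append("management-api.enable-basic-auth is not true: scope provisioning and client registration need no credentials")
    elif not cfg.get("management-api.password"):
        findings.append("management-api.enable-basic-auth is true but management-api.password is empty")
    alg = cfg.get("jwt.signature-algorithm")
    if alg not in SUPPORTED_ALGS:
        findings.append("jwt.signature-algorithm=%r is not one of RS256, RS384, RS512" % alg)
    if cfg.get("jwt.keystore-location", "").startswith(PLACEHOLDER_PREFIX):
        findings.append("jwt.keystore-location still holds the documentation placeholder path")
    expiry = cfg.get("server.access-token-expiry", "")
    if not expiry.isdigit() or int(expiry) <= 0:
        findings.append("server.access-token-expiry=%r is not a positive number of seconds" % expiry)
    elif int(expiry) > max_token_lifetime:
        findings.append("server.access-token-expiry=%s exceeds the %d-second limit" % (expiry, max_token_lifetime))
    return findings
```

Running `audit(parse_config(WEAK_CONFIG))` reports five findings (plain HTTP, unauthenticated Management API, an unsupported signature algorithm, the placeholder keystore path and a day-long token lifetime); the hardened configuration reports none. The reader also rejects an unclosed block instead of silently dropping the trailing settings, which is the failure mode that matters when a truncated file is deployed.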
Server
The server configuration for the OAuth2 Service determines where the access token endpoint is hosted and how long an access token remains valid.
Parameter Name | Description |
---|---|
access-token-expiry | Validity period in seconds for access token generated |
Management API
The Management API is used to provision scopes and register clients via HTTP. Clients need to be registered before any access token can be requested.
The Management API configuration is used to configure the base endpoint in the Authorization Server that will be used to host the Management API.
For more information on the function of the Management API, refer to New Management API.
Parameter Name | Description |
---|---|
base-uri | Base URI to host the Management API |
enable-basic-auth | Enable HTTP Basic Authentication for the Management API |
username | Username for HTTP Basic Authentication (if enabled) |
password | Password for HTTP Basic Authentication (if enabled). Must be encrypted using the "mzsh encryptpassword" command |
JWT
The Authorization Server generates JSON Web Token (JWT) based access tokens and requires each JWT to be digitally signed. Currently, only signing with an RSA private/public key pair is supported.
The JWT block is used to configure the keystore and the RSA private/public key pair details.
Parameter Name | Description |
---|---|
keystore-location | Path to the keystore where the RSA private/public key pair used for JWT is stored. Only Java KeyStore (JKS) format is supported. |
keystore-password | Password of the keystore. Must be encrypted using the "mzsh encryptpassword" command |
key-id | Alias of the RSA private/public key pair used for JWT |
key-password | Password of the RSA private/public key pair used for JWT |
signature-algorithm | Signature algorithm to be used for JWT signing. Only RS256, RS384 and RS512 are supported |
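The JWT sections above describe what the Authorization Server puts into a token (an RSA signature with RS256, RS384 or RS512, the key alias from key-id, and a lifetime of access-token-expiry seconds); what a resource server must check when such a token arrives is the other half of the picture. The following is an added example, not code from the page or from the product: it signs and validates tokens with the three supported algorithms using only the Python standard library. It assumes a throw-away RSA key generated in the script (the product reads its key pair from the JKS keystore instead), that the token header carries the key alias as the standard JOSE "kid" field, and that "exp" is "iat" plus access-token-expiry; the token layout otherwise follows RFC 7519. The validation side deliberately fixes the set of acceptable algorithms to the three RSA ones, so a header claiming "none" or an HMAC algorithm is rejected before any signature is examined.

```python
import base64
import hashlib
import hmac
import json
import secrets

# EMSA-PKCS1-v1_5 DigestInfo prefixes (RFC 8017 section 9.2) for the algorithms the page lists.
DIGEST_INFO = {
    "RS256": (hashlib.sha256, bytes.fromhex("3031300d060960864801650304020105000420")),
    "RS384": (hashlib.sha384, bytes.fromhex("3041300d060960864801650304020205000430")),
    "RS512": (hashlib.sha512, bytes.fromhex("3051300d060960864801650304020305000440")),
}

def is_probable_prime(n, rounds=24):
    # Miller-Rabin; sufficient for the throw-away demo key generated below.
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(size):
    while True:
        cand = secrets.randbits(size) | (1 << (size - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_rsa_key(bits=1024):
    """Return (n, e, d). Demo only: the product keeps its key pair in the JKS
    keystore at keystore-location, under the alias given by key-id."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(alg, message, k):
    # EM = 0x00 || 0x01 || PS (0xff...) || 0x00 || DigestInfo, exactly k bytes long.
    hash_fn, prefix = DIGEST_INFO[alg]
    t = prefix + hash_fn(message).digest()
    if k < len(t) + 11:
        raise ValueError("RSA modulus too small for " + alg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(alg, n, d, message):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(alg, message, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(alg, n, e, message, signature):
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa_pkcs1_v15(alg, message, k))

def issue_token(n, d, key_id, expiry_seconds, now, alg="RS256", claims=None):
    """Mint a token as the Authorization Server does: kid = key-id (assumed header field),
    alg = signature-algorithm, exp = iat + access-token-expiry; now is epoch seconds."""
    header = {"alg": alg, "typ": "JWT", "kid": key_id}
    payload = dict(claims or {}, iat=now, exp=now + expiry_seconds)
    signing_input = ".".join(b64url(json.dumps(o, separators=(",", ":")).encode()) for o in (header, payload))
    return signing_input + "." + b64url(rsa_sign(alg, n, d, signing_input.encode("ascii")))

def validate_token(token, n, e, key_id, now):
    """Resource-server check: returns the payload or raises ValueError. The header's
    alg is honoured only if it is one of the RSA algorithms in DIGEST_INFO, so
    alg=none or an HMAC alg can never bypass the RSA signature check."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, payload = dict(json.loads(b64url_decode(h_b64))), dict(json.loads(b64url_decode(p_b64)))
        signing_input, signature = (h_b64 + "." + p_b64).encode("ascii"), b64url_decode(s_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed token")
    if (alg := header.get("alg")) not in DIGEST_INFO:
        raise ValueError("algorithm not allowed: %r" % alg)
    if header.get("kid") != key_id:
        raise ValueError("unknown key id")
    if not rsa_verify(alg, n, e, signing_input, signature):
        raise ValueError("bad signature")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired")
    return payload
```

A resource server would load n and e from the public half of the key stored under key-id in the keystore and call `validate_token` with the current epoch time; the order of checks (algorithm allowlist, key id, signature, then expiry) means an unsigned or re-signed token is refused before any claim inside it is trusted, and a token minted with access-token-expiry=1800 is refused from exactly 1800 seconds after its iat.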