2.1 Enabling Authorization Server

Authorization Server is a service located on a service context, and the Access Token generated from the server is sent back to the client from the service context.

If you want to enable the Authorization Server, you are required to take the following steps.

  1. Use the mzsh topo command to create a new Service Context, which will be attached to oauth2.

    mzsh topo set topo://container:<container name>/pico:<sc name> '{
           template:mz.standard-sc
             config.properties {
             mz.servicehost.natures:"<startup-natures>"
             mz.servicehost.port.range:"<port range>"
    	   }
    }'

    See the example below where the service context is named sc4.

    Example - Creating the Service Context

    mzsh topo set topo://container:main1/pico:sc4 '{
           template:mz.standard-sc
             config.properties {
             mz.servicehost.natures: oauth2
    		 mz.servicehost.port.range:"6001-6050"
           }
    }'
  2. Use the mzsh topo command to add the authorization service as shown below.  You must specify a name for the authorization service, e g oauth2-instance.

    mzsh topo set topo://services:custom/obj:oauth2 '{    
           oauth2-instance {
            template: "1/standard/basic"
            config {
                jwt {
                    key-id=jwt
                    key-password="DR_DEFAULT_KEY-xxxxx"
                    keystore-location="/path/to/keystore"
                    keystore-password="DR_DEFAULT_KEY-xxxxx"
    				# Only RS256, RS384 and RS512 are supported
    				signature-algorithm=RS256
                }
    			management-api {
        			# Management Web API Base URI
        			base-uri="/api"
        			enable-basic-auth=false
        			# HTTP Basic Authentication Password
        			password="DR_DEFAULT_KEY-xxxxx"
        			# HTTP Basic Authentication Username
        			username=mzadmin
    			}
                sc=sc4
                server {
                    # Validity period in seconds for access token generated
                    access-token-expiry=1800
                    # Endpoint to request for access token
                    access-token-uri="/token"
                    host=localhost
                    port=10000
                }
                tls {
                    enable-tls=false
                    enable-two-way-authentication=false
    				# Configure keystore if using TLS
                    keystore-location="/path/to/keystore"
                    keystore-password="DR_DEFAULT_KEY-xxxxxxx"
                    # Configure truststore if using 2-way authentication
                    truststore-location="/path/to/truststore"
                    truststore-password="DR_DEFAULT_KEY-xxxxxxx"
                }
                storage {
                    database {
                        # Only used when storage type is "database"
                        profile-name="<Path.DBProfileName>"
                    }
                    file-based {
                        # Only used when storage type is "file-based"
                        storage-location="/path/to/file/storage"
                    }
                    # The storage type can be either "file-based" or "database"
                    type=file-based
                }
            }
          }
    }'

    See the example below, where the authorization service is named oauth2-instance.

    Example - Adding the Authorization Server service

    mzsh topo set topo://services:custom/obj:oauth2 '{    
           oauth2-instance {
            template: "1/standard/basic"
            config {
                jwt {
                    key-id=jwt
                    key-password=DR_DEFAULT_KEY-A051F3C63B3D70DD3053CE156B9D38DA
                    keystore-location="/home/mzadmin/keystore/auth-server/auth.jks"
                    keystore-password=DR_DEFAULT_KEY-A051F3C63B3D70DD3053CE156B9D38DA
    				# Only RS256, RS384 and RS512 are supported
    				signature-algorithm=RS256 
    			}
    			management-api {
        			# Management Web API Base URI
        			base-uri="/api"
        			enable-basic-auth=false
        			# HTTP Basic Authentication Password
        			password="DR_DEFAULT_KEY-A051F3C63B3D70DD3053CE156B9D38DA"
        			# HTTP Basic Authentication Username
        			username=mzadmin
    			}
                sc=sc4
    			server {
                    # Validity period in seconds for access token generated
                    access-token-expiry=1800
                    # Endpoint to request for access token
                    access-token-uri="/token"
                    host=0.0.0.0
                    port=7000
                }
     			tls {
                    enable-tls=false
                    enable-two-way-authentication=false
                    keystore-location="/home/mzadmin/keystore/tls/server.jks"
                    keystore-password=DR_DEFAULT_KEY-6912EB66E4E5FDF6035DBF848195669A
                    # Configure truststore if using 2-way authentication
                    truststore-location="/home/mzadmin/keystore/tls/server.ts.jks"
                    truststore-password=DR_DEFAULT_KEY-FEFEACE4D2E2DD5E78CE6CCC322E2DDC
                }
                storage {
                    database {
                        # Only used when storage type is "database"
                        profile-name="Default.DBProfile"
                        poolsize=8
                    }
                    file-based {
                        # Only used when storage type is "file-based"
                        storage-location="/home/mzadmin/oauth2.storage"
                    }
                    # The storage type can be either "file-based" or "database"
                    type="file-based"
                }
            }
          }
    }'
  3. Startup the SCs and startup the authorization server:

    $ mzsh startup platform sc4
    $ mzsh service start --scope custom