2.1 Enabling Authorization Server
The Authorization Server runs as a service on a Service Context (SC); the access token it generates is returned to the client from that Service Context.
To enable the Authorization Server, take the following steps.
Use the mzsh topo command to create a new Service Context with the oauth2 startup nature (set mz.servicehost.natures to oauth2):
mzsh topo set topo://container:<container name>/pico:<sc name> '{ template:mz.standard-sc config.properties { mz.servicehost.natures:"<startup-natures>" mz.servicehost.port.range:"<port range>" } }'
See the example below, where the Service Context is named sc4.
Example - Creating the Service Context
mzsh topo set topo://container:main1/pico:sc4 '{ template:mz.standard-sc config.properties { mz.servicehost.natures: oauth2 mz.servicehost.port.range:"6001-6050" } }'
Use the mzsh topo command to add the authorization service as shown below. You must specify a name for the authorization service, e.g. oauth2-instance. The comment lines (#) run to the end of the line, so the payload must keep its line breaks:
mzsh topo set topo://services:custom/obj:oauth2 '{
  oauth2-instance {
    template: "1/standard/basic"
    config {
      jwt {
        key-id=jwt
        key-password="DR_DEFAULT_KEY-xxxxx"
        keystore-location="/path/to/keystore"
        keystore-password="DR_DEFAULT_KEY-xxxxx"
        # Only RS256, RS384 and RS512 are supported
        signature-algorithm=RS256
      }
      management-api {
        # Management Web API Base URI
        base-uri="/api"
        enable-basic-auth=false
        # HTTP Basic Authentication Password
        password="DR_DEFAULT_KEY-xxxxx"
        # HTTP Basic Authentication Username
        username=mzadmin
      }
      # Name of the Service Context created in the previous step
      sc=sc4
      server {
        # Validity period in seconds for access token generated
        access-token-expiry=1800
        # Endpoint to request for access token
        access-token-uri="/token"
        host=localhost
        port=10000
      }
      tls {
        enable-tls=false
        enable-two-way-authentication=false
        # Configure keystore if using TLS
        keystore-location="/path/to/keystore"
        keystore-password="DR_DEFAULT_KEY-xxxxxxx"
        # Configure truststore if using 2-way authentication
        truststore-location="/path/to/truststore"
        truststore-password="DR_DEFAULT_KEY-xxxxxxx"
      }
      storage {
        database {
          # Only used when storage type is "database"
          profile-name="<Path.DBProfileName>"
        }
        file-based {
          # Only used when storage type is "file-based"
          storage-location="/path/to/file/storage"
        }
        # The storage type can be either "file-based" or "database"
        type=file-based
      }
    }
  }
}'
See the example below, where the authorization service is named oauth2-instance.
Example - Adding the Authorization Server service
mzsh topo set topo://services:custom/obj:oauth2 '{
  oauth2-instance {
    template: "1/standard/basic"
    config {
      jwt {
        key-id=jwt
        key-password=DR_DEFAULT_KEY-A051F3C63B3D70DD3053CE156B9D38DA
        keystore-location="/home/mzadmin/keystore/auth-server/auth.jks"
        keystore-password=DR_DEFAULT_KEY-A051F3C63B3D70DD3053CE156B9D38DA
        # Only RS256, RS384 and RS512 are supported
        signature-algorithm=RS256
      }
      management-api {
        # Management Web API Base URI
        base-uri="/api"
        enable-basic-auth=false
        # HTTP Basic Authentication Password
        password="DR_DEFAULT_KEY-A051F3C63B3D70DD3053CE156B9D38DA"
        # HTTP Basic Authentication Username
        username=mzadmin
      }
      sc=sc4
      server {
        # Validity period in seconds for access token generated
        access-token-expiry=1800
        # Endpoint to request for access token
        access-token-uri="/token"
        host=0.0.0.0
        port=7000
      }
      tls {
        enable-tls=false
        enable-two-way-authentication=false
        keystore-location="/home/mzadmin/keystore/tls/server.jks"
        keystore-password=DR_DEFAULT_KEY-6912EB66E4E5FDF6035DBF848195669A
        # Configure truststore if using 2-way authentication
        truststore-location="/home/mzadmin/keystore/tls/server.ts.jks"
        truststore-password=DR_DEFAULT_KEY-FEFEACE4D2E2DD5E78CE6CCC322E2DDC
      }
      storage {
        database {
          # Only used when storage type is "database"
          profile-name="Default.DBProfile"
          poolsize=8
        }
        file-based {
          # Only used when storage type is "file-based"
          storage-location="/home/mzadmin/oauth2.storage"
        }
        # The storage type can be either "file-based" or "database"
        type="file-based"
      }
    }
  }
}'
Note that this example binds the token endpoint to all interfaces (host=0.0.0.0) while TLS (enable-tls=false) and HTTP Basic authentication for the management API (enable-basic-auth=false) are both off. That is acceptable for a local test only; enable TLS and Basic authentication before exposing the service on a network.
Start the Service Context and then the authorization server:
$ mzsh startup platform sc4
$ mzsh service start --scope custom
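Before running mzsh service start, it is worth checking the payload for the settings that the example above leaves open. The POSIX shell script below is an added example, not part of MediationZone or of this page: it reads a copy of the oauth2 service config saved to a file (same key=value layout as the payload above) and reports TLS off, the token endpoint bound to 0.0.0.0 in the clear, the management API without HTTP Basic authentication, a signature algorithm outside RS256/RS384/RS512, template placeholders (DR_DEFAULT_KEY-xxxxx, /path/to/...) that were never replaced, and tokens valid for more than an hour. The two sample configs are constructed here from the page's example and a hardened variant; the function names, the one-hour threshold and the message wording are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not MediationZone tooling: audit an oauth2 service config
# (the "mzsh topo set" payload saved to a file) before starting the service.
# Key names come from the config above; thresholds and messages are assumptions.

# get_setting FILE KEY: print the first value of KEY, surrounding quotes removed
get_setting() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" \
    | head -n 1 | sed 's/^"//; s/"$//'
}

# audit_oauth2_config FILE: print one "FINDING ..." line per weak setting; always exits 0
audit_oauth2_config() {
  cfg=$1
  tls=$(get_setting "$cfg" enable-tls)
  host=$(get_setting "$cfg" host)
  basic=$(get_setting "$cfg" enable-basic-auth)
  alg=$(get_setting "$cfg" signature-algorithm)
  expiry=$(get_setting "$cfg" access-token-expiry)

  if [ "$tls" != "true" ]; then
    echo "FINDING tls: enable-tls=${tls:-unset}; /token and the management API are served over plaintext HTTP"
    if [ "$host" = "0.0.0.0" ]; then
      echo "FINDING bind: host=0.0.0.0 with TLS off exposes the plaintext endpoints on every interface"
    fi
  fi
  if [ "$basic" != "true" ]; then
    echo "FINDING mgmt: enable-basic-auth=${basic:-unset}; the management API under base-uri is unauthenticated"
  fi
  case "$alg" in
    RS256|RS384|RS512) ;;
    *) echo "FINDING jwt: signature-algorithm=${alg:-unset} is not one of RS256, RS384, RS512" ;;
  esac
  case "$expiry" in
    ''|*[!0-9]*) ;;   # absent or not a number: nothing to compare
    *) if [ "$expiry" -gt 3600 ]; then
         echo "FINDING token: access-token-expiry=$expiry s exceeds the assumed one hour limit"
       fi ;;
  esac
  # template placeholders that were never replaced with real values
  if grep -qE 'DR_DEFAULT_KEY-x+|/path/to/' "$cfg"; then
    echo "FINDING placeholder: template values (DR_DEFAULT_KEY-xxxxx, /path/to/...) are still present"
  fi
  return 0
}

# count_findings FILE: number of findings on stdout (0 for a clean config)
count_findings() {
  audit_oauth2_config "$1" | grep -c '^FINDING' || true
}

# Constructed sample 1: the security-relevant lines of the example config above
WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
jwt {
  signature-algorithm=RS256
}
management-api {
  base-uri="/api"
  enable-basic-auth=false
}
server {
  access-token-expiry=1800
  host=0.0.0.0
  port=7000
}
tls {
  enable-tls=false
  enable-two-way-authentication=false
}
EOF

# Constructed sample 2: the same config with TLS and HTTP Basic authentication on
cat > "$HARDENED_CFG" <<'EOF'
jwt {
  signature-algorithm=RS256
}
management-api {
  base-uri="/api"
  enable-basic-auth=true
}
server {
  access-token-expiry=1800
  host=0.0.0.0
  port=7000
}
tls {
  enable-tls=true
  keystore-location="/home/mzadmin/keystore/tls/server.jks"
}
EOF

echo "== weak config =="
audit_oauth2_config "$WEAK_CFG"
echo "== hardened config: $(count_findings "$HARDENED_CFG") findings =="
```

To audit a real deployment, save the payload you pass to mzsh topo set to a file and call audit_oauth2_config on that file; the weak sample produces three findings (plaintext HTTP, 0.0.0.0 bind, unauthenticated management API) and the hardened sample none.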