This section describes the properties used by the Authorization Server. They are grouped into blocks, each block corresponding to one element of the Authorization Server.
Authorization Server template.conf
# Only RS256, RS384 and RS512 are supported
# Management Web API Base URI
# HTTP Basic Authentication Password
# HTTP Basic Authentication Username
# Validity period in seconds for access token generated
# Endpoint to request for access token
# Only used when storage type is "database". PostgreSQL or Oracle DB only
# Only used when storage type is "file-based"
# The storage type can be either "file-based" or "database"
# Configure keystore if using TLS
# Configure truststore if using TLS 2-way authentication
The Authorization Server issues JSON Web Token (JWT) access tokens and requires every JWT to be digitally signed. Currently, only signing with an RSA private/public key pair is supported.
The JWT block is used to configure the keystore and the RSA private/public key pair details.
Path to the keystore where the RSA private/public key pair used for JWT is stored. Only Java KeyStore (JKS) format is supported.
Password of the keystore. Must be encrypted using "mzsh encryptpassword" command
Alias of the RSA private/public key pair used for JWT
Password of the RSA private/public key pair used for JWT
Signature algorithm used to sign the JWT. Only RS256, RS384 and RS512 (RSASSA-PKCS1-v1_5 with SHA-256, SHA-384 or SHA-512) are supported; anything that validates these tokens should accept only these three values.
The Management API is used to provision scopes and register clients via HTTP. Clients need to be registered before any access token can be requested.
The Management API configuration is used to configure the base endpoint in the Authorization Server that will be used to host the Management API.
For more information on the function of the Management API, refer to Management API
Base URI to host the Management API
Enable HTTP Basic Authentication for Management API
Keep enable-basic-auth set to true. Without it, anyone who can reach the base URI can list the registered clients and scopes, and provision new ones, without presenting the credentials below. HTTP Basic Authentication only base64-encodes the username and password, so the Management API should also be served over TLS (see the keystore settings in the template) rather than plain HTTP.
Username for HTTP Basic Authentication (if enabled)
Password for HTTP Basic Authentication (if enabled). Must be encrypted using "mzsh encryptpassword" command
The Authorization Server is hosted in a Service Context (SC), and the name of that SC must be specified.
Name of the Service Context (SC) that will be hosting the Authorization Server.
The server configuration for the OAuth2 Service determines where the access token endpoint is hosted and how long issued access tokens remain valid.
Hostname or IP address on which to host the OAuth2 Service. This should match the SC hostname or IP address
Port number to host the OAuth2 Service
URI of the access token endpoint. Access tokens are requested here
Validity period in seconds for access token generated
The OAuth2 Service stores provisioned scopes and registered clients either in a file on disk or in a database.
The storage configuration determines where the data is stored. For database storage, see Authorization Server Storage Database Schema for how to create the tables the Authorization Server needs.
Type of storage to be used. The value can be one of the following:
file-based (Default) - The data will be stored in a file-based storage
database - The data will be stored in a database.
Only PostgreSQL and Oracle database are currently supported.
Location of the file-based storage; it is created if it does not exist. Only used when storage type is set to "file-based"
For a fresh install, the last element of the path should not already exist, as the Authorization Server creates it automatically.
The Database Profile Name in MZ to be used. Only used when storage type is set to "database". The value of the profile name should include the directory name as shown in the desktop UI.