Enabling Authorization Server
Authorization Server is a service located on a service context, and the Access Token generated from the server is sent back to the client from the service context.
If you want to enable the Authorization Server, you are required to take the following steps.
Use the
mzsh topocommand to create a new Service Context, which will be attached tooauth2.mzsh topo set topo://container:<container name>/pico:<sc name> '{ template:mz.standard-sc config.properties { mz.servicehost.natures:"<startup-natures>" mz.servicehost.port.range:"<port range>" } }'See the example below where the service context is named
sc4.Example - Creating the Service Context
mzsh topo set topo://container:main1/pico:sc4 '{ template:mz.standard-sc config.properties { mz.servicehost.natures: oauth2 mz.servicehost.port.range:"6001-6050" } }'Use the
mzsh topocommand to add the authorization service as shown below. You must specify a name for the authorization service, e goauth2-instance.mzsh topo set topo://services:custom/obj:oauth2 '{ oauth2-instance { template: "1/standard/basic" config { jwt { key-id=jwt key-password="DR_DEFAULT_KEY-xxxxx" keystore-location="/path/to/keystore" keystore-password="DR_DEFAULT_KEY-xxxxx" # Only RS256, RS384 and RS512 are supported signature-algorithm=RS256 } management-api { # Management Web API Base URI base-uri="/api" enable-basic-auth=false # HTTP Basic Authentication Password password="DR_DEFAULT_KEY-xxxxx" # HTTP Basic Authentication Username username=mzadmin } sc=sc4 server { # Validity period in seconds for access token generated access-token-expiry=1800 # Endpoint to request for access token access-token-uri="/token" host=localhost port=10000 } tls { enable-tls=false enable-two-way-authentication=false # Configure keystore if using TLS keystore-location="/path/to/keystore" keystore-password="DR_DEFAULT_KEY-xxxxxxx" # Configure truststore if using 2-way authentication truststore-location="/path/to/truststore" truststore-password="DR_DEFAULT_KEY-xxxxxxx" } storage { database { # Only used when storage type is "database" profile-name="<Path.DBProfileName>" } file-based { # Only used when storage type is "file-based" storage-location="/path/to/file/storage" } # The storage type can be either "file-based" or "database" type=file-based } } } }'See the example below, where the authorization service is named
oauth2-instance.Example - Adding the Authorization Server service
mzsh topo set topo://services:custom/obj:oauth2 '{ oauth2-instance { template: "1/standard/basic" config { jwt { key-id=jwt key-password=DR_DEFAULT_KEY-A051F3C63B3D70DD3053CE156B9D38DA keystore-location="/home/mzadmin/keystore/auth-server/auth.jks" keystore-password=DR_DEFAULT_KEY-A051F3C63B3D70DD3053CE156B9D38DA # Only RS256, RS384 and RS512 are supported signature-algorithm=RS256 } management-api { # Management Web API Base URI base-uri="/api" enable-basic-auth=false # HTTP Basic Authentication Password password="DR_DEFAULT_KEY-A051F3C63B3D70DD3053CE156B9D38DA" # HTTP Basic Authentication Username username=mzadmin } sc=sc4 server { # Validity period in seconds for access token generated access-token-expiry=1800 # Endpoint to request for access token access-token-uri="/token" host=0.0.0.0 port=7000 } tls { enable-tls=false enable-two-way-authentication=false keystore-location="/home/mzadmin/keystore/tls/server.jks" keystore-password=DR_DEFAULT_KEY-6912EB66E4E5FDF6035DBF848195669A # Configure truststore if using 2-way authentication truststore-location="/home/mzadmin/keystore/tls/server.ts.jks" truststore-password=DR_DEFAULT_KEY-FEFEACE4D2E2DD5E78CE6CCC322E2DDC } storage { database { # Only used when storage type is "database" profile-name="Default.DBProfile" poolsize=8 } file-based { # Only used when storage type is "file-based" storage-location="/home/mzadmin/oauth2.storage" } # The storage type can be either "file-based" or "database" type="file-based" } } } }'Startup the SCs and startup the authorization server:
$ mzsh startup platform sc4 $ mzsh mzadmin/dr service start --scope custom