Authorization Server Properties
This section describes the different properties that are being used in the Authorization Server. These properties are divided into several blocks with each block corresponding to a particular element of the Authorization Server.
The following is an example of a properties file configured according to these requirements (here for a file-based installation running in the platform):
enabled=true
# --------------------------------------------------------------------------------
# Pico Properties
# --------------------------------------------------------------------------------
# Define the type of Pico to run the Authorization Server.
# Supported values:
# - platform: Runs the server in the platform.
# - ec: Runs the server in an EC (requires specifying the EC name).
pico.type=platform
# Specify the name of the EC if pico.type is set to 'ec'.
# This property will be ignored if pico.type is set to 'platform'.
# Example: ec.name=ec1
ec.name=""
# --------------------------------------------------------------------------------
# Storage Properties
# --------------------------------------------------------------------------------
# Only used when storage type is "database". PostgreSQL or Oracle DB only
storage.database.profile-name=<Path.DBProfileName>
storage.database.poolsize=8
# Only used when storage type is "file-based"
storage.file-based.storage-location=/Users/limyizhan/Workspace/mz9/mz-drx/mediationzone/storage/oauth2.storage
# The storage type can be either "file-based" or "database"
storage.type=file-based
# --------------------------------------------------------------------------------
# Server Properties
# --------------------------------------------------------------------------------
# Validity period in seconds for access token generated
server.access-token-expiry=1800
# --------------------------------------------------------------------------------
# Management Api Properties
# --------------------------------------------------------------------------------
management-api.enable-basic-auth=true
# HTTP Basic Authentication Password
management-api.password=DR-4-6912EB66E4E5FDF6035DBF848195669A
# HTTP Basic Authentication Username
management-api.username=mzadmin
# --------------------------------------------------------------------------------
# JSON Web Token (JWT) Properties
# --------------------------------------------------------------------------------
jwt.key-id=selfsigned
jwt.key-password=DR-4-6912EB66E4E5FDF6035DBF848195669A
jwt.keystore-location=/Users/limyizhan/Downloads/keystore_server.jks
jwt.keystore-password=DR-4-6912EB66E4E5FDF6035DBF848195669A
# Only RS256, RS384 and RS512 are supported
jwt.signature-algorithm=RS256

Pico
Parameter Name | Description |
|---|---|
pico.type | Type of pico used to run the authorization server. One of "platform" (runs the server in the platform) or "ec" (runs the server in an execution container; ec.name must then be set). Note! Only one mode, either 'platform' or 'execution container', can be active at a time. To switch modes, first disable the currently active mode, then enable the other. For example, to switch from 'platform' to 'execution container', disable 'platform' first, then enable 'execution container'. The same applies when switching from 'execution container' to 'platform'. Note! Restart the relevant containers to ensure the changes are applied. |
ec.name | Name of the execution container that will be assigned to run the authorization server. Only used if pico.type is set to 'ec'; ignored when pico.type is 'platform'. |
Storage
The OAuth2 Service stores provisioned scopes and registered clients into memory or persistent storage.
The storage configuration is used to determine where the data should be stored. For Database type storage, see Authorization Server Storage Database Schema for details on creating the table for Authorization Server.
Parameter Name | Description |
|---|---|
type | Type of storage to be used. One of "file-based" or "database". Note! For "database", only PostgreSQL and Oracle are currently supported. |
file-based.storage-location | Location of the file-based storage; it is created if not found. Only used when storage type is set to "file-based". Note! For fresh installs, the last element of the path should not exist yet, as the Authorization Server creates it automatically. |
database.profile-name | The Database Profile Name in MZ to be used. Only used when storage type is set to "database". The value must include the directory name as shown in the desktop UI, e.g. "REST.PRF_DB" (see the example below the table). |
database.poolsize | The size of the connection pool, i.e. the number of database connections that are kept open and ready for use. Only used when storage type is set to "database". |
Example of a storage block using the Database Profile "REST.PRF_DB":
storage {
  database {
    profile-name="REST.PRF_DB"
  }
  type="database"
}
Server
The server configuration for the OAuth2 Service determines where the access token endpoint is hosted and how long issued access tokens remain valid.
Parameter Name | Description |
|---|---|
access-token-expiry | Validity period in seconds for access token generated. |
Management API
The Management API is used to provision scopes and register clients via HTTP. Clients need to be registered before any access token can be requested.
The Management API configuration is used to configure the base endpoint in the Authorization Server that will be used to host the Management API.
For more information on the function of Management API, see Management API.
Parameter Name | Description |
|---|---|
enable-basic-auth | Enables HTTP Basic Authentication for the Management API. Note! It is recommended to have |
username | Username for HTTP Basic Authentication (if enabled). |
password | Password for HTTP Basic Authentication (if enabled). Must be encrypted using the "mzsh encryptpassword" command. |
JWT
The Authorization Server generates the JSON Web Token (JWT) and requires the JWT to be digitally signed. Currently, only the RSA private/public key pair signing method is supported.
The JWT block is used to configure the keystore and the RSA private/public key pair details.
Parameter Name | Description |
|---|---|
keystore-location | Path to the keystore where the RSA private/public key pair used for JWT is stored. Only Java KeyStore (JKS) format is supported. |
keystore-password | Password of the keystore. Must be encrypted using "mzsh encryptpassword" command. |
key-id | Alias of the RSA private/public key pair used for JWT. |
key-password | Password of the RSA private/public key pair used for JWT. In the example above it is given in the same encrypted form as the keystore password. |
signature-algorithm | Signature algorithm to be used for JWT signing. Only RS256, RS384 and RS512 are supported. |
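The blocks above depend on each other: ec.name only matters when pico.type is "ec", the storage.type value selects which storage.* fields are read, the Management API and keystore passwords must be mzsh encryptpassword output rather than plaintext, and only RS256, RS384 and RS512 are accepted. The following Python script is an added example, not part of the product or of this page: it parses a properties file in the format shown at the top of this section and reports violations of those rules before the server is started. The sample files and their paths are constructed for the example, and recognising an encrypted value by the DR-4-<hex> shape of the example values on this page is an assumption (as is applying that check to jwt.key-password, which the page shows encrypted but does not document as such).

```python
# Lint an Authorization Server properties file against the cross-field rules on
# this page. Added example, not product code. Sample inputs are constructed; the
# "DR-4-<hex>" shape assumed for mzsh encryptpassword output is taken from the
# example values on this page and is an assumption.
import re

ALLOWED_ALGS = {"RS256", "RS384", "RS512"}
ENCRYPTED_RE = re.compile(r"DR-4-[0-9A-Fa-f]+")


def parse_properties(text):
    """key=value lines; '#' comments and blanks skipped; "quoted" values unwrapped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a key=value line: {raw!r}")
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # ec.name="" becomes the empty string
        props[key.strip()] = value
    return props


def lint(props):
    """Return a list of problems; an empty list means the file passes."""
    problems = []

    def require(key):
        if not props.get(key):
            problems.append(f"{key} is required but missing or empty")
        return props.get(key, "")

    def require_encrypted(key):
        value = require(key)
        if value and not ENCRYPTED_RE.fullmatch(value):
            problems.append(f"{key} is not in mzsh encryptpassword form")

    def positive_int(key):
        if not props.get(key, "").isdigit() or int(props[key]) < 1:
            problems.append(f"{key} must be a positive integer")

    pico = props.get("pico.type")
    if pico == "ec":
        require("ec.name")               # 'ec' needs a named execution container
    elif pico != "platform":
        problems.append("pico.type must be 'platform' or 'ec'")

    storage = props.get("storage.type")
    if storage == "file-based":
        require("storage.file-based.storage-location")
    elif storage == "database":
        require("storage.database.profile-name")
        positive_int("storage.database.poolsize")
    else:
        problems.append("storage.type must be 'file-based' or 'database'")

    positive_int("server.access-token-expiry")
    if props.get("management-api.enable-basic-auth") == "true":
        require("management-api.username")
        require_encrypted("management-api.password")

    require("jwt.key-id")
    if not require("jwt.keystore-location").endswith(".jks"):
        problems.append("jwt.keystore-location must be a JKS keystore")
    require_encrypted("jwt.keystore-password")
    require_encrypted("jwt.key-password")    # assumed from the example values
    if props.get("jwt.signature-algorithm") not in ALLOWED_ALGS:
        problems.append("jwt.signature-algorithm must be RS256, RS384 or RS512")
    return problems


# Constructed sample files. GOOD mirrors the example above; BAD has six deliberate
# mistakes: no ec.name, no profile-name, poolsize 0, plaintext Management API
# password, a non-JKS keystore, and an HMAC algorithm.
GOOD = """
pico.type=platform
ec.name=""
storage.type=file-based
storage.file-based.storage-location=/var/lib/mz/oauth2.storage
server.access-token-expiry=1800
management-api.enable-basic-auth=true
management-api.username=mzadmin
management-api.password=DR-4-6912EB66E4E5FDF6035DBF848195669A
jwt.key-id=selfsigned
jwt.key-password=DR-4-6912EB66E4E5FDF6035DBF848195669A
jwt.keystore-location=/etc/mz/keystore_server.jks
jwt.keystore-password=DR-4-6912EB66E4E5FDF6035DBF848195669A
jwt.signature-algorithm=RS256
"""
BAD = """
pico.type=ec
storage.type=database
storage.database.poolsize=0
server.access-token-expiry=1800
management-api.enable-basic-auth=true
management-api.username=mzadmin
management-api.password=plaintext-secret
jwt.key-id=selfsigned
jwt.key-password=DR-4-6912EB66E4E5FDF6035DBF848195669A
jwt.keystore-location=/etc/mz/keystore_server.p12
jwt.keystore-password=DR-4-6912EB66E4E5FDF6035DBF848195669A
jwt.signature-algorithm=HS256
"""
```

Run `lint(parse_properties(open(path).read()))` against the real file before restarting the pico; the GOOD sample returns an empty list, the BAD sample returns six messages. The HMAC check matters most: the server only signs with RSA, so a configuration or a token header naming an HS* algorithm should be rejected outright rather than tolerated.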