Overview
This article describes step by step how to configure OAuth 1.0/2.0 in Aurea Intermediary (AI) in order to protect an Access Point used in a Service Group.
The following steps assume a local installation of Intermediary, local Intermediary users, and a self-signed SSL certificate. Postman is used as the test OAuth client.
Solution
Notes:
- OAuth 2.0 is available only for REST. It is not available for SOAP services, because OAuth is a REST standard; this is why it is not considered an Aurea Intermediary limitation.
- If you still try to use OAuth 1.0 with SoapUI, read the article "OAuth 1.0 token request fails with 405 Method not allowed" for a possible workaround.
- Open the Aurea Monitor Intermediary console (http://localhost:4400/sst/admin).
- Create a local AI user (e.g. myoauthuser) and add it to a user role (e.g. myOAuthRole).
  - User creation URL (Security Configuration -> CX Monitor Users): http://localhost:4400/sst/admin/securityconfig/users/users_list.jsp
  - User roles URL (Roles -> Roles): http://localhost:4400/sst/admin/usersroles/roles_list.jsp
- Enable OAuth.
  - OAuth 1.0 settings URL: http://localhost:4400/sst/admin/securityconfig/oauth10/oauth_settings.jsp
  - OAuth 2.0 settings URL: http://localhost:4400/sst/admin/securityconfig/oauth20/oauth_settings.jsp
  - Detailed steps for OAuth 2.0:
    - Go to Security Configuration -> OAuth 2.0 Settings -> Configure.
    - Click Enable OAuth 2.0 Support.
    - You can leave the default Authorization Endpoint URL, or customize it if you want.
    - Click OK.
    - Under OAuth 2.0 -> Clients the Add button should now be visible.
- Create a REST security contract that uses your OAuth 1.0/2.0 configuration.
  - Go to Security Contracts -> Access Point Contracts -> Add.
  - Select REST SecurityPolicy.
  - Enter a name for your Contract Identity (e.g. RestOAuthContract) and click Next.
  - If you want to Validate Against Schema, select the checkbox; otherwise just click Next.
  - On the Credential Requirement screen, click Add, select OAuth 2.0 Token, and click Next.
    Important: this is the step where you configure the OAuth 2.0 token collector. If it is not configured, the Scopes cannot be defined later for the OAuth Application.
  - For Credential Type select OAuth 2.0 Token, and click Next.
  - On the Authentication Service screen, select OAuth 2.0 Authenticator in the list on the left, click Add to move it to the list on the right (Supported Authentication Providers), and then click Next.
  - You can leave the OAuth 2.0 Authorizer unchecked (blank); click Finish.
  - Click Done.
- Configure your REST service group.
  - Go to Service Groups -> Service Groups -> Add Service Group.
  - While adding/configuring the service:
    - select HTTPS as transport;
    - assign the REST security contract created previously.
- Configure an OAuth Application and configure the permissions for your REST service group.
  - Go to OAuth 2.0 (or 1.0) -> Applications -> Add.
  - Configure Resource Owner Authenticators. For this test configuration you can select Native Aurea Monitor Intermediary User Directory.
  - Configure the Scopes (select the Service Group you created).
    Note: Some customers reported that when using Firefox and trying to select Scopes (clicking on "No Item Selected" in the Operations column), the Options pop-up is blank (it does not list the Service Groups). The same customers reported that Scopes selection works fine in Chrome.
- Create an OAuth Client to be able to set a key and secret. Later this will be used by your client to request a token.
  - Go to OAuth 2.0 (or 1.0) -> Clients -> Add. The direct URLs to access this page are:
    - OAuth 1.0: http://localhost:4400/sst/admin/oauth/v10/oauth_client_list.jsp
    - OAuth 2.0: http://localhost:4400/sst/admin/oauth/v20/oauth_client_list.jsp
  - As OAuth Application, use the one created in the previous step.
  - Provide the JWT key and secret (Resource Owner UserName and Password).
- Get your existing certificate (needed for the next step) or create a self-signed certificate for your AI install, e.g.:
  keytool -genkey -keyalg RSA -alias localhost -keystore selfsigned.pfx -validity 3600 -keysize 512 -deststoretype pkcs12
  Note that current Java runtimes and browsers reject RSA keys shorter than 1024 bits, so use -keysize 2048 unless you are testing against an old JDK.
- Configure the AI https transport to use this certificate.
  - Intermediary 10.x: add the certificate here: http://localhost:4400/appsrv/admin/certificates/cert_list.jsp and then reference this certificate on the https transport: http://localhost:4400/appsrv/admin/listeners/transports_list.jsp (it is assumed that port 4430 is used for HTTPS).
  - Intermediary 11.x and later: add the certificate here: http://localhost:4040/lgserver/admin/configure/certificate/key_certificate_list.jsp and then reference it on the https transport of your Intermediary profile, e.g. http://localhost:4040/lgserver/admin/services/profile/profile_details.jsp?task=edit&keyID=IntermediaryDefaultProfile
- Connect to the https URL of your AI, e.g. https://localhost:4430/sst
- Export the public certificate (e.g. from your browser when you connect to the https transport of AI) to a local file (e.g. localhost.cer).
- If you use a self-signed certificate, add this certificate to the trusted certificate authority (CA) repository of the Java runtime used for your client (e.g. SoapUI). The default keystore password may be changeit. E.g.:
  keytool -import -trustcacerts -alias localhost -file D:\localhost.cer -keystore C:\soapUI-5.4.0\jre\lib\security\cacerts
  For Postman you can instead disable SSL certificate verification in the Settings for this local test; Postman then accepts any server certificate, so re-enable it when you are done.
- Start Postman. (The instructions from this step onward are specific to Postman. If you are using a different client to test your OAuth settings, adapt these steps accordingly.)
- Create a request (for URL details refer to the WADL of the OAuth-protected access point that you configured).
  - Configure OAuth authentication for the REST request (in Postman, on the Authorization tab of the request).
  - Use the Client ID and Secret that you configured in your OAuth Client configuration.
  Sample config:
  - For the URLs, make sure you use HTTPS. Any URL can be used for the Redirect URL field (e.g. http://www.aurea.com), as Postman does not use it.
    - For OAuth 1.0:
      - https://localhost:4430/sst/oauth10/initiate
      - https://localhost:4430/sst/oauth10/authorize
      - https://localhost:4430/sst/oauth10/access_token
    - For OAuth 2.0:
      - https://localhost:4430/sst/oauth20/authorize
      - https://localhost:4430/sst/oauth20/token
  - Get a new access token (in Postman click "Get New Access Token" on the Authorization tab). A window pops up where you enter the AI user and password that you created earlier (e.g. myoauthuser). Select the permissions (scope) that you created to call your REST service. This defines which services can be called by this client using the token you will get.
- Now you should have an access token.
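The exchange Postman performs in the step above, written out as an added example that is not part of this article or of Aurea's code: a small authorization-code client for the oauth20/authorize and oauth20/token endpoints listed above, using only the Python standard library. It assumes the endpoints follow the standard RFC 6749 authorization code grant (client secret sent via HTTP Basic, JSON token response), that the OAuth Client is registered with the redirect URL http://localhost/callback so the code can be copied from the browser address bar, and that localhost.cer is the certificate exported earlier, which is trusted directly instead of disabling certificate verification.

```python
# Added example, not Aurea's code: OAuth 2.0 authorization-code client for the
# Intermediary endpoints above, standard library only.
# Assumptions: RFC 6749 semantics, client secret via HTTP Basic, JSON token
# response, redirect URL http://localhost/callback registered on the OAuth Client.
import base64
import json
import ssl
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://localhost:4430/sst/oauth20/authorize"
TOKEN_URL = "https://localhost:4430/sst/oauth20/token"
REDIRECT_URI = "http://localhost/callback"  # assumed; must match the OAuth Client config
CA_FILE = "localhost.cer"  # certificate exported from the AI https transport (PEM/Base64 format)

def build_authorize_url(client_id, scope, state):
    """Authorization request the resource owner opens in the browser (RFC 6749 4.1.1).
    Keep `state` and compare it with ?state= on the redirect before using the code."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

def build_token_request(client_id, client_secret, code):
    """Token request (RFC 6749 4.1.3): the secret goes in the Basic header, never in the URL."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
                                   "redirect_uri": REDIRECT_URI}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return body, {"Authorization": "Basic " + basic,
                  "Content-Type": "application/x-www-form-urlencoded"}

def tls_context(cafile=CA_FILE):
    """Trust only the exported self-signed certificate instead of disabling verification."""
    return ssl.create_default_context(cafile=cafile)

def exchange_code(client_id, client_secret, code, ctx=None):
    """POST the code to the token endpoint and return the access token."""
    body, headers = build_token_request(client_id, client_secret, code)
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx or tls_context()) as resp:
        return json.load(resp)["access_token"]

def call_resource(url, access_token, ctx=None):
    """Call the protected Access Point with the bearer token; returns (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, context=ctx or tls_context()) as resp:
        return resp.status, resp.read().decode()
```

Open the URL from build_authorize_url in a browser, log in as the AI user and approve the scope, then pass the code from the redirect to exchange_code and the returned token to call_resource.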
- Send the request to the REST resource.
- Done. You have verified your OAuth configuration.