Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Introduction

Like all SOAJS microservices, OAuth microservice has different layers of configuration. Local configuration, tenant-level configuration if the microservice is a multitenant one, and registry configuration. Moreover, OAuth can have a custom separate database for tokens and users. 


Configuration Layers

1 - Tenant configuration

Provisioning is a configuration that all SOAJS micro-services can acquire once you turn on multi-tenant for them. Once a service becomes multi-tenant, you can provide custom tenant configuration to it at run time. If you have 2 tenants that can access the oAuth service, then the provisioned configuration for each tenant will be loaded once that tenant invokes an API in oAuth.

The below configuration is supported by the oAuth micro-service and can be configured & changed at the tenant level under the Manage Pillar.

Code Block
languagejs
titleConfiguration Sample
linenumberstrue
collapsetrue
{
    _id: "%tenant_id%",
    ...
    oauth: {
        secret: "tenant_oauth_secret",
        pin: {
            "%product_name%": {
                enabled: true
            }
        },
        disabled: 0, //OAuth enabled or not
        type: 2,//OAuth type
        loginMode: "%login_mode%"
    },
    ....
}

Follow the Configuration Steps to add and update tenant configuration for OAuth


You can change the values of the below variables to customize secret, type, and loginMode


NameTypeDescriptionExample
secretStringOAuth secret variable"secret"
typeNumberOAuth type1 or 2
loginModeStringOauth Login ModeURAC or miniURAC




2 - Environment configuration (registry)

This configuration is on the environment level. OAuth configuration can be added from SOAJS Console.

Code Block
languagejs
titleConfiguration Sample
linenumberstrue
collapsetrue
{
	_id: "%environment_id%",
	services: {
		...
		config: {
			...
			oauth: {
				grants: [
					"password",
					"refresh_token"
				],
				debug: false,
				getUserFromToken: true,
				accessTokenLifetime: 7200),
				refreshTokenLifetime: 1209600
			},
			...
		}
	}
}

Follow the Configuration Steps to add and update environment configuration for OAuth


You can change the values of the below variables to customize grants, debug, getUserFromToken, accessTokenLifetime, and refreshTokenLifetime


NameTypeDescriptionExample
grantsArrayGrant types["password"]
debugBooleanDebugfalse or true
getUserFromTokenBooleanallow to get information about user directly from tokenfalse or true
accessTokenLifetimeNumberaccess token lifetime7200
refreshTokenLifetimeNumberrefresh token lifetime1209600




3 - Custom registry configuration

SOAJS oAuth supports pin login.

So what is is pin login? think of it as a fast way to login by entering a code without the need to enter the complete login information each time aka (email and password).

When is this useful? this is useful in many cases, for example in the hospitality business you might want to turn on pin login so employee can easily key in a code and quickly access the system.

Can i control the code length and type? yes check out SOAJS URAC pin configuration 

Wrap the pin login API

If you decide not to consume the SOAJS oAuth pin API directly and add a wrapper around it, you will need to configure the wrapper at the custom registry level:

create under custom registry an entry with the following label: oauth

Code Block
languagejs
titlepin wrapper
{
...
	pinWrapper: {
		"servicename": "myauthentieator",
		"apiname": "/pin"
	}
...
}

Pin Login Whitelist APIs

pin login is protected by accessToken which means a user with the right to trigger pin login must login first (we call this first login). Once logged in, the accessToken from the first login is used to trigger a pin login. The accessToken from the first login can only be used to request pin login. Once pin login is request and pin code is valid, an accessToken is provided and that accessToken must be used to access the APIs.

SOAJS provides the ability to whitelist APIs that can be requested by using the first login accessToken.

create under custom registry an entry with the following label: oauth

Code Block
languagejs
titlepin whitelist
{
...
	pinWhitelist: {
		"servicename": {
			"method": {
				"apis": ["api1, api2", ...],
				"regex": ["for api with path param use regex", "/device/:id", ...]
			},
			...
		},
		"shoppingcart": {
			"get": {
				"apis": ["/cart", "/items"]
			}, 
			"post": {
				"apis": ["cart/item"]
			}
			...
		}
		...
	}
...
}


Note
titleno Pin Login

Please note that if pin Login is not turned on, a user will  login by just providing an email and a password as credentials. if the credentials are correct an accessToken is provided and that accessTOken must be used to access all the protect APIs. It is an exact behavior like a normal oauth2.0 service

Roaming 

SOAJS oAuth provide the ability to roam between any environment and a soajs environment. This is very helpful if you want to create an environment and you want to offset all kind of authentication and authorization to SOAJS oAuth.

All what you have to do is the following:

1- add under custom registry an entry with the following label: oauth

Code Block
languagejs
titleroaming ip whitelist
{
...
	"roaming": {
		"services": {
			"servicename": {
				"whitelistips": ["127.0.0.1"]
			}
		}
	}
...
}

2- call the service but add to the header of your request "soajsroaming" to be true

Valid Response

Code Block
languagejs
titleValid Response Sample
linenumberstrue
collapsetrue
{"result":true,"data":true}

Invalid Response

Code Block
languagejs
titleError Response Sample
linenumberstrue
collapsetrue
{"result":false,"errors":{"codes":[165],"details":[{"code":165,"message":"Roaming: Unable to login roamed user!"}]}}


Note
titlesoajsinjectobj

If the response is a valid one, the soajsinjectobj will be available in the header and by using soajs middleware you will be able to access its information from the request context



4 - Separate Database for tokens and users

OAuth can have a separate database that can be added from Deploy tab in SOAJS Console → Databases


Follow the Configuration Steps below to create a database for OAuth

The database should have the name "oauth" to be used.


4

5 - Tenant Key Configuration (provision)


Info
titleLocation

In provision - key configuration


Code Block
languagejs
titleIn Provision Config sample
linenumberstrue
collapsetrue
oauth: {
	loginMode: "urac", //oauth login mode,
	roaming: {
		whitelistips: [
			"192.168.0.1",
			"127.0.0.1"
		]
	},
	passportLogin: { // 3rd party integrations using passport
	    "github": {...},
		"facebook": {...},
		"twitter": {...},
		"google": {...},
	},
	azure: {...},
	openam: {...},
	ldapServer: {...}
}               

Follow the Configuration Steps to add and update the key configuration for OAuth


You can change the values of the below variables to customize loginMode and passportLogin


NameTypeDescriptionExample
loginModeStringOauth Login ModeURAC or miniURAC
roamingObjectThe object contains whitelistips which is an array of strings
roaming: {
whitelistips: [
"192.168.0.1",
"127.0.0.1"
]
}

local

ObjectTo control local login behavior, usually you need this when you turn on third party login and you want to control local login behavior. In the example, local login is not available but username "owner" can still use it 
{
available : false,
whitelist: ["owner"]
}
passportLoginObjectIncludes configuration of Facebook, Twitter, Google, and Github in case of 3rd party integrationDetails and examples in Passport LoginStrategies
azureObjectAzure configuration object Details and examples in /wiki/spaces/OAUT/pages/1433927681

openam

Objectopen-source access management configurationDetails and examples in OpenAM login

ldapServer

Objectactive directory login configurationDetails and examples in LDAP




Passport LoginStrategies: Define application keys for passport integration. Currently supporting Github, Twitter, Facebook, and Google. Go to the link for more information and an example of the configuration.

/wiki/spaces/OAUT/pages/1433927681: Azure Active Directory Authentication Libraries allow the integration with Azure AD.

OpenAM login: SSO (Single Sign-On).

LDAP (Lightweight Directory Access Protocol) login: Active directory login.