How to configure the OAuth2Client to test against Safewhere*Identify OAuth2 Protocol Connection


Identify Configuration

Create an OAuth2 Protocol connection with below configurations:

  • Scopes: add the scopes that the OAuth2Client will request (specified in the OAuth2Client web.config key "Scope")
  • Client ID: the unique ID across OAuth2 Protocol Connections
  • Client secret: the secret code
  • Redirect url: the URL to which Identify redirects after authorization succeeds
  • Application name: name of the application
  • Set the audience field of tokens which are issued for the application to: Resource Server URL
  • Allow implicit flow: check this to allow the user to authorize using the implicit flow
  • Allow code flow: check this to allow the user to authorize using the code flow
  • Use as OpenId Connect: the connection will issue a JWT token according to the OpenId Connect spec, and the UserInfo endpoint will be accessible to query for the user's claims.
  • JWS Algorithm: the algorithm to be used, valid for JWT access tokens only. Future SAML2 tokens don't need this setting. Currently only "RSASigning" is supported
  • Signing and Encryption: value = {Signing, Encryption, SigningAndEncryption}. Currently only "Signing" is supported
  • Token life time (minutes): time in minutes that the user can use the token before it expires.
  • Allow refresh token: check this to allow the user to refresh the token. In this case there will be a button on the OAuth2Client site to allow the user to refresh the token
  • Refresh token life time (minutes): time in minutes during which the user can refresh the token; the new token gets the life time set above. After the refresh token has expired, the user can only use the token until it expires.

OAuth2Client configuration

  1. You can download the sample source here: oauth2package
  2. Using IIS, create a sample site and add two applications pointing to the two folders in the OAuth2Client package:
  • OAuth2Client -> OAuth2Client folder
  • OAuth2ResourceServer -> OAuth2ResourceServer folder
  • The Application Pool should be .NET 4.0
  3. Modify the OAuth2Client and OAuth2ResourceServer web.config files according to your Identify server configuration.

Note:

  • OAuth2Client: each scope (key "Scope") is separated by a space, e.g. "identify*scim info"
  • OAuth2ResourceServer:
    • Issuer: specify the Identify entityID from the system setup.
    • SigningCertificateThumbprint: fill in the Safewhere Identify Signing Certificate Thumbprint
  • URLs are case-sensitive
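The following is an added example, not code from the Safewhere sample package, showing what the OAuth2ResourceServer has to check with the three values above before it trusts an access token: the issuer (Identify's entityID), the signature (the certificate found by the configured thumbprint) and the audience (the Resource Server URL set on the connection), plus the token lifetime. The appSettings key names "Issuer" and "SigningCertificateThumbprint" come from the notes above; "Audience" is an assumed key, and the JWT handling assumes the System.IdentityModel.Tokens.Jwt NuGet package (5.x namespaces).

```csharp
// Added example: validating a JWT access token issued by Identify on the resource server side.
// Assumes appSettings keys "Issuer" and "SigningCertificateThumbprint" (from the page) and
// "Audience" (assumed), and the System.IdentityModel.Tokens.Jwt 5.x package.
using System;
using System.Configuration;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

public static class IdentifyTokenValidator
{
    // Look the Identify signing certificate up in the LocalMachine\My store by thumbprint.
    // validOnly: false so a self-signed test certificate is still found; the signature check
    // below still rejects any token not signed with the key behind this thumbprint.
    static X509Certificate2 LoadSigningCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint.Replace(" ", ""), validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("Signing certificate not found: " + thumbprint);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Returns the validated principal, or throws SecurityTokenException on any failed check.
    public static ClaimsPrincipal Validate(string accessToken)
    {
        string issuer = ConfigurationManager.AppSettings["Issuer"];
        string thumbprint = ConfigurationManager.AppSettings["SigningCertificateThumbprint"];
        string audience = ConfigurationManager.AppSettings["Audience"]; // assumed key

        var parameters = new TokenValidationParameters
        {
            // Must match the Identify entityID exactly (string comparison, case-sensitive).
            ValidIssuer = issuer,
            ValidateIssuer = true,
            // Must match the "audience" value configured on the OAuth2 Protocol Connection,
            // i.e. the Resource Server URL; a token issued for another application is rejected.
            ValidAudience = audience,
            ValidateAudience = true,
            // Signature is checked against the public key of the configured certificate only.
            IssuerSigningKey = new X509SecurityKey(LoadSigningCertificate(thumbprint)),
            ValidateIssuerSigningKey = true,
            // Enforces the "Token life time (minutes)" configured in Identify.
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };

        var handler = new JwtSecurityTokenHandler();
        SecurityToken validatedToken;
        return handler.ValidateToken(accessToken, parameters, out validatedToken);
    }
}
```

Call `IdentifyTokenValidator.Validate(bearerToken)` in the resource server's request handling and reject the request on any exception. Because the page states that URLs are case-sensitive, the issuer and audience strings in web.config must be copied exactly as Identify issues them; a mismatch in case or a trailing slash shows up here as an issuer or audience validation failure rather than a signature failure.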

Here is the configuration sample for the ResourceServer web.config

[Screenshot omitted: ResourceServer web.config configuration sample]

If you want to verify against the code flow, here is configuration sample for the OAuth2Client web.config and the OAuth2.0 connection setup:

[Screenshot omitted: OAuth2Client web.config and OAuth2.0 connection setup for the code flow]

If you want to verify against the implicit flow, here is configuration sample for the OAuth2Client web.config and the OAuth2.0 connection setup:

[Screenshot omitted: OAuth2Client web.config and OAuth2.0 connection setup for the implicit flow]

In this sample, my OAuth2Client base URL is https://samples.safewhere.local/OAuth5/

Test the samples

  1. Open the OAuth2Client sample using the URL: https://samples.safewhere.org/OAuth5
  2. Click on "Start authorization handshake" under "Code flow" if you want to test the code flow, or "Start authorization handshake" under "Implicit flow" if you want to test the implicit flow
  3. Select an authentication connection to authenticate with Identify before authorization, and allow consent if requested.
  4. Once the authentication is successful, Identify will grant authorization to OAuth2Client and a "Get token" button will appear; click on it to get the token for authorizing against the Resource Server
  5. If "Allow refresh token" is checked in Identify and you are working with the "Code flow", there will be a "Renew token" button to allow the user to refresh the token. (Note: this sample application only allows the token to be renewed once)