How to configure the OAuth2Client to test against Safewhere Identify OAuth2.0 application
Identify Configuration
Create an OAuth2.0 application with the following settings:
- Scopes: add the scopes that OAuth2Client will request (the ones listed in the OAuth2Client web.config key="Scope")
- Client ID: the ID that uniquely identifies this OAuth2.0 application
- Client secret: the secret code of the application
- Token endpoint authentication method: choose ClientSecretBasic
- Allowed Callback URIs: the URIs that Identify redirects to after successful authorization
- Application name: the name of the application
- Security token audiences: add the Resource Server URL to the audience list.
- Allow implicit flow: check this to allow users to authorize using the implicit flow
- Allow code flow: check this to allow users to authorize using the code flow
- JWS Algorithm: the algorithm to be used (RSASigning or HMACSymmetric)
- Token security mode: currently only "SigningOnly" is supported
- Token life time (minutes): the time in minutes that the user can use the token before it expires.
- Allow refresh token: check this to allow the user to refresh the token. In this case a button is shown on the OAuth2Client site that lets the user refresh the token.
- Refresh token life time (minutes): the time in minutes during which the user can refresh the token; each new token gets a fresh life time as set above. Once the refresh token life time has expired, the user can still use the current token until it expires but can no longer exchange it for a new one.
OAuth2Client configuration
Step 1: Download the sample source here: oauth2package
Step 2: Use IIS to create a sample site and add two applications that point to the two folders in the OAuth2Client package
- OAuth2Client -> OAuth2Client folder
- OAuth2ResourceServer -> OAuth2ResourceServer folder
- Application Pool should be .NET 4.0
Step 3: Modify the OAuth2Client and OAuth2ResourceServer web.config files according to your Identify server configuration.
Note:
- OAuth2Client: each scope (key="Scope") is separated by a space, e.g. "identify*scim info"
- OAuth2ResourceServer:
- Issuer: specify the Identify entityID configured in the system setup.
- SigningCertificateThumbprint: fill in the Safewhere Identify Signing Certificate Thumbprint
- URLs are case-sensitive
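As an added illustration (this is not code from the OAuth2Client package or from Safewhere Identify), the following Python script models the checks the OAuth2ResourceServer has to perform on a token issued with the Identify settings above: the signature, the Issuer (the Identify entityID), the audience (the Resource Server URL, compared case-sensitively), the requested scope and the Token life time, plus the Refresh token life time rule. HMAC-SHA256 stands in for the HMACSymmetric JWS algorithm; with RSASigning the signature check would instead use the certificate identified by SigningCertificateThumbprint. The URLs, the key, the scope names and the timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the page's settings (not real Identify values).
ISSUER = "https://identify.example.local/"                    # Identify entityID -> "Issuer"
AUDIENCE = "https://samples.example.local/OAuth2ResourceServer/"  # "Security token audiences"
SHARED_KEY = b"constructed-hmac-key-for-demo-only"             # HMACSymmetric signing key (assumed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, issuer, audience, scope, lifetime_minutes, now=None):
    """Model of the SigningOnly / HMACSymmetric case: a JWS whose exp is
    derived from the 'Token life time (minutes)' setting."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "scope": scope,
              "iat": now, "exp": now + lifetime_minutes * 60}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token, key, issuer, audience, required_scope, now=None):
    """The checks a resource server must perform before trusting a token.
    Returns (ok, reason) so callers can log why a token was rejected."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":            # never accept "none" or an unexpected alg
        return False, "unexpected alg"
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:               # must match the configured Issuer exactly
        return False, "wrong issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:                 # exact, case-sensitive URL comparison
        return False, "wrong audience"
    if now >= claims.get("exp", 0):               # Token life time exceeded
        return False, "expired"
    if required_scope not in claims.get("scope", "").split(" "):
        return False, "missing scope"
    return True, "ok"


def refresh_access_token(key, issuer, audience, scope, lifetime_minutes,
                         refresh_issued_at, refresh_lifetime_minutes, now):
    """'Refresh token life time' rule: an exchange is only possible inside the
    refresh window; afterwards the current access token stays usable until its
    own exp, but it can no longer be exchanged (returns None)."""
    if now >= refresh_issued_at + refresh_lifetime_minutes * 60:
        return None
    return issue_token(key, issuer, audience, scope, lifetime_minutes, now=now)


if __name__ == "__main__":
    t0 = 1_700_000_000                      # constructed clock value
    token = issue_token(SHARED_KEY, ISSUER, AUDIENCE, "identify*scim info", 60, now=t0)
    print(validate_token(token, SHARED_KEY, ISSUER, AUDIENCE, "identify*scim", now=t0 + 10))
    print(validate_token(token, SHARED_KEY, ISSUER, AUDIENCE.upper(), "identify*scim", now=t0 + 10))
    print(refresh_access_token(SHARED_KEY, ISSUER, AUDIENCE, "identify*scim info", 60,
                               t0, 120, now=t0 + 7200))
```

The `refresh_access_token` call in the usage section is made after the refresh window has closed, so it returns `None` while the original token is still rejected only once its own `exp` has passed; the uppercase-audience call shows why the note about case-sensitive URLs matters.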
Here is a configuration sample for the OAuth2ResourceServer web.config
To verify against the code flow, here is a configuration sample for the OAuth2Client web.config and the OAuth2.0 application setup:
- Connection tab
- Security tab
- Scope tab
To verify against the implicit flow, here is a configuration sample for the OAuth2Client web.config and the OAuth2.0 application setup:
- Connection tab
- Security tab
- Scope tab
In this sample, OAuth2Client base URL is https://samples.safewhere.local/OAuth2/
Test the samples
- Open the OAuth2Client samples using this URL: https://samples.safewhere.local/OAuth2/.
- Click on "Start authorization handshake" under "Code flow" to test the code flow, or "Start authorization handshake" under "Implicit flow" to test the implicit flow. In this scenario, choose to test the code flow.
- Select an authentication connection to authenticate with Identify before authorization.
- Once authentication is successful, Identify will grant authorization to OAuth2Client. Click the "Get token" button to obtain the token for authorizing the Resource Server.
- If "Allow refresh token" is checked in Identify and you are working with the "Code flow", there will be a "Renew token" button to refresh the token. (Note: This sample application only allows token renewal once.)