OAuth configuration guide
Set up authorization server
First you need to run the authorization_server application. Next you need to choose one of the following OAuth configurations:
- Basic
- AWS
- Okta
- Salesforce
- Azure
Postman collection: select the OAuth InfoConnect Hub folder to set up authorization.
Built-in OAuth authorization:
Steps needed to use built-in OAuth authorization:
1) Run authorization_server application
* Change 'basic' to 'oauth' in 'application.properties' at the path '/opt/info-connect-hub/config/' and uncomment the OAuth properties below.
```properties
auth.type = oauth
spring.oauth.resource.server.issue-uri=http://localhost:8081/
spring.oauth.resource.server.authority.admin=ROLE_admin
spring.oauth.resource.server.authority.user=ROLE_user
spring.oauth.resource.server.authority.claim=role
```
* Run the command 'sudo service auth-server start'.
* To enable OAuth autostart, you need to run the command 'sudo chkconfig auth-server on'.
* Now, you need to restart the Hub with the command 'sudo service info-connect-hub restart'.
2) After the application is running, open the Postman OAuth collection to obtain the code_verifier (used in the token request) and the code_challenge (used to generate the authorization code) –> built-in oauth folder:
- Choose “BUILT_IN:Get code verifier and code challenge” request.
3) Then open postman OAuth collection –> built-in oauth folder:
- Choose “BUILT_IN: Get oauth code” request.
- Copy code_challenge from the application console and paste it into the parameter of the same name in the request.
- Copy the request URL and paste it into your browser.
- Login by user or admin credentials.
- After signing in you will be redirected to the Spring page; in the URL, find the code parameter and copy its value.
- Choose “BUILT_IN: Get oauth token” request.
- Paste the code copied in the previous step into the parameter of the same name in the request; also copy code_verifier from the application console and paste it into the code_verifier request parameter.
- Send request and get access token.
- Using the “BUILT_IN: Validate OAuth token” request you can validate the received token.
4) Now you can use the access token to access the different endpoints of InfoConnect Hub.
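The code_verifier / code_challenge pair used in steps 2 and 3 is a PKCE exchange (RFC 7636, S256 method). The following is an added example, not code from the guide or the authorization_server project: it generates the pair, builds the authorization request and performs the check the token endpoint applies, so you can confirm that the values printed by the application console belong together. The authorize path, client_id and redirect_uri are placeholders (assumptions); only the issuer http://localhost:8081/ comes from the guide.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# The issuer http://localhost:8081/ is the one the guide configures; the authorize path,
# client_id and redirect_uri are placeholders (assumptions), not values from the guide.
AUTH_ENDPOINT = "http://localhost:8081/oauth2/authorize"
CLIENT_ID = "info-connect-hub-client"
REDIRECT_URI = "http://localhost:8080/login/oauth2/code/hub"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 chars, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(code_challenge: str, redirect_uri: str) -> str:
    """The 'Get oauth code' request: only the challenge is sent, the verifier stays on the client."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def verifier_matches(verifier: str, expected_challenge: str) -> bool:
    """What the server checks when 'Get oauth token' presents the verifier with the code."""
    return secrets.compare_digest(code_challenge_s256(verifier), expected_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("code_verifier: ", verifier)
    print("code_challenge:", challenge)
    print(build_authorize_url(challenge, REDIRECT_URI))
```

The token request fails if the verifier does not hash to the challenge sent earlier, which is why the two values must come from the same console run.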
AWS OAuth authorization:
Steps needed to use AWS OAuth authorization:
1) To configure AWS as an OAuth provider, open the AWS Console and select AWS Cognito.
2) Create User Pool
3) After creating the user pool, you need to create a user
4) Once you create a user, they will be displayed on the "Users" tab within your UserPool.
5) Now you need to create the "admin" and "user" groups on the “Groups” tab.
6) Once you create the groups, they will be displayed on the "Groups" tab within your UserPool.
7) After that, return to the "Users" tab, open the newly created user and add the user to the admin or user group.
8) To complete the request for obtaining a token, follow these steps:
- Copy the Client_ID of the App clients and analytics from the "App Integration" tab at the bottom.
- Copy the Callback URI that was created during the UserPool setup.
- Also, go to the "App Integration" tab and copy the Cognito domain from there. Append "/login" to the end of the Cognito domain URL.
9) To make everything work, you now need to go to the application where you obtained the Client_ID. Find the "Hosted UI" section and click on "Edit".
10) Find the "OAuth 2.0 grant types" section and select "Implicit grant" from the dropdown menu.
11) Now that we have added all the necessary information to the request, click on "Get new access token". Authenticate yourself by entering the login (email) and password of the user that we created. The token has been obtained.
12) To view the information contained in the token's payload, go to https://jwt.io/. There, you can paste the token and retrieve the information it contains.
13) After obtaining the information from the token's payload you need to configure application.properties of info-connect-hub application:
```properties
auth.type = oauth
spring.oauth.resource.server.issue-uri = {iss}
spring.oauth.resource.server.issue-uri_AWS = {iss}
# name of the attribute that contains the information about the user's group or role
spring.oauth.resource.server.authority.claim_AWS = {name}
spring.oauth.resource.server.authority.claim = {name}
# should correspond to the names of your groups in AWS
spring.oauth.resource.server.authority.admin = {ROLE_admin}
spring.oauth.resource.server.authority.user = {ROLE_user}
```
14) To validate the token, use the "AWS: Validate OAuth Token" request. In this request, pass the token as a parameter and also add the issUrl from the token as a parameter.
Okta OAuth authorization
Steps needed to use Okta OAuth authorization:
1) Go to "Applications" and select the "Applications" option from the menu.
2) Click Create App Integration.
3) Choose OIDC OpenID Connect and Web Application.
4) Create application
5) Now go to the Sign On tab and find OpenID Connect ID token. Then Edit -> Issuer -> Select Okta URL -> Save.
6) Now go to the "Directory" tab and select "Groups" from there.
7) Click Add group and set up a new group for admin and one for user.
8) Now we need to add the user to a specific group, and add the scope and claim that will carry the group/role information:
- Go to the group to which you need to assign someone.
- Click Assign people, then choose the user and click the plus button.
- Add a scope, which we'll name "role", where we'll later place the claims containing information about the user's group/role: go to the "Scopes" tab, click Add Scope and set up the scope.
- Go to the "Claims" tab and click Add Claim.
- Set up the claim:
  - name: name
  - filter: Match regex (admin | user)
  - Include in: the scope from the previous steps
9) Now, all that remains is to update the requests in the "Okta" folder of the Postman collection. Select the "Okta: Get OAuth Code" request, copy the "Sign-in redirect URIs" value and paste it into the "redirect_uri" parameter of the request. Copy the "client_id" and paste it into the "client_id" parameter of the request.
10) Copy the request and paste it into your browser, after which you will be redirected. From the address bar, copy the "code" parameter.
11) Paste the copied code into the "code" parameter of the "OKTA: Get OAuth Token" request. The other parameters:
* redirect_uri: the "Sign-in redirect URIs" value copied in the previous step
* client_id: found on the "General" tab
* client_secret: found on the "General" tab
12) Now decode your token using https://jwt.io/.
13) After obtaining the information from the token's payload you need to configure application.properties of info-connect-hub application:
```properties
auth.type = oauth
spring.oauth.resource.server.issue-uri = {iss}
spring.oauth.resource.server.issue-uri_OKTA = {iss}
# name of the attribute that contains the information about the user's group or role
spring.oauth.resource.server.authority.claim_OKTA = {name}
spring.oauth.resource.server.authority.claim = {name}
# should correspond to the names of your groups in OKTA
spring.oauth.resource.server.authority.admin = {ROLE_admin}
spring.oauth.resource.server.authority.user = {ROLE_user}
```
14) You can use the “OKTA: Validate oauth token” request, with the token in the body parameter, to validate the token.
Salesforce OAuth authorization
Steps needed to use Salesforce OAuth authorization:
1) After logging into Salesforce, click on the gear icon next to your profile (called Setup).
2) After that, go to the App tab under the Platform Tools category and select App Manager.
3) Click on "New Connected App".
4) Now configure the Connected App, for example as shown here:
* Enable OAuth Settings: true
* Selected OAuth Scopes: Access unique user identifiers (openid)
* Include custom attributes
* Include custom permissions
5) Now scroll down the page of the newly created Connected App and create a new Custom Attribute.
6) Create an attribute that will be based on the user's role (we will create the role in the next step).
7) To create a user role, navigate to the Administration directory and select Users -> Roles -> Add Role.
8) To add a role to a specific user:
- Click on the role to which you want to assign the user.
- Then click on "Assign Users to Role".
- In the dropdown menu labeled "Available Users Search", select "All Users".
- Select the user to whom you want to assign the role.
9) Go back to the created application and select "Manage Consumer Details" to obtain the client_id and client_secret.
10) Copy the client_id and client_secret and paste them into the respective fields of the SALESFORCE: Get OAuth Token request in the OAuth collection. Also, add the callback URL that you created during the configuration of the Connected App.
11) After generating the token, you will receive an Access token and an ID token. We will need the ID token for further work, as the Access token is not in JWT format. To decode the token, you can use https://jwt.io/.
12) After obtaining the information from the token's payload you need to configure application.properties of info-connect-hub application:
```properties
auth.type = oauth
spring.oauth.resource.server.issue-uri = {iss}
spring.oauth.resource.server.issue-uri_SALESFORCE = {iss}
# name of the parameter from which you want to retrieve the role/group information
spring.oauth.resource.server.authority.claim_SALESFORCE = {name}
spring.oauth.resource.server.authority.claim = {name}
# should correspond to the names of your groups in SALESFORCE
spring.oauth.resource.server.authority.admin = {ROLE_admin}
spring.oauth.resource.server.authority.user = {ROLE_user}
```
13) To validate the token, use the SALESFORCE: Validate OAuth Token request, passing your token, client_id and client_secret as parameters.
Azure AD OAuth authorization
Steps needed to use Azure OAuth authorization:
1) First, log in to Azure Active Directory.
2) In the Manage category, select "App registrations" -> "New registration".
3) You can use this configuration:
* Supported account type: Account in any organizational directory (Any Azure AD directory - Multitenant)
4) Then set the Application ID URI:
- Click the "Add" button next to "Application ID URI", and in the pop-up window click "Save".
5) Now switch to the "App roles" tab in the "Manage" directory.
6) Click on "Create app role".
7) Then create the role (you need to create roles for admin and user):
- Name: admin/user
- Allowed member type: Applications
- Value: admin/user
- Do you want to enable this app role?: true
8) Now we need to create a client for this application. Go to the “App registrations” tab.
9) Create a new application (for the 2 roles you need to create 2 client applications, one for the admin role and one for the user role):
- Name: name
- Supported account type: Account in any organizational directory (Any Azure AD directory - Multitenant)
10) Now we need to add API permissions. Go to the “Api permissions” tab -> "Add permission".
11) Choose My APIs and select your application created in the previous step (8). After that, you need to grant admin consent for
12) Now configure the client_id and client_secret. To do this:
* Go to the "Certificates and secrets" tab -> "New client secret".
* Copy the client_secret from the Value field and paste it into the client_secret parameter of the “AZUREAD: Get oauth token” request.
* Also copy the Application ID and paste it into the client_id parameter of the request.
* Now go to All apps by clicking on <your_organization>.
* Choose the app created first (in my case AzureADOauthExample) and copy its Application ID URI. Before pasting it into the request parameter, add /.default to this URI, for example: api://46cff864-a1fe-4566-b096-834dfa2ecfee/.default
13) Go to All applications, choose your client application -> "Endpoints".
14) Copy the OAuth 2.0 token endpoint (v2) URL and paste it into the AZUREAD: Get oauth token request field. Replace "organizations" with the value of the Directory ID.
15) Now you have obtained an Access token that can be decoded using https://jwt.io/.
16) After obtaining the information from the token's payload you need to configure application.properties of info-connect-hub application:
```properties
auth.type = oauth
spring.oauth.resource.server.issue-uri = {iss}
spring.oauth.resource.server.issue-uri_AZURE = {iss}
# name of the parameter from which you want to retrieve the role/group information
spring.oauth.resource.server.authority.claim_AZURE = roles
spring.oauth.resource.server.authority.claim = roles
# should correspond to the names of your app roles in AZURE
spring.oauth.resource.server.authority.admin = {ROLE_admin}
spring.oauth.resource.server.authority.user = {ROLE_user}
```
17) Azure does not currently provide a validation endpoint, but as they mentioned on their forums, they are actively working on it.
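Every provider section above ends the same way: decode the token at jwt.io, then set issue-uri, authority.claim, authority.admin and authority.user so they match what the token carries. The following added example (not code from the guide or from InfoConnect Hub) lets you run that comparison offline before restarting the hub: it decodes the payload the way jwt.io does, reads the properties block, and applies the mapping the properties describe. The issuer URL and the sample tokens are constructed; the claim is read as either a string or a list, since Azure app roles arrive as a "roles" array. The hub's own precedence rules are not documented here, so "admin checked first" is an assumption.

```python
import base64
import json

# Constructed sample: a placeholder issuer and an Azure-style properties block
# (claim "roles", app-role values "admin"/"user"); none of these values come from the guide.
ISSUER = "https://issuer.example/"
HUB_PROPERTIES = f"""
auth.type = oauth
spring.oauth.resource.server.issue-uri = {ISSUER}
spring.oauth.resource.server.authority.claim = roles
spring.oauth.resource.server.authority.admin = admin
spring.oauth.resource.server.authority.user = user
"""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Payload segment only, exactly what jwt.io displays. No signature check: use it to
    inspect a token against your properties, never to authorize a request."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_sample_token(payload: dict) -> str:
    """Constructed token with a dummy signature, for offline testing of the mapping only."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.{_b64url_encode(b'dummy')}"


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: 'key = value' lines, '#' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def resolve_authority(token: str, props: dict):
    """Assumed semantics of the properties (not the hub's code): reject a foreign issuer,
    read the configured claim (string or list), return 'admin', 'user' or None."""
    prefix = "spring.oauth.resource.server."
    payload = decode_jwt_payload(token)
    if payload.get("iss") != props[prefix + "issue-uri"]:
        return None
    claim = payload.get(props[prefix + "authority.claim"])
    values = claim if isinstance(claim, list) else [claim]
    if props[prefix + "authority.admin"] in values:
        return "admin"
    if props[prefix + "authority.user"] in values:
        return "user"
    return None
```

A result of None for a token you expect to be accepted usually means the iss value or the claim name in the properties does not match the decoded payload exactly, including a trailing slash on the issuer.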