Setting up an OAuth 2.0 Authorization Server
This chapter explains how to set up an OAuth 2.0 Authorization Server. There is no dedicated pattern for this case, but you can use standard nevisAuth patterns. Here, we use the following patterns:
- Generic Authentication Step: This pattern configures an AuthorizationServer AuthState. Check the nevisAuth documentation for further information.
- Standalone Authentication Flow: This pattern exposes the Generic Authentication Step pattern on a nevisProxy virtual host.
Preconditions
- nevisMeta is set up. For more information, see the chapter Setting up a nevisMeta Instance.
- The nevisAuth host is able to reach the nevisMeta API.
- The OAuth 2.0 setup is defined:
- The OAuth 2.0 setup is defined with the nevisMeta Web Console pattern.
- The ID of the setup is available; it is needed to configure the AuthorizationServer AuthState.
- An Authentication Realm pattern is available to host the Authorization Server.
- As part of the Authentication Realm pattern's settings, an initial authentication flow is specified in the Initial Authentication Flow field/property. This flow is invoked when the user is not yet authenticated. The same flow is used later on, when you configure the Generic Authentication Step pattern.
Quick Start
This quick start shows how to set up an OAuth 2.0 Authorization Server. This quick start is kept as simple as possible for illustration purposes.
Be aware of the following potential issues:
- The user will not be asked for confirmation if no ConsentState AuthState is configured.
- Check the nevisAuth technical documentation for details.
- You may have to configure key management, because:
- The AuthorizationServer AuthState uses signer key material.
- nevisAuth must be able to call nevisMeta. For this, set the Nevis SecToken Trust property of the nevisMeta Instance pattern.
- As input for the AuthState(s): Parameters field in the Generic Authentication Step pattern, you may want to use a variable and define the values in the inventory. See the pattern's Help tab for details.
Perform the following steps:
- Add a Generic Authentication Step pattern. Configure the pattern as follows:
- Configure the AuthorizationServer AuthState in the AuthState(s): direct input field. Use the configuration from the code block below.
- Use the AuthState(s): Parameters field to externalize an environment-specific configuration, such as:
- the host name of nevisMeta, or
- the ID of the OAuth 2.0 setup in nevisMeta.
- The Additional Follow-up Steps field defines the first step of the initial authentication flow. This step is executed if the user is not authenticated yet.
- Use the same authentication flow as the one in the Initial Authentication Flow field of the relevant Authentication Realm pattern. You configured this pattern as a precondition (see the section Preconditions above).
- Add a Standalone Authentication Flow pattern. Configure the pattern as follows:
- Assign a nevisProxy virtual host to the Virtual Host field.
- Enter a frontend path in the Frontend Path field.
- Assign the previously configured authentication realm to the Authentication Realm field (see also the section Preconditions).
- Assign the Generic Authentication Step pattern that you created in step 1 to the Authentication Flow field.
AuthState(s): direct input
<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.oauth2.AuthorizationServer" final="false">
    <ResultCond name="authenticate:valid-authorization-request" next="${state.exit.1}"/> <!-- execute the first assigned Additional Follow-Up Step -->
    <ResultCond name="invalid-authorization-request" next="${state.failed}"/>
    <ResultCond name="invalid-client" next="${state.failed}"/>
    <ResultCond name="invalid-redirect-uri" next="${state.failed}"/>
    <ResultCond name="invalid-token-request" next="${state.failed}"/>
    <ResultCond name="server-error" next="${state.failed}"/>
    <ResultCond name="stepup:valid-authorization-request" next="${state.done}"/>
    <property name="keyobjectref" value="DefaultSigner"/>
    <property name="keystoreref" value="DefaultKeyStore"/>
    <property name="dataSource" value="nevismeta"/>
    <property name="nevismeta.location" value="https://${param.meta}:8996/nevismeta/rest/modules/oauthv2/setups/Setup_${param.setup_id}/entities"/>
</AuthState>
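The following script is an added example and is not part of the nevisAdmin documentation or the nevisAuth product. It lints the AuthState definition above before it is deployed: it resolves the ${param.*} placeholders that step 1 externalizes via the AuthState(s): Parameters field (the parameter names meta and setup_id come from the block above; the sample values are constructed), and then checks the security-relevant invariants of the definition, namely that every error result condition ends in ${state.failed} (so a rejected client or an unvalidated redirect URI can never reach a success exit), that the key material and data source properties are present, and that nevismeta.location is an https URL with a host. The ${state.*} placeholders are left for nevisAdmin to resolve.

```python
"""Lint an AuthorizationServer AuthState definition before deployment.

Added example, not nevisAdmin or nevisAuth code. It assumes the AuthState XML
has the shape shown in the chapter (ResultCond and property children) and that
${param.X} placeholders are filled from the pattern's Parameters field. The
parameter values used here are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the AuthState definition from the chapter, placeholders unresolved.
AUTHSTATE_XML = """
<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.oauth2.AuthorizationServer" final="false">
    <ResultCond name="authenticate:valid-authorization-request" next="${state.exit.1}"/> <!-- first Additional Follow-Up Step -->
    <ResultCond name="invalid-authorization-request" next="${state.failed}"/>
    <ResultCond name="invalid-client" next="${state.failed}"/>
    <ResultCond name="invalid-redirect-uri" next="${state.failed}"/>
    <ResultCond name="invalid-token-request" next="${state.failed}"/>
    <ResultCond name="server-error" next="${state.failed}"/>
    <ResultCond name="stepup:valid-authorization-request" next="${state.done}"/>
    <property name="keyobjectref" value="DefaultSigner"/>
    <property name="keystoreref" value="DefaultKeyStore"/>
    <property name="dataSource" value="nevismeta"/>
    <property name="nevismeta.location" value="https://${param.meta}:8996/nevismeta/rest/modules/oauthv2/setups/Setup_${param.setup_id}/entities"/>
</AuthState>
"""

# Constructed values standing in for the Parameters field / inventory (hypothetical host).
SAMPLE_PARAMS = {"meta": "nevismeta.example.internal", "setup_id": "1"}

# Result conditions that must never continue the flow.
MUST_FAIL = {
    "invalid-authorization-request",
    "invalid-client",
    "invalid-redirect-uri",
    "invalid-token-request",
    "server-error",
}
REQUIRED_PROPS = ("keyobjectref", "keystoreref", "dataSource", "nevismeta.location")


def resolve_placeholders(text, params):
    """Replace ${param.X} with params[X]; ${state.*} is left for nevisAdmin to fill."""
    def sub(match):
        key = match.group(1)
        if key not in params:
            raise KeyError(f"unresolved parameter: {key}")
        return params[key]
    return re.sub(r"\$\{param\.([A-Za-z0-9_]+)\}", sub, text)


def lint_authstate(xml_text, params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(resolve_placeholders(xml_text, params).strip())
    if root.tag != "AuthState":
        return ["root element is not AuthState"]
    if not root.get("class", "").endswith(".oauth2.AuthorizationServer"):
        findings.append("class is not the AuthorizationServer AuthState")

    # Every error outcome has to terminate in the failed state.
    conds = {rc.get("name"): rc.get("next") for rc in root.findall("ResultCond")}
    for name in sorted(MUST_FAIL):
        if name not in conds:
            findings.append(f"missing ResultCond {name}")
        elif conds[name] != "${state.failed}":
            findings.append(f"ResultCond {name} routes to {conds[name]}, expected ${{state.failed}}")

    # Signer key material, data source and the nevisMeta endpoint must be configured.
    props = {p.get("name"): p.get("value") for p in root.findall("property")}
    for required in REQUIRED_PROPS:
        if required not in props:
            findings.append(f"missing property {required}")
    location = props.get("nevismeta.location")
    if location:
        url = urlparse(location)
        if url.scheme != "https":
            findings.append("nevismeta.location must use https")
        if not url.hostname:
            findings.append("nevismeta.location has no host")
    return findings


if __name__ == "__main__":
    for finding in lint_authstate(AUTHSTATE_XML, SAMPLE_PARAMS) or ["OK"]:
        print(finding)
```

Run it against the definition you actually intend to deploy; any finding means the routing or the nevisMeta endpoint differs from the configuration shown in this chapter and should be reviewed before the Standalone Authentication Flow pattern exposes the Authorization Server.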
The following figure shows the required patterns in an example configuration: