Configuring an application client for MibAuthorizationServer
The MibAuthorizationServer application's main responsibility is to act as a general-purpose authentication and authorization service for the other Mib applications. It does so by implementing OAuth 2.0 through the IdentityServer library, which lets it authenticate users and authorize the Mib client applications that act on their behalf.
The two grant types implemented by the MibAuthorizationServer's OAuth service are Authorization Code, which is the more secure of the two and is used by applications such as MibServer3, and Resource Owner Password Credentials, which is used by API clients such as MibServerApi, the File Management Microservice and the Authorization Server itself. In both cases, configuring a client has two parts: creating an entry in the database and setting the client application's environment variables.
Resource Owner Password
Resource Owner Password grants are used in two scenarios: to authenticate an external API client (such as MibServerApi), or to authenticate the MibAuthorizationServer itself. Because this grant hands the user's username and password to the client application, it is reserved for first-party API clients; user-facing applications use the authorization code grant described below.
To register an API client with this grant type, add a row to the API_CLIENTS table, which is created by the default migrations of the AuthorizationServer application. The most important columns are:
- OAUTH_CLIENT_ID -> identifies the API client
- OAUTH_CLIENT_SECRET -> the confidential password with which the client authenticates itself. It should be a randomly generated value unique to each client and must not be committed to source control
- OAUTH_CLIENT_TYPE -> defines the grant type to be used. For the Resource Owner Password grant type, it must be set to 3
Once the row exists, all that remains is to set the environment variables of the client application. There are two configuration scenarios here: the MibAuthorizationServer itself, and other API client applications (such as MibServerApi or MibFileManagementMicroService).
MibAuthorizationServer
The required environment variables are the client Id and client Secret with which the AuthorizationServer authenticates itself in order to use its own administration pages. They must match the values stored in the database row:
"MIBAUTHORIZATIONSERVERCONFIG_DEFAULT_CLIENTID": "authclientid"
"MIBAUTHORIZATIONSERVERCONFIG_DEFAULT_CLIENTSECRET": "authclientsecret"
Other client APIs
For other APIs, you must provide the client Id (the same value as in the database row) and the base address of the MibAuthorizationServer instance that will handle the authentication requests. The server URL must use https, because user credentials and the issued tokens travel over this connection. The variables are:
"MIBAUTHORIZATIONCLIENTCONFIG_DEFAULT_SERVERURL": "https://www.mibauthorizationserver.com"
"MIBAUTHORIZATIONCLIENTCONFIG_DEFAULT_CLIENTID": "apiClientId"
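As an added illustration (not code from the MibAuthorizationServer project or its clients), the following Python builds the token request that an API client configured with these variables would send for the Resource Owner Password grant. The variable names are the page's; the token route oauth/token is assumed to be the same route named in the authorization code diagram below, and the optional MIBAUTHORIZATIONCLIENTCONFIG_DEFAULT_CLIENTSECRET variable is an assumption modelled on the server's own DEFAULT_CLIENTSECRET variable, used only when an API client is registered as a confidential client. The builder refuses a plain-http server URL.

```python
import base64
from urllib.parse import quote, urlencode, urlsplit, urlunsplit

# Variable names are the page's. The CLIENTSECRET variable for API clients is an assumption
# modelled on the server's own DEFAULT_CLIENTSECRET variable; it is used only when present.
SERVER_URL_VAR = "MIBAUTHORIZATIONCLIENTCONFIG_DEFAULT_SERVERURL"
CLIENT_ID_VAR = "MIBAUTHORIZATIONCLIENTCONFIG_DEFAULT_CLIENTID"
CLIENT_SECRET_VAR = "MIBAUTHORIZATIONCLIENTCONFIG_DEFAULT_CLIENTSECRET"
TOKEN_PATH = "/oauth/token"  # assumed: the oauth/token route named in the authorization code diagram


def token_endpoint(server_url):
    """Join the configured base address with the token route, refusing anything but https.

    The password grant sends the user's credentials and receives bearer tokens in one
    exchange, so a plain-http server URL would expose both on the wire.
    """
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{SERVER_URL_VAR} must be an absolute https URL, got {server_url!r}")
    return urlunsplit(("https", parts.netloc, parts.path.rstrip("/") + TOKEN_PATH, "", ""))


def ropc_token_request(env, username, password, scope=""):
    """Build the Resource Owner Password Credentials request (RFC 6749 section 4.3).

    Returns {url, headers, body} so the request can be inspected or handed to any HTTP
    client; env is a mapping such as os.environ.
    """
    try:
        server_url, client_id = env[SERVER_URL_VAR], env[CLIENT_ID_VAR]
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None

    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    secret = env.get(CLIENT_SECRET_VAR)
    if secret:
        # Confidential client: HTTP Basic with the form-urlencoded id and secret (RFC 6749 2.3.1).
        cred = f"{quote(client_id, safe='')}:{quote(secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    else:
        # No secret configured (the page's "other client APIs" case): the server can identify
        # the client by client_id but cannot authenticate it.
        form["client_id"] = client_id

    return {"url": token_endpoint(server_url), "headers": headers, "body": urlencode(form)}


if __name__ == "__main__":
    # Constructed sample environment; in a real service these come from the process environment.
    sample = {SERVER_URL_VAR: "https://www.mibauthorizationserver.com", CLIENT_ID_VAR: "apiClientId"}
    req = ropc_token_request(sample, "alice", "correct horse battery staple")
    print(req["url"], req["headers"], req["body"], sep="\n")
```

The returned dict is deliberately transport-agnostic: the same body and headers can be posted with any HTTP client, and the https check runs before any network access is attempted.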
Authorization code grant
The MibServer3 application authenticates users through the authorization code grant type. This is more secure because the user is sent directly to the MibAuthorizationServer to log in, so the user's credentials are never exposed to the MibServer3 application: MibServer3 receives only a short-lived authorization code, which it exchanges for tokens over a back channel using its own client secret.
sequenceDiagram
title Authorization Code Flow
User->>MibServer3: Request authorization
MibServer3-->>+MibAuthorizationServer: oauth/authorize (browser redirect) <br/>Client Id, Redirect URI, response_type=code, state
MibAuthorizationServer-->>User: Log in and consent for new client
User-->>MibAuthorizationServer: Consent granted
MibAuthorizationServer-->>-MibServer3: Redirect to Redirect URI with Authorization Code and state
MibServer3->>+MibAuthorizationServer: oauth/token (back channel) <br/>Authorization Code, Redirect URI, Client Id, Client Secret
MibAuthorizationServer-->>-MibServer3: Access token, Refresh token
Configuring a MibServer3 instance for the authorization code grant follows the same pattern as for the other APIs: a row in the API_CLIENTS table of the MibAuthorizationServer database plus environment variables in the project's configuration. Because the authorization code grant has additional security requirements, however, a few more parameters are needed. Note that the client secret is only ever sent in the oauth/token request; the oauth/authorize request passes through the user's browser and must carry only the client Id and redirect URI.
The most important columns are:
- OAUTH_CLIENT_ID
- OAUTH_CLIENT_SECRET
- OAUTH_CLIENT_TYPE -> for the Authorization Code grant, must be set to 1
- REDIRECT_URI -> the address to which the MibAuthorizationServer redirects the browser, carrying the authorization code, after the user has authenticated. It must be the oauth/callback route of the MibServer3 application (for instance, https://www.mibserver3.com/oauth/callback) and must match the redirect_uri sent by MibServer3 exactly, including scheme, host, port and path; a request whose redirect_uri differs from the registered value must be rejected, otherwise the code could be delivered to an attacker-controlled address
The environment variables are the same as for Resource Owner Password clients, plus the client secret. The server URL must use https, since the client secret and the issued tokens are sent over this connection:
"MIBAUTHORIZATIONCLIENTCONFIG_DEFAULT_SERVERURL": "https://www.mibauthorizationserver.com",
"MIBAUTHORIZATIONCLIENTCONFIG_DEFAULT_CLIENTID": "mibserver3clientid",
"MIBAUTHORIZATIONCLIENTCONFIG_DEFAULT_CLIENTSECRET": "mibserver3clientsecret",
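To make the checks behind the table row and the diagram concrete, here is an added Python model of both sides of the authorization code exchange. It is written for this page and is not IdentityServer's or the MibAuthorizationServer's code: the column names, the type code 1 and the example Id, secret and callback values are the page's, while the 60-second code lifetime, the state parameter, the in-memory code store and the route handling are assumptions. The server side refuses a redirect_uri that is not the registered REDIRECT_URI before redirecting anywhere, authenticates the client with a constant-time secret comparison only at oauth/token, and accepts each code once, bound to the client and redirect_uri it was issued for.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

# Column names and the type code are the page's; everything else here is a constructed model.
TYPE_AUTHORIZATION_CODE = 1
CODE_LIFETIME_SECONDS = 60  # assumption: codes are short-lived, as RFC 6749 section 4.1.2 advises

@dataclass
class ClientRow:  # one API_CLIENTS row
    OAUTH_CLIENT_ID: str
    OAUTH_CLIENT_SECRET: str
    OAUTH_CLIENT_TYPE: int
    REDIRECT_URI: str = ""

@dataclass
class IssuedCode:  # what the server remembers about a code it handed out
    client_id: str
    redirect_uri: str
    user: str
    expires_at: float
    used: bool = False

def with_query(url, **params):
    return url + "?" + urlencode({k: v for k, v in params.items() if v is not None})

class AuthServerModel:
    """The checks the server must make against the client row (a model, not IdentityServer code)."""

    def __init__(self, rows):
        self.clients = {r.OAUTH_CLIENT_ID: r for r in rows}
        self.codes = {}

    def authorize(self, query, user, consent):
        """oauth/authorize: validate client and redirect_uri, then send the browser back with a code."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        row = self.clients.get(q.get("client_id", ""))
        # Refuse outright (no redirect) unless the client is registered for this grant and the
        # redirect_uri matches exactly: redirecting a code anywhere else hands it to an attacker.
        if row is None or row.OAUTH_CLIENT_TYPE != TYPE_AUTHORIZATION_CODE:
            raise PermissionError("unknown client or wrong OAUTH_CLIENT_TYPE")
        if q.get("redirect_uri") != row.REDIRECT_URI:
            raise PermissionError("redirect_uri does not match REDIRECT_URI")
        if q.get("response_type") != "code":
            return with_query(row.REDIRECT_URI, error="unsupported_response_type", state=q.get("state"))
        if not consent:
            return with_query(row.REDIRECT_URI, error="access_denied", state=q.get("state"))
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(row.OAUTH_CLIENT_ID, row.REDIRECT_URI, user,
                                      time.time() + CODE_LIFETIME_SECONDS)
        return with_query(row.REDIRECT_URI, code=code, state=q.get("state"))

    def token(self, form, now=None):
        """oauth/token: authenticate the client, then redeem a single-use, unexpired code."""
        now = time.time() if now is None else now
        row = self.clients.get(form.get("client_id", ""))
        expected = row.OAUTH_CLIENT_SECRET if row else ""
        # Constant-time compare, run even for unknown ids so timing does not reveal which exist.
        ok = hmac.compare_digest(expected.encode(), form.get("client_secret", "").encode())
        if row is None or not ok:
            raise PermissionError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise PermissionError("unsupported_grant_type")
        issued = self.codes.get(form.get("code", ""))
        if issued is None or issued.used or issued.expires_at < now:
            raise PermissionError("invalid_grant: unknown, used or expired code")
        # The code is bound to the client and redirect_uri it was issued for.
        if issued.client_id != row.OAUTH_CLIENT_ID or form.get("redirect_uri") != issued.redirect_uri:
            raise PermissionError("invalid_grant: code issued for another client or redirect_uri")
        issued.used = True
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "sub": issued.user}

def run_flow(server, server_url, client_id, client_secret, redirect_uri, user="alice", consent=True):
    """The MibServer3 side of the diagram, driven with the page's example configuration values."""
    state = secrets.token_urlsafe(16)  # ties the callback to this browser session
    authorize_url = with_query(server_url + "/oauth/authorize", response_type="code",
                               client_id=client_id, redirect_uri=redirect_uri, state=state)
    # Front channel: the browser is redirected to the server, which redirects back to oauth/callback.
    callback = server.authorize(urlsplit(authorize_url).query, user, consent)
    cb = {k: v[0] for k, v in parse_qs(urlsplit(callback).query).items()}
    if cb.get("state") != state:
        raise PermissionError("state mismatch: callback does not belong to our request")
    if "error" in cb:
        raise PermissionError(cb["error"])
    # Back channel: the client id and secret are sent here, never in the authorize request.
    return server.token({"grant_type": "authorization_code", "code": cb["code"],
                         "redirect_uri": redirect_uri, "client_id": client_id,
                         "client_secret": client_secret})

# Constructed sample row using the page's example values.
MIBSERVER3_ROW = ClientRow("mibserver3clientid", "mibserver3clientsecret",
                           TYPE_AUTHORIZATION_CODE, "https://www.mibserver3.com/oauth/callback")

if __name__ == "__main__":
    srv = AuthServerModel([MIBSERVER3_ROW])
    print(run_flow(srv, "https://www.mibauthorizationserver.com", "mibserver3clientid",
                   "mibserver3clientsecret", "https://www.mibserver3.com/oauth/callback"))
```

Running it prints a token response for the sample row; changing the redirect_uri passed to run_flow by a single character, sending the wrong secret, or redeeming the same code twice each raise PermissionError, which is the behaviour to verify against a real MibAuthorizationServer instance after registering a client.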