Table of Contents

Authorization Server Installation

Introduction

The first step to install MibAuthorizationServer is to prepare the database that will be used by the server. This can be easily done through the MibMigrator tool currently available inside the MibDlls folder.

Then one just need to extract the MibAuthorization package into IIS “www” folder, convert its folder to an app through IIS manager and add various config files and options.

The following sessions will explain this procedure in depth.

Prerequisites

  1. IIS installed with MVC .NET support
  2. MibPackages and MibDlls downloaded
  3. Knowledge about MibConfigs
  4. Database available to bootstrap

Migration: Generating Database

Every migration can be run through a neat utility provided by MIB, the MibMigrator which is available in the MibDlls package. All possible migrations are also provided in the same package to ease its use.

Three different configuration files are required:

  1. MibLogConfig
  2. MibDatabaseConfig
  3. MibConfigurableObjectConfig

Where the third one can just be a dummy configuration file as no mapping is required. Configuration files samples can be seen in the appendix.

It is necessary to bootstrap every database used by MIB projects by running at least the MibClient2 migration before the main migration. Here is a sample CLI command with parameters to do just that (change paths for your environment):

> C:\MibDlls\MibMigrator\Migrator\mibmigrator.exe -assembly="C:\MibDlls\MibMigrator\MibClient2Migrations\MibClient2.MibDatabaseMigrations.dll" -configPath="C:\TestData\auth_migration\config"

After this migration, MibAuthorizationServer migration must be run with the same configuration files, and a sample command can be seen here:

> C:\MibDlls\MibMigrator\Migrator\mibmigrator.exe -assembly="C:\MibDlls\MibMigrator\MibAuthorizationServerMigrations\MibAuthorizationServer.MibDatabaseMigrations.dll" -⁠configPath="C:\TestData\auth_migration\config"

Installing and enabling MibAuthorizationServer

After Migration:

  1. If not downloaded, download MibPackages as we need the package file MibAuthorizationServer.zip
  2. Extract it to “C:\inetpub\wwwroot%NAME%”, where %NAME can be any chosen name, such as MibAuth. In the remainder of this documentation %NAME% will be assumed as MibAuth.
  3. Open “IIS Manager”, search for the folder in which the package was extracted, right click it and the chose “Convert to app”.

Before effectively being able to use the server, it must be configured by creating a “config” folder inside “C:\inetpub\wwwroot\MibAuth”, in which the configuration files and the dictionary folder will reside. Samples in the appendix.

Minimally required configuration files:

  1. MibLogConfig
  2. MibAuthorizationServerConfig
  3. MibDatabaseConfig
  4. MibCryptoConfig

Additional recommended configuration files:

  1. MibTranslationConfig

It is important to correctly set the “clientSecret” field in MibAuthorizationServerConfig, which can be found by running the following command in the database:

SELECT OAUTH_CLIENT_SECRET FROM API_CLIENTS WHERE NAME = 'AuthPortal'

After adding the configuration files MibAuthorizationServer should be accessible through the set URL and the default user (“administrator”) should be enabled.

Appendix: Sample configuration files

Most important fields are marked in bold.

MibConfigurableObjectConfig.mibconfig

<?xml version="1.0" encoding="utf-8" ?>
<mibConfig>
</mibConfig>

MibAuthorizationServerConfig.mibconfig

<?xml version="1.0" encoding="utf-8" ?>
<mibConfig>
  <default>
    <rootUrl>https://server/authPath</rootUrl>
    <tokenEndpoint>/oauth/token</tokenEndpoint>
    <authorizeEndpoint>/oauth/authorize</authorizeEndpoint>
    <loginEndpoint>/authPath/login</loginEndpoint>
    <logoutEndpoint>/authPath/logout</logoutEndpoint>
    <useNewLoginUi>true</useNewLoginUi>
    <frontendAppRootUrl>https://frontend.authserver/</frontendAppRootUrl>
    <allowInsecureHttp>false</allowInsecureHttp>
    <authorizationCodeSeconds>30</authorizationCodeSeconds>
    <accessTokenMinutes>60</accessTokenMinutes>
    <refreshTokenHours>24</refreshTokenHours>
    <clientId>AuthPortal</clientId>
    <clientSecret>clientSecretFromDatabase</clientSecret>
    <workflowAssembly>MibAuthorizationServer.Workflow.MibServer</workflowAssembly>
    <workflowFactory>MibAuthorizationServer.Workflow.MibServer.MibDomainFactory</workflowFactory>
    <cookieName>mib_auth_server</cookieName>
    <mibjscompressionmode></mibjscompressionmode>
    <mibcsscompressionmode></mibcsscompressionmode>
    <mibJsCompressionDisableModifyDate></mibJsCompressionDisableModifyDate>
    <mibCssCompressionDisableModifyDate></mibCssCompressionDisableModifyDate>
    <language>en-us</language>
   </default>
</mibConfig>

MibCryptoConfig.mibconfig

<?xml version="1.0" encoding="utf-8" ?>
<mibConfig>
  <default>
    <AESKey>setAesKey</AESKey>
    <DESKey>setDesKey</DESKey>
  </default>
</mibConfig>

MibDatabaseConfig.mibconfig

<?xml version="1.0" encoding="utf-8" ?>
<mibConfig>
  <default>
    <type>serverType</type>
    <server>serverAddress</server>
    <database>databaseName</database>
    <username>databaseUsername</username>
    <password>databasePassword</password>
  </default>
</mibConfig>

MibTranslationConfig.mibconfig

<?xml version="1.0" encoding="utf-8" ?>
<mibConfig>
  <default>
    <debugInvalidKeys>true</debugInvalidKeys>
    <debugAllKeys>false</debugAllKeys>
  </default>
  <en-us>
    <description>English</description>
    <dictionary>Dictionary\en-US.mibconfig</dictionary>
    <imageUrl></imageUrl>
  </en-us>
  <pt-br>
    <dictionary>Dictionary\pt-BR.mibconfig</dictionary>
    <imageUrl></imageUrl>
  </pt-br>
</mibConfig>

MibLogConfig.mibconfig

<?xml version="1.0" encoding="utf-8" ?>
<mibConfig>
  <default>
    <mibTrace>true</mibTrace>
    <fileLogTag>MibLog</fileLogTag>
    <fileLogPath>logFilePath</fileLogPath>
    <eventViewerLog>Application</eventViewerLog>
    <eventViewerSource>applicationName</eventViewerSource>
    <databaseAlias>default</databaseAlias>
    <databaseTable>MibLogs</databaseTable>
    <databaseField>Message</databaseField>
  </default>
  <verbose>
    <mibTrace>true</mibTrace>
    <trace>true</trace>
    <file>true</file>
    <database>false</database>
    <eventViewer>false</eventViewer>
    <custom>false</custom>
  </verbose>
  <log>
    <mibTrace>true</mibTrace>
    <trace>true</trace>
    <file>true</file>
    <database>false</database>
    <eventViewer>false</eventViewer>
    <custom>false</custom>
  </log>
  <errorLog>
    <mibTrace>true</mibTrace>
    <trace>true</trace>
    <file>true</file>
    <database>false</database>
    <eventViewer>false</eventViewer>
    <custom>false</custom>
  </errorLog>
  <exception>
    <mibTrace>true</mibTrace>
    <trace>true</trace>
    <file>true</file>
    <database>false</database>
    <eventViewer>false</eventViewer>
    <custom>false</custom>
  </exception>
</mibConfig>

Migrating to the New Login UI

As of Mib version 6.0.87, the new Login UI for Mib Authorization Server is available. To ensure proper integration and a smooth migration, follow the steps and recommendations below. The old UI will be permanently disabled in MIB 7.0.

Service Configuration for the New Login UI

Update your MibAuthorizationServerConfig and environment variables as needed:

UseNewLoginUi

  • Purpose: Enables the new Login UI (set to false to use the old UI)
  • Default: false
  • Required: No

Example (disable new UI):

MIBAUTHORIZATIONSERVERCONFIG_DEFAULT_USENEWLOGINUI=false

FrontendAppRootUrl

  • Purpose: Specifies the URL where the SPA (Single Page Application) for the Auth UI is served
  • Default: (empty)
  • Required: Yes
Note

The Auth UI app is served by default under the base path /auth. Set this value accordingly.

Example:

MIBAUTHORIZATIONSERVERCONFIG_DEFAULT_FRONTENDAPPROOTURL=http://localhost:8040/auth/

CorsAllowCredentials

  • Purpose: Allows credentials in cross-origin HTTP requests
  • Default: false
  • Required: No
Note

Only enable this if your backend and frontend are served from different origins. This is generally not recommended for production.

Example:

MIBAUTHORIZATIONSERVERCONFIG_DEFAULT_CORSALLOWCREDENTIALS=true

CorsOrigins

  • Purpose: Specifies allowed origins for CORS
  • Default: (empty)
  • Required: No
Note

Only set this if your backend and frontend are on different origins. Not recommended for production.

Example (allowing CORS from both Auth and CMS apps):

MIBAUTHORIZATIONSERVERCONFIG_DEFAULT_CORSORIGINS=http://frontend.authserver.com,http://frontend.cms.com.br

Docker Compose Example for Auth UI

To run the new Auth UI using Docker Compose, use the following example. Make sure to authenticate to the private registry using your GitHub token (the same used for the CMS React app image).

version: '3.8'
services:
  authreact:
    container_name: react_auth
    image: ghcr.io/agilecontent/mib-auth-frontend:latest
    restart: unless-stopped
    environment:
      - AUTH_URL=http://localhost:8601/
      - BASE_PATH=/auth
    ports:
      - 8081:8081
    networks:
      - default
networks:
  default:
    driver: bridge

Releases: https://github.com/agilecontent/MibFrontEnd/pkgs/container/mib-auth-frontend

Variables

The following environment variables are used to configure the Auth UI container:

  • AUTH_URL: The base URL where the Mib Authorization Server API is accessible. This should point to your deployed authorization server instance.
  • BASE_PATH: The base path under which the Auth UI is served. By default, this is /auth.

Example:

AUTH_URL="https://samples.mediaibox.com.br/MibAuth/"
BASE_PATH="/auth/"

Switching Back to the Old UI

You can temporarily revert to the old UI during your migration process. Note: This flag will be removed in future versions.

MIBAUTHORIZATIONSERVERCONFIG_DEFAULT_USENEWLOGINUI=false

UI Customization

You can customize the colors and logo of the Auth UI using configuration keys in the Mib Authorization Server. For details, see the Auth UI - Theme configuration.

Recommendations for Production Environment

  1. Serve both MibAuthorizationServer and the React Auth UI from the same origin (identical scheme, domain, and port) to avoid CORS issues and maximize security. If this is not possible, then make sure to be strict when configuring the allowed CorsOrigins and enable CorsAllowCredentials.
  2. Always use HTTPS for all communications between the Auth UI and the Authorization Server to protect sensitive data.
  3. Regularly monitor and update both the Auth UI and backend to ensure you receive the latest security patches and feature improvements.

Recommendations for Development Environment

  1. You may serve the Auth UI and Authorization Server from different origins for development convenience.
  2. Enable CorsAllowCredentials and configure CorsOrigins as needed to support cross-origin requests during development.
  3. Use self-signed certificates or HTTP for local testing, but always validate your setup with HTTPS before moving to production.
  4. Document any non-default configurations clearly for your team.
Edit this page