Provider Registration
The provider service supports federated OAuth 2.0 providers: for example, an external OAuth 2.0 provider serving external clients and an internal OAuth 2.0 provider serving internal clients.
For the two to federate, the internal AS needs the public key certificate of the external AS, so that every resource server can verify tokens signed by either server.
Provider workflow
Provider workflow diagram
Provider workflow steps
Pre-steps: light-oauth server B and light-oauth server C register as light-oauth security providers on light-oauth server A. Follow the Provider Registration section below for the details of registration.
/oauth2/provider@post
Set the two-digit provider Id in the JSON request body; serverUrl and uri are where the other light-oauth servers will fetch this provider's certificate. For example:
{"providerId":"05","serverUrl":"http://google.ca/light-4j:8080","uri":"/oauth/key","providerName":"cloud light-4j"}
If the provider Id has already been registered by another light-oauth server, the following error is returned:
"ERR12048": {
"statusCode": 400,
"code": "ERR12048",
"message": "PROVIDER_ID_EXISTS",
"description": "Provider id %s exists; It has been regristed already."
}
Change the provider Id and send the registration request again.
If the registration succeeds, add the provider Id to the security.yml file of the light-oauth provider service (in our example, light-oauth server B or light-oauth server C):
# this light-oauth server also works as a provider for other light-oauth servers; the following is its provider id
providerId: 05
# JWT signature public certificates. kid and certificate path mappings.
jwt:
certificate:
'100': oauth/primary.crt
'101': oauth/secondary.crt
clockSkewInSeconds: 60
- The client gets a token from its local light-oauth server (light-oauth B in the diagram). The token header carries the certificate key Id, which is the provider Id followed by the local kid (05 + 100):
{
"kid": "05100",
"alg": "RS256"
}
- The client tries to access a service registered on light-oauth A with that access token.
- The service asks its light-oauth server (light-oauth A) to verify the token. Light-oauth A first tries to get the certificate locally, based on the key Id in the token header.
- If light-oauth A finds the certificate locally, it verifies the token directly. If not, the light-oauth key service tries to get the certificate from the registered provider identified by the key Id prefix.
- If the certificate is obtained from the registered provider, the token is verified with that certificate; otherwise an access error is returned.
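As an added example (not light-oauth2's own code), the Go program below walks through the lookup order above: server A's resolver checks its local certificates by kid, and when the kid is not local it splits off the two-digit provider Id, looks up that provider's serverUrl and uri from the registration record, fetches the key, caches it and verifies the RS256 signature. It also exercises the two failure modes a practitioner should check: a kid whose prefix names a provider that was never registered, and a token that carries B's kid but was signed with A's key. Assumptions not stated on the page: the provider's key endpoint is serverUrl + uri + "/" + local kid and returns a PEM-encoded RSA public key rather than an X.509 certificate; the HTTP GET is injected as a function backed by an in-memory map so the program runs offline; the host oauth-b:6882, the client names and all keys are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

// Resolver is server A's key lookup: its own keys from security.yml (by local
// kid), the registered providers (providerId -> serverUrl+uri from the
// /oauth2/provider record), and the HTTP GET used to pull a key from a
// provider, injected as a function so this demo runs offline. Local must be non-nil.
type Resolver struct {
	Local     map[string]*rsa.PublicKey
	Providers map[string]string
	Get       func(url string) ([]byte, error)
}

// Resolve follows the page's order: local kid first; otherwise the first two
// digits name a registered provider and the rest is that provider's own kid.
// Assumed, not on the page: the provider serves a PEM key at serverUrl+uri+"/"+kid.
func (r *Resolver) Resolve(kid string) (*rsa.PublicKey, error) {
	if k, ok := r.Local[kid]; ok {
		return k, nil
	}
	if len(kid) < 3 {
		return nil, fmt.Errorf("kid %q: not local and no provider prefix", kid)
	}
	base, ok := r.Providers[kid[:2]]
	if !ok {
		return nil, fmt.Errorf("kid %q: provider %q is not registered", kid, kid[:2])
	}
	body, err := r.Get(base + "/" + kid[2:])
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(body)
	if block == nil {
		return nil, fmt.Errorf("kid %q: provider %q served no PEM key", kid, kid[:2])
	}
	pub, err := x509.ParsePKCS1PublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	r.Local[kid] = pub // cache under the full kid; later tokens skip the fetch
	return pub, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 issues a token as server B would, with kid = providerId + local kid.
func SignRS256(priv *rsa.PrivateKey, kid, sub string) string {
	hdr, _ := json.Marshal(map[string]string{"kid": kid, "alg": "RS256"})
	claims, _ := json.Marshal(map[string]string{"sub": sub})
	in := b64(hdr) + "." + b64(claims)
	h := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return in + "." + b64(sig)
}

// Verify reads the header, resolves its kid and checks the RS256 signature.
func (r *Resolver) Verify(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token")
	}
	var hdr struct{ Kid, Alg string }
	raw, _ := base64.RawURLEncoding.DecodeString(parts[0])
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return err
	}
	if hdr.Alg != "RS256" { // the token never gets to choose the algorithm
		return fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := r.Resolve(hdr.Kid)
	if err != nil {
		return err
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // garbage simply fails below
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return fmt.Errorf("kid %q: bad signature", hdr.Kid)
	}
	return nil
}

// Demo registers provider B ("05", local kid "100") on server A, then verifies
// a token from B, one from A, one naming the unregistered provider "07", and
// one carrying B's kid but A's signature. Only the first two must pass.
func Demo() (fromB, fromA, unregistered, forged error) {
	keyA, _ := rsa.GenerateKey(rand.Reader, 2048)
	keyB, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed stand-in for B's key endpoint; host and port are made up.
	keyURL := "http://oauth-b:6882/oauth/key/100"
	pemB := pem.EncodeToMemory(&pem.Block{
		Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&keyB.PublicKey)})
	a := &Resolver{
		Local:     map[string]*rsa.PublicKey{"100": &keyA.PublicKey},
		Providers: map[string]string{"05": "http://oauth-b:6882/oauth/key"},
		Get: func(url string) ([]byte, error) {
			if url != keyURL {
				return nil, fmt.Errorf("GET %s: 404", url)
			}
			return pemB, nil
		},
	}
	fromB = a.Verify(SignRS256(keyB, "05100", "client-of-B"))
	fromA = a.Verify(SignRS256(keyA, "100", "client-of-A"))
	unregistered = a.Verify(SignRS256(keyB, "07100", "nobody"))
	forged = a.Verify(SignRS256(keyA, "05100", "impostor"))
	return
}

func main() { fmt.Println(Demo()) }
```

Running it prints four error values: the first two are nil, the third names the unregistered prefix "07", and the fourth is a bad-signature error because the kid "05100" resolves to B's key while the token was signed with A's. The design point is that the kid prefix only selects which registered provider to ask; it never widens trust beyond the providers explicitly registered via /oauth2/provider, and the signature is always checked against the key that prefix resolves to.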
Provider Registration
To add a new provider.
curl -X POST \
https://localhost:6889/oauth2/provider \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{"providerId":"05","serverUrl":"http://google.ca/light-4j:8080","uri":"/oauth/key","providerName":"cloud light-4j"}'
To update a provider, for example with a new serverUrl, send the full record again with PUT (a POST with an existing providerId is rejected with ERR12048, as described above).
curl -X PUT \
https://localhost:6889/oauth2/provider \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{"providerId":"05","serverUrl":"http://networknt/light-4j:8080","uri":"/oauth/key","providerName":"cloud light-4j"}'
To delete a provider by its providerId (the id is in the path; no request body is needed).
curl -X DELETE \
https://localhost:6889/oauth2/provider/02 \
-H 'Cache-Control: no-cache'
To query all providers (no request body is needed).
curl -X GET \
https://localhost:6889/oauth2/provider \
-H 'Cache-Control: no-cache'
Result of the query request:
{
"05": {
"providerId": "05",
"serverUrl": "http://networknt/light-4j:8080",
"uri": "/oauth/key",
"providerName": "cloud light-4j"
},
"02": {
"providerId": "02",
"serverUrl": "http://yahoo.ca/light-4j:8080",
"uri": "/oauth/key",
"providerName": "cloud light-4j"
}
}