[HOWTO] Authorize Access to Protected Resources using OAuth2.0


By Centrify Contributor I 12-31-2017 11:50 AM

Background

 

  1. OAuth 2.0 is the industry-standard protocol for authorization
  2. Understanding the OAuth 2.0 standard can be complex, mainly because of how many different ways it can be implemented for varying requirements
  3. In this article we will focus on the Client Credentials Flow
  4. Other OAuth 2.0 flows include:
     - Authorization Code Flow
     - Implicit Flow
     - Resource Owner Password Credentials Flow
  5. When in doubt, reference the OAuth 2.0 spec (RFC 6749) -> here

 

Centrify Configuration

 

  1. Log in to the Centrify Application Services Portal as an Administrator
  2. Switch to Admin Portal
  3. Click on "Apps"
  4. Click on "Add Web Apps"

Screenshot 2017-12-31 11.13.30.png

 

5. Click the "Custom" tab

6. Add OAuth2 Client Application

 

Screenshot 2017-12-31 11.16.30.png

 

7. Select "Yes" when asked "Do you want to add this application?"

 

Screenshot 2017-12-31 11.18.46.png

 

8. Close "Add Web Apps" Pop-Up

 

Screenshot 2017-12-31 11.21.47.png

 

  9. Begin Application Configuration

10. Within "Description" section, define a unique Application ID

 

Screenshot 2017-12-31 11.24.05.png

 

11. Navigate to "General Usage" 

12. Define General Usage as both "Confidential" & "Must be OAuth Client"

13. Skip the link to create a Service User, we'll come back to that later

 

Screenshot 2017-12-31 11.28.14.png

 

14. Navigate to "Tokens"

15. Define "Token Type" as "JwtRS256" (a JSON Web Token signed with RS256, i.e. an RSA signature over SHA-256; the token is signed so its contents cannot be altered, not encrypted, so do not put secrets in it)

16. Define "Auth Methods" as "Client Creds"

17. Select a desired token lifetime (how long it's valid for)

 

Screenshot 2017-12-31 11.32.26.png

 

18. Navigate to "Scopes"

19. Define "Scopes" for what is protected and requires an auth/bearer token

 

20. In this example we are protecting the tenant APIs exposed by the issuer (https://aaq0180.my.centrify.com)

 

21. Select "Add" under "Scope definitions"

 

Screenshot 2017-12-31 12.33.52.png

 

22. Give your scope definitions a Name, Description & Regular Expression Filter

 

23. "RedRock/query" is the standard API endpoint applications call to run queries against the Centrify Platform; using it as the Regular Expression Filter limits this scope to that API

(Learn more about using queries -> here)

 

24. Click "Save"

 

25. Our defined scope now restricts the token to running report queries programmatically

 

Screenshot 2017-12-31 12.37.16.png

 

26. Navigate to "User Access"

27. For this example, we're going to restrict query access to only Service Accounts/Users

28. Click "Save"; your OAuth2 Client Application configuration is complete for now

 

Screenshot 2017-12-31 12.47.30.png

 

29. Now we need to create a Service User that will act as our Confidential Client

30. Navigate under "Core Services">"Users">"Add User"

 

Screenshot 2017-12-31 12.50.28.png

 

31. Create the user by supplying Login Name, Display Name and Password Type

32. Ensure that user status is defined as both a Service User & OAuth Confidential Client

33. Select "Create User"

 

Screenshot 2017-12-31 12.54.01.png

 

34. If you haven't already done so, create a Service_Users Role

35. Now make sure our newly created service user is included under "Members" of our Service_Users Role

 

Screenshot 2017-12-31 12.58.05.png

 

Screenshot 2017-12-31 13.02.40.png

 

36. Under "Administrative Rights" make sure the role includes "Read Only System Administration"

 

Screenshot 2017-12-31 13.04.12.png

 

37. Under "Assigned Applications" make sure our newly created OAuth2 Client App is added

38. Click "Save" to complete Role configuration

 

Screenshot 2017-12-31 13.06.14.png

 

39. Now we can create a "Bearer Token" to be used to invoke our protected APIs

40. Navigate back to "Apps" and select our newly created OAuth2 Client Application

41. Under the "Actions" dropdown menu, select "Create Bearer Token"

 

Screenshot 2017-12-31 13.10.18.png

 

42. Here, you will have to supply the client_id & secret that you established as part of your Service User/Confidential Client

43. Select "Get Token"

 

Screenshot 2017-12-31 13.12.55.png

 

44. If the ClientID & Secret are validated as correct, a bearer token will be generated and displayed

45. Select "Copy" to capture/copy token to be used later for authorization

 

Screenshot 2017-12-31 13.14.31.png

 

46. Now that we have our Token, we can do a quick recap and put it to the test!

47. Reference the video below on how to use this token and how to validate that our setup is correct
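Before putting the token from step 45 to use, it is worth looking at what it actually contains. The following is an added example (not from the original post and not Centrify's code): it decodes the header and claims of a JwtRS256 token with the standard library and applies the checks a client should make before trusting it (alg is RS256 and not "none" or a MAC, the issuer is the tenant, exp has not passed, the scope configured in step 22 was granted). It does not verify the RS256 signature; that needs the issuer's public key and a JWT library and is the job of the API that accepts the token. The sample token, the claim layout (scope carried as a space-separated string) and the scope name "report_query" are constructed for this example; only the issuer URL comes from the article.

```python
"""Inspect a JwtRS256 bearer token before using it (added example, not the article's code)."""
import base64
import json
import time


def b64url_decode(segment):
    """Decode a base64url segment that has had its padding stripped (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    """Encode bytes as unpadded base64url (used only to build the sample token)."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_jwt(token):
    """Split a compact JWS into (header, claims, signature_bytes) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments (JWS compact serialization)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


def check_token(token, expected_iss, required_scope, now=None, skew=60):
    """Return the list of problems found; an empty list means the claims pass.

    skew allows a small clock difference between this host and the issuer.
    """
    now = time.time() if now is None else now
    header, claims, _sig = decode_jwt(token)
    problems = []
    if header.get("alg") != "RS256":
        # "none" or an HMAC alg here means the token is not what step 15 configured.
        problems.append(f"unexpected alg {header.get('alg')!r}, expected RS256")
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer {claims.get('iss')!r} is not {expected_iss!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("no numeric exp claim")
    elif now - skew >= exp:
        problems.append("token has expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + skew < nbf:
        problems.append("token not yet valid (nbf)")
    # Assumption for this example: granted scopes arrive as a space-separated "scope" claim.
    if required_scope not in str(claims.get("scope", "")).split():
        problems.append(f"scope {required_scope!r} not granted")
    return problems


def make_sample_token(claims, alg="RS256"):
    """Build a compact JWT with a placeholder signature (constructed test data only)."""
    def seg(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": alg, "typ": "JWT"}
    return f"{seg(header)}.{seg(claims)}.{b64url_encode(b'placeholder-signature')}"


ISSUER = "https://aaq0180.my.centrify.com"   # the issuer named in step 20
SAMPLE_IAT = 1514721000                       # constructed issue time
SAMPLE_EXP = SAMPLE_IAT + 3600                # a one-hour lifetime as chosen in step 17
SAMPLE_TOKEN = make_sample_token({            # constructed claims, not a captured token
    "iss": ISSUER,
    "sub": "api_user@eddie_welch_01",
    "aud": "my_oauth_client",
    "iat": SAMPLE_IAT,
    "exp": SAMPLE_EXP,
    "scope": "report_query",
})


if __name__ == "__main__":
    header, claims, _ = decode_jwt(SAMPLE_TOKEN)
    print("header:", header)
    print("claims:", claims)
    # The sample was issued in 2017, so this reports "token has expired" when run today.
    print("problems now:", check_token(SAMPLE_TOKEN, ISSUER, "report_query"))
```

Paste the token copied in step 45 into decode_jwt to see its real claim names; if the scope or expiry does not match what was configured in steps 17 and 22, fix the application before debugging 401s from the API.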

 

48. [Updated March 2018] An alternative and more efficient way of obtaining an authorization token is to retrieve the OAuth2 token programmatically instead of manually through the User Interface. While several grant_types per the OAuth2.0 spec can achieve this, in our example we will use the grant_type of client_credentials. Per the spec (RFC 6749 section 4.4.2) the grant_type parameter is sent in the form-encoded body of an HTTP POST, and the client authenticates either with an HTTP Basic Authorization header built from client_id and client_secret (the method the spec prefers) or by sending client_id and client_secret as additional body parameters. In our example we will use Postman to invoke the oauth2 token endpoint and pass all three parameters in the request body. Using a confidential client as defined in steps 29-33 we can obtain a token. In this example we will use a separate confidential client or "service user", api_user@eddie_welch_01, but you'll notice they are both attached to the same role, associated with the my_oauth_client AppID. The URL of the token endpoint is as follows:

 

https://tenant/oauth2/token/appid

 

In our example we will use:

 

https://aaq0180.my.centrify.com/oauth2/token/my_oauth_client

 

The AppID can be found in the admin console here:

 

 Screenshot 2018-03-30 11.13.40.png

 

Here is our Postman Request Headers:

 

 

Screenshot 2018-03-30 11.17.21.png

 

Here is our Postman Request Body which includes our 3 required parameters:

 

Screenshot 2018-03-30 11.20.19.png

 

Here is our Postman Response, which includes our Oauth Access Token:

 

Screenshot 2018-03-30 11.25.24.png
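The same exchange as the Postman request above, and the follow-on call to the protected RedRock/query API from step 47, in a script. This is an added example for this article (not Centrify's code and not from the original post). It assumes only what the article states: the token endpoint is POST https://<tenant>/oauth2/token/<appid>, the protected API is POST https://<tenant>/RedRock/query, and the tenant, AppID and service user names are the article's. The {"Script": ...} body shape for the query, the CENTRIFY_* environment variable names and the auth="basic" option (the spec's preferred client authentication, which the article does not show the tenant accepting) are assumptions made for this example.

```python
"""Obtain a client_credentials token and call RedRock/query (added example, not the article's code)."""
import base64
import json
import os
import urllib.parse
import urllib.request


def build_token_request(tenant, app_id, client_id, client_secret, auth="body"):
    """Build the client_credentials request (RFC 6749 section 4.4) as (url, headers, body).

    auth="body"  sends client_id/client_secret as form fields, as the Postman
                 request in the article does.
    auth="basic" sends them in an HTTP Basic Authorization header instead, the
                 method the spec prefers (section 2.3.1); tenant support assumed.
    grant_type always travels in the form-encoded body, never in a header.
    """
    form = {"grant_type": "client_credentials"}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth == "body":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif auth == "basic":
        # Section 2.3.1: each credential is form-urlencoded before the Basic encoding,
        # so an '@' in the login name becomes %40 instead of confusing the "id:secret" split.
        raw = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    else:
        raise ValueError("auth must be 'body' or 'basic'")
    url = f"https://{tenant}/oauth2/token/{app_id}"
    return url, headers, urllib.parse.urlencode(form).encode()


def parse_token_response(raw_json):
    """Check a token response (RFC 6749 section 5) and return (access_token, expires_in).

    Raises RuntimeError on an error response, a non-Bearer token type or a
    missing access_token, so a wrong secret fails here rather than as a
    confusing 401 from the protected API later.
    """
    data = json.loads(raw_json)
    if "error" in data:
        raise RuntimeError(f"token endpoint error: {data['error']} {data.get('error_description', '')}".rstrip())
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    token = data.get("access_token")
    if not token:
        raise RuntimeError("token response carries no access_token")
    return token, int(data.get("expires_in", 0))


def build_query_request(tenant, access_token, script):
    """Build the protected RedRock/query call as (url, headers, body).

    The bearer token goes in the Authorization header (RFC 6750 section 2.1);
    never in the query string, where it would land in logs. The {"Script": ...}
    body shape is an assumption for this example.
    """
    url = f"https://{tenant}/RedRock/query"
    headers = {"Authorization": "Bearer " + access_token, "Content-Type": "application/json"}
    return url, headers, json.dumps({"Script": script}).encode()


def post(url, headers, body, timeout=30):
    """Send a POST and return the response body as text (network access required)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Live run only when a secret is supplied; otherwise show the request that would be sent.
    tenant = os.environ.get("CENTRIFY_TENANT", "aaq0180.my.centrify.com")
    app_id = os.environ.get("CENTRIFY_APPID", "my_oauth_client")
    client_id = os.environ.get("CENTRIFY_CLIENT_ID", "api_user@eddie_welch_01")
    secret = os.environ.get("CENTRIFY_CLIENT_SECRET")
    url, headers, body = build_token_request(tenant, app_id, client_id, secret or "<secret>")
    if not secret:
        print("POST", url, headers, body.decode())
    else:
        token, ttl = parse_token_response(post(url, headers, body))
        print(f"got bearer token valid for {ttl}s")
        q_url, q_headers, q_body = build_query_request(tenant, token, "Select ID, Name from Role")
        print(post(q_url, q_headers, q_body))
```

Run it with CENTRIFY_CLIENT_SECRET set to perform the live exchange; without it the script only prints the request it would send, which is a quick way to compare against the Postman headers and body above. Keep the secret in the environment or a secrets store rather than in the script, and treat the returned access token the same way for as long as the lifetime chosen in step 17 lasts.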

 

 

 
