Using OAuth2 framework in InterSystems IRIS. Learn how to act as Client, Authentication Server or Resource Server in different scenarios.
Add a line to resolve webserver
to 127.0.0.1
127.0.0.1 webserver
You can find your hosts file in:
O.S. | File |
---|---|
MacOS | /private/etc/hosts |
Windows | c:\Windows\System32\Drivers\etc\hosts |
The certificate has been generated using:
cd webserver
openssl req -x509 -newkey rsa:4096 -keyout ssl-cert.key -out ssl-cert.pem -nodes -sha256 -days 999 -subj "/CN=webserver"
Build images:
docker compose build
Run containers:
docker compose up -d
You will set up some examples using OAuth2 authorization framework and InterSystems IRIS.
In this examples, you will learn how InterSystems IRIS can act as different roles in the OAuth2 framework.
After running containers, you should get access to:
Container | URL | Notes |
---|---|---|
webserver | https://webserver/csp/bin/Systems/Module.cxw | HTTPS access to all IRIS instances |
authserver | https://webserver/authserver/csp/sys/UtilHome.csp | IRIS instance that will act as Authorization Server |
resserver | https://webserver/resserver/csp/sys/UtilHome.csp | IRIS instance that will act as Resource Server |
client | https://webserver/client/csp/sys/UtilHome.csp | IRIS instance that will act as Client |
angular-client | http://localhost:8080/ | Angular application that will act as Client |
You can login in InterSystems IRIS instances using superuser
/SYS
.
A grant type specifies how the authorization server should process the request for authorization. The client specifies the grant type within the initial request to the authorization server.
You can find more information in the documentation.
Scopes are a mechanism in OAuth 2.0 to limit access.
A client can request one or more scopes, this information is displayed to the user in the consent screen. Finally, the access token issued to the application will be limited to the scopes granted.
Authentication is the process of verifying that users are who they say they are.
Authorization is the process of giving those users permission to access resources.
OAuth is an authorization framework. OAuth specifies access tokens
, used when an app has been authorized.
OpenID Connect (OIDC) is extension to OAuth 2.0 to handle authentication. To request authentication, the client includes the openid
scope value in the request to the authorization server.
OIDC specifies IDTokens
, used when a user has been authenticated.
There are some OIDC specific scopes:
Scope | Description |
---|---|
openid | Returns sub (uniquely identifies the user), iss, aud, exp, iat, and at_hash claims |
profile | Profile information like including name, family_name, given_name |
email claim |
In this scenario, you will secure a REST API (protected resource) that will be accessed from a registered client (Postman).
You will use Client Credentials OAuth grant type.
You need to create an OAuth server definition in AuthServer. It can be done using the management portal or using OAuth2.*
classes.
For convenience, you will use an utility that is already prepared with some settings.
Open a terminal session:
docker exec -it authserver bash
iris session iris
Create the OAuth server definition with the utility which uses OAuth2.*
classes:
zn "AUTHSERVER"
do ##class(auth.server.Utils).CreateServerConfig()
Have a look at the OAuth Server definition in System Administration > Security > OAuth 2.0 > Server and check:
AUTHSERVER
namespace.BeforeAuthenticate
, AfterAuthenticate
DisplayLogin
- customize login page that will be presented to users when authenticatingDisplayPermissions
- customize consent page that will presented to users when consenting scopesValidateUser
- this is actually how users are authenticated in the system. By default it authenticates based on users created on the InterSystems IRIS instance. However you can write any other behaviour you need.After defining the server, a new /oauth2
web application has been created.
The OpenID URL for the server is available at: https://webserver/authserver/oauth2/.well-known/openid-configuration
The REST API will be an OAuth resource server in the ResServer instance.
Create a dynamic OAuth server definition. This also is a reference to the authentication server created before:
https://webserver/authserver/oauth2
ssl
Create an OAuth client definiton. This client definition represents the resource server:
resserver
resserver
Resource Server
ssl
You have now to register the client that will be able to ask for tokens and access the resource server.
Client ID
and Client Secret
values. You will use these values in Postman.In Postman, do the following:
Client ID
and Client Secret
.In case you want to have a look at what is happening in the authorization server while getting the token, you can active log messages:
docker exec -it authserver bash
iris session iris
zn "AUTHSERVER"
set ^%ISCLOG=5
zn "%SYS"
do ##class(%OAuth2.Utils).DisplayLog("/app/authserver-debug.log")
kill ^ISCLOG
In this scenario you will secure a simple web page (in IRIS) that will allow different users to access protected resources.
You will use Authorization Code OAuth grant type.
We will use the same configuration as in the previous scenario.
Have a look at the Authorization Server definition in System Administration > Security > OAuth 2.0 > Server.
We will also use the same resource server configuration as in the previous scenario.
You have to create client definition in the Client instance to register the simple web application that will act as client.
Create a dynamic OAuth server definition:
https://webserver/authserver/oauth2
ssl
Create an OAuth client definition. This definition describes and registers a client that will use the authorization server:
simple-web-page
simple-web-page
Confidential
ssl
yes
webserver
client
superuser
/SYS
or developer
/test
.You should get something like that:
In this scenario, you will secure an Angular application that will handle user authorization and then let them access protected resources.
You will use a Authorization Code + Proof Key Code Exchange (PKCE) OAuth grant type in this case.
We will use the same configuration as in the previous scenario.
Have a look at the Authorization Server definition in System Administration > Security > OAuth 2.0 > Server.
/oauth2
endpoint in InterSystems IRIS has its own CORS settings. You should setup the allowed origins (e.g. the angular client application). In this case it is already setup for you. But you can have a look at it here in Cross-Origin Settings tab.
We will also use the same resource server configuration as in the previous scenario.
/angular-client
directory.To create the client run the following:
docker exec -it authserver bash
iris session iris
zn "AUTHSERVER"
do ##class(auth.server.Utils).CreateAngularAppClient()
developer
/ test
or superuser
/ SYS
You shoul be able to get something like that: