Using OAuth2 framework in InterSystems IRIS. Learn how to act as Client, Authentication Server or Resource Server.
Add a line to resolve `webserver` to `127.0.0.1`.
You can find your hosts file in:
The certificate has been generated using:
```shell
openssl req -x509 -newkey rsa:4096 -keyout ssl-cert.key -out ssl-cert.pem -nodes -sha256 -days 999 -subj "/CN=webserver"
```
```shell
docker-compose up -d
```
You will set up some examples using the OAuth2 authorization framework and InterSystems IRIS.
In these examples, you will learn how InterSystems IRIS can act in different roles of the OAuth2 framework.
After running containers, you should get access to:
| Container | Mng. Portal URL | Notes |
|---|---|---|
| webserver | https://webserver/csp/bin/Systems/Module.cxw | HTTPS access to all IRIS instances |
| authserver | https://webserver/authserver/csp/sys/UtilHome.csp | IRIS instance that will act as Authorization Server |
| resserver | https://webserver/resserver/csp/sys/UtilHome.csp | IRIS instance that will act as Resource Server |
| client | https://webserver/client/csp/sys/UtilHome.csp | IRIS instance that will act as Client |
You can login in InterSystems IRIS instances using
A grant type specifies how the authorization server should process the request for authorization. The client specifies the grant type within the initial request to the authorization server.
You can find more information in the documentation.
Scopes are a mechanism in OAuth 2.0 to limit access.
A client can request one or more scopes; this information is displayed to the user in the consent screen. Finally, the access token issued to the application will be limited to the scopes granted.
Authentication is the process of verifying that users are who they say they are.
Authorization is the process of giving those users permission to access resources.
OAuth is an authorization framework. OAuth specifies:
- access tokens, used when an app has been authorized.
OpenID Connect (OIDC) is an extension to OAuth 2.0 to handle authentication. To request authentication, the client includes the `openid` scope value in the request to the authorization server.
- ID tokens, used when a user has been authenticated.
There are some OIDC specific scopes:
| Scope | Claims returned |
|---|---|
| openid | Returns sub (uniquely identifies the user), iss, aud, exp, iat and at_hash claims |
| profile | Profile information, including name, family_name, given_name |
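As an added example (not part of this workshop's code), the following Python checks the OIDC claims listed above on an ID token that was issued together with an access token: iss, aud, exp, iat, sub, and at_hash, which binds the ID token to that access token. The issuer URL and the test token are constructed assumptions; a real token must additionally have its signature verified against the server's JWKS before its claims are trusted.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def expected_at_hash(access_token: str, alg: str = "RS256") -> str:
    # at_hash = base64url(left-most half of hash(access_token)); the hash
    # is the one named by the ID token's signing alg (RS256 -> SHA-256, ...).
    digest = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}[alg[-3:]]
    h = digest(access_token.encode("ascii")).digest()
    return b64url_encode(h[: len(h) // 2])


def check_id_token_claims(id_token: str, access_token: str, issuer: str, client_id: str, now: int) -> list:
    # Returns the names of the failed checks; an empty list means the claims are consistent.
    # Signature verification (JWKS) is assumed to have happened before this is called.
    header_b64, payload_b64, _sig = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        problems.append("exp")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        problems.append("iat")
    if not claims.get("sub"):
        problems.append("sub")
    at_hash = claims.get("at_hash")
    want = expected_at_hash(access_token, header.get("alg", "RS256"))
    if not isinstance(at_hash, str) or not hmac.compare_digest(at_hash, want):
        problems.append("at_hash")
    return problems


def make_unsigned_id_token(claims: dict) -> str:
    # Constructed, unsigned test token (header.payload.) for offline demonstration only.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."
```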
You need to create an OAuth server definition in AuthServer. It can be done using the management portal or using
For convenience, you will use a utility that is already prepared with some settings.
Open a terminal session:
```shell
docker exec -it authserver bash
iris session iris
```
Create the OAuth server definition with the utility which uses
```objectscript
zn "AUTHSERVER"
do ##class(auth.server.Utils).CreateServerConfig()
```
Have a look at the OAuth Server definition in System Administration > Security > OAuth 2.0 > Server and check:
- DisplayLogin: customize the login page that will be presented to users when authenticating.
- DisplayPermissions: customize the consent page that will be presented to users when consenting to scopes.
- ValidateUser: this is actually how users are authenticated in the system. By default it authenticates based on users created on the InterSystems IRIS instance. However, you can write any other behaviour you need.
After defining the server, a new `/oauth2` web application has been created.
The OpenID URL for the server is available at: https://webserver/authserver/oauth2/.well-known/openid-configuration
Now, you will create a client definition in the Client instance.
Create a dynamic OAuth server definition. This will be a reference to the authorization server (AuthServer) you created in the previous step:
Create an OAuth client definition. This definition describes and registers a client that will use the authorization server:
Finally, you will create the resource server in the ResServer instance:
Create a dynamic OAuth server definition. This is also a reference to the authorization server (AuthServer) created before:
Create an OAuth client definition. This client definition represents the resource server:
Now, we are going to access the protected resources through Postman using the client credentials grant type.
Client credentials as a supported grant type.
Client Secret values. You will need these values in Postman.
### Postman client