Janus Manual

OAuth 2.0

Last updated 4 years ago

1. Add your OAuth Server

The main feature of the API Gateway is to proxy requests to a different service, so let's do this. Now that you are authenticated against the admin API, send a POST request to /oauth/servers to register your OAuth server. The request body (examples/front-proxy-auth/auth/auth.json) holds the server definition whose fields are described in the Reference section of this page.

http -v POST localhost:8081/oauth/servers "Authorization:Bearer yourToken" "Content-Type: application/json" < examples/front-proxy-auth/auth/auth.json

curl -X "POST" localhost:8081/oauth/servers -H "Authorization:Bearer yourToken" -H "Content-Type: application/json" -d @examples/front-proxy-auth/auth/auth.json

2. Verify that your API has been added

You can use the REST API to query all registered OAuth servers. Make a GET request to /oauth/servers with the same Bearer token.

http -v GET localhost:8081/oauth/servers "Authorization:Bearer yourToken" "Content-Type: application/json"

curl -X "GET" localhost:8081/oauth/servers -H "Authorization:Bearer yourToken" -H "Content-Type: application/json"

3. Forward your requests through Janus

Issue the following request to verify that Janus is properly forwarding requests to your OAuth Server.

This request is an example of a simple client_credentials flow of OAuth 2.0; you can try any flow that you like. YourBasicToken is the Base64 encoding of client_id:client_secret, the HTTP Basic client authentication defined by RFC 6749, section 2.3.1.

http -v GET "http://localhost:8080/auth/token?grant_type=client_credentials" "Authorization: Basic YourBasicToken"

curl -X "GET" "http://localhost:8080/auth/token?grant_type=client_credentials" -H "Authorization: Basic YourBasicToken" -H "Content-Type: application/json"

Note that RFC 6749 requires the token endpoint to be called with POST and a form-encoded body; the GET form above only works if your OAuth server accepts it, and the token endpoint's proxy configuration must allow that method (see Request HTTP method in the Proxy Reference).

Reference

Configuration                   Description
name                            The unique name of your OAuth Server
oauth_endpoints.authorize       Defines the proxy configuration (see Proxy Reference) for the authorize endpoint
oauth_endpoints.token           Defines the proxy configuration for the token endpoint
oauth_endpoints.introspection   Defines the proxy configuration for the introspection endpoint
oauth_endpoints.revoke          Defines the proxy configuration for the revoke endpoint
oauth_client_endpoints.create   Defines the proxy configuration for the create client endpoint
oauth_client_endpoints.remove   Defines the proxy configuration for the remove client endpoint
allowed_access_types            The allowed access (grant) types for this OAuth server
allowed_authorize_types         The allowed authorize (response) types for this OAuth server
auth_login_redirect             The auth login redirect URL
secrets                         A map of client_id to client_secret held by the gateway, so that a client
                                can authenticate with only its client_id. Treat this map as secret material.
token_strategy.name             The token strategy for this server: introspection or jwt
token_strategy.settings         Token strategy settings, see below, per strategy
token_strategy.leeway           Leeway applied when validating the token's time-based claims (such as exp),
                                to tolerate clock skew between the token issuer and the gateway
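
The three steps above (register the server, list the servers, send a client_credentials request through the gateway), carried out from Python against the admin API, as an added example that is not part of the original page or of the Janus project. It assembles a server definition from the fields in the reference table. The admin port 8081 and proxy port 8080 come from this page; the proxy-definition shape (listen_path, upstreams, strip_path, append_path, methods) follows this manual's Proxy Reference section and should be checked against the version you run; the upstream host auth-service:8080, the listen paths, the client credentials and the signing key are placeholders.

```python
"""Register an OAuth server with the Janus admin API and call the proxied
token endpoint. Added example; every hostname, path, key and credential
below is a placeholder, and the proxy-definition shape is assumed from the
manual's Proxy Reference."""
import base64
import json
import urllib.request

ADMIN_URL = "http://localhost:8081"          # Janus admin API (port from this page)
GATEWAY_URL = "http://localhost:8080"        # Janus proxy listener (port from this page)
UPSTREAM_AUTH = "http://auth-service:8080"   # assumed upstream OAuth server


def proxy(listen_path: str, target: str, methods: list) -> dict:
    """One proxy definition in the (assumed) shape of the Proxy Reference."""
    return {
        "listen_path": listen_path,
        "upstreams": {"balancing": "roundrobin", "targets": [{"target": target}]},
        "strip_path": True,
        "append_path": False,
        "methods": methods,
    }


def build_server_definition(name: str, jwt_settings: list, leeway: int = 30) -> dict:
    """Assemble the fields from the reference table into one server definition."""
    return {
        "name": name,
        "oauth_endpoints": {
            "authorize": proxy("/auth/authorize", f"{UPSTREAM_AUTH}/authorize", ["GET", "POST"]),
            "token": proxy("/auth/token", f"{UPSTREAM_AUTH}/token", ["GET", "POST"]),
            "introspection": proxy("/auth/introspect", f"{UPSTREAM_AUTH}/introspect", ["POST"]),
            "revoke": proxy("/auth/revoke", f"{UPSTREAM_AUTH}/revoke", ["POST"]),
        },
        "oauth_client_endpoints": {
            "create": proxy("/auth/clients", f"{UPSTREAM_AUTH}/clients", ["POST"]),
            "remove": proxy("/auth/clients", f"{UPSTREAM_AUTH}/clients", ["DELETE"]),
        },
        # Enable only the grant and response types the upstream really needs.
        "allowed_access_types": ["client_credentials", "refresh_token"],
        "allowed_authorize_types": ["code"],
        "auth_login_redirect": f"{GATEWAY_URL}/login",
        # client_id -> client_secret; placeholders, never commit real secrets.
        "secrets": {"example-client": "example-client-secret"},
        "token_strategy": {"name": "jwt", "settings": jwt_settings, "leeway": leeway},
    }


def admin_request(method: str, path: str, admin_token: str, body=None):
    """Call the admin API with the Bearer token obtained in the Authenticating step."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ADMIN_URL + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {admin_token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"null")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1 client authentication: Basic base64(client_id:client_secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def request_client_credentials_token(client_id: str, client_secret: str) -> dict:
    """Step 3 through the gateway. Uses POST with a form body, as RFC 6749 requires."""
    req = urllib.request.Request(f"{GATEWAY_URL}/auth/token",
                                 data=b"grant_type=client_credentials", method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    import sys
    admin_token = sys.argv[1]  # Bearer token from the Quick Start "Authenticating" step
    definition = build_server_definition("local", [{"alg": "HS256", "key": "replace-me"}])
    print(admin_request("POST", "/oauth/servers", admin_token, definition))              # step 1
    print(admin_request("GET", "/oauth/servers", admin_token))                            # step 2
    print(request_client_credentials_token("example-client", "example-client-secret"))   # step 3
```

Run it as `python register_oauth_server.py <admin-bearer-token>` against a running Janus; the client credentials must already exist on the upstream OAuth server, and the signing key in token_strategy.settings must be the one that server uses to mint tokens.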

Token Strategy Settings

jwt

The jwt strategy validates a token locally, checking its signature and its expiration date. With the HS* methods the same shared secret must be configured on the OAuth server that issues the tokens and in Janus; with the RS* methods Janus needs only the issuer's public key. Currently the following signature methods are supported:

  • HS256 - HMAC with SHA256 hash (symmetric key)

  • HS384 - HMAC with SHA384 hash (symmetric key)

  • HS512 - HMAC with SHA512 hash (symmetric key)

  • RS256 - RSA with SHA256 hash (asymmetric key)

  • RS384 - RSA with SHA384 hash (asymmetric key)

  • RS512 - RSA with SHA512 hash (asymmetric key)

Settings structure has the following format:

[
    {"alg": "<alg1>", "key": "<key1>"},
    {"alg": "<alg2>", "key": "<key2>"},
    ...
]

Listing several signing methods lets you rotate the signing method or key without immediately invalidating tokens issued under the old one: tokens signed with either the old or the new entry stay valid until you remove the old entry. Each entry binds one algorithm to one key, so keep that binding strict; in particular, never put an RSA public key in the key field of an HS* entry, since anyone holding that public value could then mint tokens that pass HMAC verification.

For backward compatibility the following settings format is also valid: {"secret": "<key>"}, which is equivalent to the new format [{"alg": "HS256", "key": "<key>"}].
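
The rotation and the alg-per-key binding described above, exercised in code, as an added example that is not Janus's own implementation: a verifier that accepts both settings formats from this page, selects only the entries whose alg matches the token header, tries each of their keys, and applies the leeway to the time claims. It covers the HS* methods only, so it runs on the Python standard library; RS* would need an RSA library. The secrets, claims and timestamps are constructed for the scenario.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# HS* methods from the manual's list; RS* is left out so this runs on stdlib alone.
_HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def normalize_settings(settings) -> list:
    """Accept both formats from the manual: {"secret": k} equals [{"alg": "HS256", "key": k}]."""
    if isinstance(settings, dict) and "secret" in settings:
        return [{"alg": "HS256", "key": settings["secret"]}]
    return list(settings)


def sign_jwt(claims: dict, alg: str, key: str) -> str:
    """Mint a compact JWS; used here only to build tokens for the scenario."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    mac = hmac.new(key.encode(), signing_input.encode(), _HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_jwt(token: str, settings, leeway: int = 0, now: Optional[int] = None) -> dict:
    """The header's alg selects only entries configured with that same alg (an entry
    never lends its key to another algorithm); each selected key is tried; exp/nbf
    are checked with the leeway. Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in _HMAC_ALGS:
        raise ValueError(f"unsupported alg {alg!r}")   # rejects alg=none as well
    keys = [e["key"] for e in normalize_settings(settings) if e.get("alg") == alg]
    if not keys:
        raise ValueError(f"alg {alg!r} is not enabled in settings")
    signing_input = f"{header_b64}.{claims_b64}".encode()
    sig = _b64url_decode(sig_b64)
    if not any(hmac.compare_digest(hmac.new(k.encode(), signing_input, _HMAC_ALGS[alg]).digest(), sig)
               for k in keys):
        raise ValueError("signature does not match any configured key")
    claims = json.loads(_b64url_decode(claims_b64))
    if "exp" in claims and now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("token not yet valid")
    return claims


def accepts(token: str, settings, leeway: int = 0, now: Optional[int] = None) -> bool:
    try:
        verify_jwt(token, settings, leeway=leeway, now=now)
        return True
    except ValueError:
        return False


# Constructed rotation scenario: move from an HS256 key to an HS512 key.
OLD_SETTINGS = {"secret": "old-shared-secret"}                     # legacy format
ROTATED_SETTINGS = [{"alg": "HS256", "key": "old-shared-secret"},  # both entries valid
                    {"alg": "HS512", "key": "new-shared-secret"}]
FINAL_SETTINGS = [{"alg": "HS512", "key": "new-shared-secret"}]    # old entry removed


def rotation_demo(now: int = 1_700_000_000) -> dict:
    claims = {"sub": "example-client", "exp": now + 300}
    old_token = sign_jwt(claims, "HS256", "old-shared-secret")
    new_token = sign_jwt(claims, "HS512", "new-shared-secret")
    # alg=none carries an empty signature and must never be accepted.
    none_token = _b64url_encode(b'{"alg":"none"}') + "." + _b64url_encode(json.dumps(claims).encode()) + "."
    # Right key, wrong algorithm: HS256 is no longer enabled once rotation is finished.
    downgraded = sign_jwt(claims, "HS256", "new-shared-secret")
    expired = sign_jwt({"sub": "example-client", "exp": now - 10}, "HS512", "new-shared-secret")
    return {
        "old_token_before_rotation": accepts(old_token, OLD_SETTINGS, now=now),
        "old_token_during_rotation": accepts(old_token, ROTATED_SETTINGS, now=now),
        "new_token_during_rotation": accepts(new_token, ROTATED_SETTINGS, now=now),
        "old_token_after_rotation": accepts(old_token, FINAL_SETTINGS, now=now),
        "downgraded_alg_after_rotation": accepts(downgraded, FINAL_SETTINGS, now=now),
        "alg_none": accepts(none_token, ROTATED_SETTINGS, now=now),
        "expired_within_leeway": accepts(expired, FINAL_SETTINGS, leeway=30, now=now),
        "expired_beyond_leeway": accepts(expired, FINAL_SETTINGS, leeway=5, now=now),
    }


if __name__ == "__main__":
    for name, ok in rotation_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The scenario shows the intended lifecycle: publish the new entry alongside the old one, let the old tokens age out, then drop the old entry. Once it is gone, a token that still names HS256 is refused even when it was signed with the current key, which is the property that keeps a per-entry algorithm binding from being downgraded.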
