# OAuth 2.0

### 1. Add your OAuth Server

The main feature of the API Gateway is to proxy requests to another service, so let's do exactly that. Now that you are authenticated against the admin API, send a request to `/oauth/servers` to register your OAuth Server; Janus will then proxy the OAuth endpoints defined in that configuration.

```bash
# httpie
http -v POST localhost:8081/oauth/servers "Authorization:Bearer yourToken" "Content-Type: application/json" < examples/front-proxy-auth/auth/auth.json

# curl
curl -X "POST" localhost:8081/oauth/servers -H "Authorization:Bearer yourToken" -H "Content-Type: application/json" -d @examples/front-proxy-auth/auth/auth.json
```

### 2. Verify that your OAuth Server has been added

You can use the REST API to query the registered OAuth Servers. Simply make a `GET` request to `/oauth/servers` and check that the server you just created is in the list.

```bash
# httpie
http -v GET localhost:8081/oauth/servers "Authorization:Bearer yourToken" "Content-Type: application/json"

# curl
curl -X "GET" localhost:8081/oauth/servers -H "Authorization:Bearer yourToken" -H "Content-Type: application/json"
```

### 3. Forward your requests through Janus

Issue the following request to verify that Janus is properly forwarding requests to your OAuth Server. Note that it goes to the proxy listener (`8080`), not to the admin API (`8081`), and that the path must match whatever your `oauth_endpoints.token` proxy configuration listens on.

This request is an example of a simple `client_credentials` flow of [OAuth 2.0](https://motivlabs.gitbook.io/janus/auth/oauth); you can try any flow your OAuth Server supports. The `Basic` credential is the base64 encoding of `client_id:client_secret`. RFC 6749 requires clients to call the token endpoint with `POST`, so the `GET` shown here only works if your OAuth Server accepts it; adjust the method to match your server.

```bash
# httpie
http -v GET "http://localhost:8080/auth/token?grant_type=client_credentials" "Authorization: Basic YourBasicToken"

# curl
curl -X "GET" "http://localhost:8080/auth/token?grant_type=client_credentials" -H "Authorization: Basic YourBasicToken" -H "Content-Type: application/json"
```

## Reference

| Configuration                   | Description                                                                                                                                                                |
| ------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| name                            | The unique name of your OAuth Server                                                                                                                                       |
| oauth\_endpoints.authorize      | Defines the [proxy configuration](https://github.com/motiv-labs/janus/tree/2470815283dbbce92900fce0c175b6fb9fc0574f/docs/config/proxy.md) for the `authorize` endpoint     |
| oauth\_endpoints.token          | Defines the [proxy configuration](https://github.com/motiv-labs/janus/tree/2470815283dbbce92900fce0c175b6fb9fc0574f/docs/config/proxy.md) for the `token` endpoint         |
| oauth\_endpoints.introspection  | Defines the [proxy configuration](https://github.com/motiv-labs/janus/tree/2470815283dbbce92900fce0c175b6fb9fc0574f/docs/config/proxy.md) for the `introspection` endpoint |
| oauth\_endpoints.revoke         | Defines the [proxy configuration](https://github.com/motiv-labs/janus/tree/2470815283dbbce92900fce0c175b6fb9fc0574f/docs/config/proxy.md) for the `revoke` endpoint        |
| oauth\_client\_endpoints.create | Defines the [proxy configuration](https://github.com/motiv-labs/janus/tree/2470815283dbbce92900fce0c175b6fb9fc0574f/docs/config/proxy.md) for the `create` client endpoint |
| oauth\_client\_endpoints.remove | Defines the [proxy configuration](https://github.com/motiv-labs/janus/tree/2470815283dbbce92900fce0c175b6fb9fc0574f/docs/config/proxy.md) for the `remove` client endpoint |
| allowed\_access\_types          | The allowed access (grant) types for this OAuth Server, for example `client_credentials`                                                                                  |
| allowed\_authorize\_types       | The allowed authorize (response) types for this OAuth Server, for example `code` or `token`                                                                               |
| auth\_login\_redirect           | The URL to redirect to for login during the authorization flow                                                                                                            |
| secrets                         | A map of `client_id` to `client_secret`. A client listed here can authenticate with only its `client_id`; the gateway supplies the secret. Because these secrets live in the gateway configuration, restrict access to the admin API (`8081`) and its backing store accordingly |
| token\_strategy.name            | The token strategy for this server. Can be `introspection` or `jwt`                                                                                                       |
| token\_strategy.settings        | Strategy-specific settings; see below, per strategy                                                                                                                       |
| token\_strategy.leeway          | Leeway applied when validating the token's time-based claims (such as `exp`), to tolerate clock skew between the token issuer and the gateway                            |

### Token Strategy Settings

#### `jwt`

The JWT token validation strategy checks the token's signature and its expiration date. The following signature methods are currently supported (the unsigned `none` algorithm is not among them and must never be accepted):

* `HS256` - HMAC with SHA256 hash (symmetric key)
* `HS384` - HMAC with SHA384 hash (symmetric key)
* `HS512` - HMAC with SHA512 hash (symmetric key)
* `RS256` - RSA with SHA256 hash (asymmetric key)
* `RS384` - RSA with SHA384 hash (asymmetric key)
* `RS512` - RSA with SHA512 hash (asymmetric key)

Settings structure has the following format:

```javascript
[
    {"alg": "<alg1>", "key": "<key1>"},
    {"alg": "<alg2>", "key": "<key2>"},
    ...
]
```

Because the settings are a list, you can rotate the signing method and keys without immediately invalidating the old one: tokens signed with either the old or the new key remain valid. An old key stays trusted for as long as it is listed, so remove it once every token it signed has expired. Keep the `alg`/key pairing strict: a key meant for an `RS*` algorithm must only ever be listed under that algorithm, because a verifier that used an RSA public key as an HMAC secret would accept tokens forged with `HS*` over the public key bytes (the classic algorithm-confusion attack).

For backward compatibility the following settings format is also valid: `{"secret": "<key>"}`, which is equivalent to the new format `[{"alg": "HS256", "key": "<key>"}]`.
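The following is an added example and not Janus's own code or configuration: a small verifier that applies a settings list the way the `jwt` strategy is described above. It tries a key only under the `alg` it was configured with, accepts both the old and the new key during a rotation, honours a `leeway` like `token_strategy.leeway`, reads the legacy `{"secret": "<key>"}` form, and shows why the binding matters by rejecting an `alg: none` token and an `HS256` token keyed with an `RS256` entry's public key. Only the HMAC family is implemented with the standard library (`RS*` would need an RSA library); the function names, the sample settings, the placeholder PEM and the tokens are all constructed for this example.

```python
"""Added example (not Janus code): how a jwt token strategy configured with a
list of {"alg": ..., "key": ...} entries validates tokens. Only the HMAC family
(HS256/HS384/HS512) is implemented, with the standard library; RS* needs an RSA
library and is left out, but the alg-to-key binding and leeway logic are the same."""
import base64
import hashlib
import hmac
import json
import time

HMAC_HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def parse_settings(raw):
    """Accept the list form and the legacy {"secret": "<key>"} form."""
    settings = json.loads(raw)
    if isinstance(settings, dict) and "secret" in settings:
        return [{"alg": "HS256", "key": settings["secret"]}]
    if not isinstance(settings, list) or not all(
        isinstance(s, dict) and "alg" in s and "key" in s for s in settings
    ):
        raise ValueError("settings must be a list of {alg, key} objects")
    return settings


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign(alg, key, claims):
    """Build an HS* token for the demo. alg "none" yields the unsigned token an
    attacker would submit; verify() must reject it."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    mac = hmac.new(key.encode(), f"{header}.{payload}".encode(), HMAC_HASHES[alg]).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify(token, settings, leeway=0, now=None):
    """Return the claims if a key configured for the token's own alg signed it and
    exp holds within leeway; raise ValueError otherwise. A key is only tried under
    the alg it was configured with, so "none" and HS256-over-an-RS256-public-key
    forgeries are rejected before any cryptography runs."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise ValueError("malformed token")
    alg = header.get("alg") if isinstance(header, dict) else None
    candidates = [s for s in settings if s["alg"] == alg]
    if not candidates:
        raise ValueError(f"no key configured for alg {alg!r}")
    if alg not in HMAC_HASHES:
        raise NotImplementedError(f"{alg} verification is not implemented in this example")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = _b64url_decode(sig_b64)
    # Every key listed for this alg is tried, so old and new keys both work during
    # a rotation; the comparison is constant-time for each candidate.
    if not any(
        hmac.compare_digest(hmac.new(s["key"].encode(), signing_input, HMAC_HASHES[alg]).digest(), sig)
        for s in candidates
    ):
        raise ValueError("signature matches no configured key")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    now = time.time() if now is None else now
    # Leeway absorbs clock skew between the token issuer and the gateway.
    if "exp" in claims and now > claims["exp"] + leeway:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # Constructed configuration: an RS256 key is being introduced while the old
    # HMAC secret stays listed, so tokens issued before the rotation remain valid.
    # The PEM is a placeholder, since RS* tokens are not verified by this example.
    settings = parse_settings(json.dumps([
        {"alg": "RS256", "key": "PLACEHOLDER-RSA-PUBLIC-KEY-PEM"},
        {"alg": "HS256", "key": "old-shared-secret"},
    ]))
    now = 1_700_000_000
    print(verify(sign("HS256", "old-shared-secret", {"sub": "client-a", "exp": now + 300}), settings, now=now))
    for label, token in [
        ("alg none", sign("none", "", {"sub": "client-a"})),
        ("HS256 keyed with the RS256 public key", sign("HS256", settings[0]["key"], {"sub": "client-a"})),
        ("expired by 30 s, no leeway", sign("HS256", "old-shared-secret", {"sub": "client-a", "exp": now - 30})),
    ]:
        try:
            verify(token, settings, now=now)
        except ValueError as err:
            print(f"rejected ({label}): {err}")
```

The one design decision that matters is the `candidates` filter: the verifier never decides which algorithm to run from the token header alone, it only ever runs the algorithm a key was configured for. That is what makes a mixed list of `RS*` and `HS*` entries safe, and it is the property to check in any verifier you deploy behind the `jwt` strategy.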
