OAuth 2.0
OAuth 2.0
1. Add your OAuth Server
The main feature of the API Gateway is to proxy the requests to a different service, so let's do this. Now that you are authenticated, you can send a request to /oauth/servers to create a proxy.
http -v POST localhost:8081/oauth/servers "Authorization:Bearer yourToken" "Content-Type: application/json" < examples/front-proxy-auth/auth/auth.json
curl -X "POST" localhost:8081/oauth/servers -H "Authorization:Bearer yourToken" -H "Content-Type: application/json" -d @examples/front-proxy-auth/auth/auth.json
2. Verify that your API has been added
You can use the REST API to query all available APIs and Auth Providers. Simply make a request to /oauth/servers.
http -v GET localhost:8081/oauth/servers "Authorization:Bearer yourToken" "Content-Type: application/json"
curl -X "GET" localhost:8081/oauth/servers -H "Authorization:Bearer yourToken" -H "Content-Type: application/json"
3. Forward your requests through Janus
Issue the following cURL request to verify that Janus is properly forwarding requests to your OAuth Server.
This request is an example of a simple client_credentials flow of OAuth 2.0, you can try any flow that you like.
http -v GET http://localhost:8080/auth/token?grant_type=client_credentials "Authorization: Basic YourBasicToken"
curl -X "GET" http://localhost:8080/auth/token?grant_type=client_credentials -H "Authorization: Basic YourBasicToken" -H "Content-Type: application/json"
Reference
Configuration | Description |
name | The unique name of your OAuth Server |
oauth_endpoints.authorize | Defines the proxy configuration for the |
oauth_endpoints.token | Defines the proxy configuration for the |
oauth_endpoints.introspection | Defines the proxy configuration for the |
oauth_endpoints.revoke | Defines the proxy configuration for the |
oauth_client_endpoints.create | Defines the proxy configuration for the |
oauth_client_endpoints.remove | Defines the proxy configuration for the |
allowed_access_types | The allowed access types for this oauth server |
allowed_authorize_types | The allowed authorize types for this oauth server |
auth_login_redirect | The auth login redirect URL |
secrets | A map of client_id: client_secret that allows you to authenticate only with the client_id |
token_strategy.name | The token strategy for this server. Could be |
token_strategy.settings | Token strategy settings, see bellow by strategy |
token_strategy.leeway | Token date fields validation leeway to solve clock skew problem |
Token Strategy Settings
jwt
jwtJWT token validation strategy performs token validation against signature and expiration date. Currently the following signature methods are supported:
HS256- HMAC with SHA256 hash (symmetric key)HS384- HMAC with SHA384 hash (symmetric key)HS512- HMAC with SHA512 hash (symmetric key)RS256- RSA with SHA256 hash (asymmetric key)RS384- RSA with SHA384 hash (asymmetric key)RS512- RSA with SHA512 hash (asymmetric key)
Settings structure has the following format:
List of signing methods allows signing method and keys rotation w/out immediate invalidation of the old one, so the tokens signed with old and new methods will be valid.
For backward compatibility the following settings format is also valid: {"secret": "<key>"} that is equal to the new format [{"alg": "HS256", "key", "<key>"}].
Last updated