3.2 Configuring web.oauth2 for server-to-server authentication
The MyID authentication web service is called web.oauth2; you must configure this web service to allow access to the API. For server-to-server authentication, you do this using a client credential grant, which you request using a shared secret.
Note: Before you begin, you must decide on a client ID for your external system; for example, myid.mysystem. This represents your back-end system that intends to make calls to the MyID Core API.
3.2.1 Creating a shared secret
Important: You must keep the shared secret safe. This information can be used to grant authorization to the API, so must be an unguessable value; for this reason, you are recommended to generate a GUID for the shared secret.
To create a shared secret:
-
Generate a GUID to use as the secret.
For example:
82564d6e-c4a6-4f64-a6d4-cac43781c67c
-
Create a hash of this GUID using SHA-256, and convert it to Base64.
For example:
kv31VP5z/oKS0QMMaIfZ2UrhmQOdgAPpXV/vaF1cymk=
You need this value for the web.oauth2 server. The server does not store the secret, only the hash.
Important: Do not use this example secret in your own system.
-
Combine your client ID, a colon, and the GUID secret:
For example:
myid.mysystem:82564d6e-c4a6-4f64-a6d4-cac43781c67c
-
Convert this string to Base64.
For example:
bXlpZC5teXN5c3RlbTo4MjU2NGQ2ZS1jNGE2LTRmNjQtYTZkNC1jYWM0Mzc4MWM2N2M=
This is the value you will send in the Authorization header for HTTP basic authentication when requesting the access token; alternatively, you can pass the client ID and the shared secret separately in the body as client_id and client_secret parameters.
3.2.1.1 Example
The following PowerShell example script shows the process for generating a shared secret and creating the hash and Base64 versions you need to configure the web.oauth2 server and request an access token.
# Set the client ID of your calling system
$client_id = "myid.mysystem"
# Generate a new GUID to use as the shared secret
$secret = (New-Guid).ToString()
# Hash the new GUID using SHA-256
$hasher = [System.Security.Cryptography.HashAlgorithm]::Create("sha256")
$hashOfSecret = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($secret))
# Convert the hashed secret to Base64
$clientSecret = [Convert]::ToBase64String($hashOfSecret)
# Combine the client ID and secret into a single Base64 authorization token
$both = "$client_id`:$secret"
$bytes = [System.Text.Encoding]::UTF8.GetBytes($both)
$combined =[Convert]::ToBase64String($bytes)
# Output the results
Write-Output ("`r`nThe shared secret is: `r`n`r`n$secret")
Write-Output ("`r`nAnd the hash of the shared secret in base64 is:`r`n`r`n$clientSecret" )
Write-Output ("`r`nStore this value in the ClientSecrets of the web.oauth2 appsettings file.")
Write-Output ("`r`nThe combined string of the client ID and the shared secret is:`r`n`r`n$both")
Write-Output ("`r`nAnd in base64 this is: `r`n`r`n$combined")
Write-Output ("`r`nUse this value to request an access token from the web service.")
# Wait for a keypress
Write-Host "`r`nPress any key to continue...`r`n" -ForegroundColor Yellow
[void][System.Console]::ReadKey($true)Example output:
PS C:\Intercede> .\secret.ps1
The shared secret is:
82564d6e-c4a6-4f64-a6d4-cac43781c67c
And the hash of the shared secret in base64 is:
kv31VP5z/oKS0QMMaIfZ2UrhmQOdgAPpXV/vaF1cymk=
Store this value in the ClientSecrets of the web.oauth2 appsettings file.
The combined string of the client ID and the shared secret is:
myid.mysystem:82564d6e-c4a6-4f64-a6d4-cac43781c67c
And in base64 this is:
bXlpZC5teXN5c3RlbTo4MjU2NGQ2ZS1jNGE2LTRmNjQtYTZkNC1jYWM0Mzc4MWM2N2M=
Use this value to request an access token from the web service.
Press any key to continue...3.2.2 Configuring the authentication service
Once you have created a Base64 version of the hash of the shared secret, you can configure the web.oauth2 server.
-
In a text editor, open the appsettings.Production.json file for the web service.
By default, this is:
C:\Program Files\Intercede\MyID\web.oauth2\appsettings.Production.json
This file is the override configuration file for the appsettings.json file for the web service. If this file does not already exist, you must create it in the same folder as the appsettings.json file.
-
Edit the file to include the following:
Copy{
"Clients": [
{
"ClientId": "<my client ID>",
"ClientName": "<my client name>",
"AccessTokenLifetime": <time>,
"AllowedGrantTypes": [
"client_credentials"
],
"ClientSecrets": [
{
"Value": "<secret>"
}
],
"AllowedScopes": [
"myid.rest.basic"
],
"Properties": {
"MyIDLogonName": "<my user account>"
}
}
]
}where:
-
<my client ID> – the client ID you decided on; for example:
myid.mysystem
-
<my client name> – an easily readable name for your client system; for example:
My External System
-
<time> – the time (in seconds) that the client credential is valid. The default is 3600 – 1 hour.
-
<secret> – the Base64-encoded SHA-256 hash of the secret you created; for example:
kv31VP5z/oKS0QMMaIfZ2UrhmQOdgAPpXV/vaF1cymk=
-
<my user account> – the logon name of the user you created to run the API; for example:
api.external
For example:
Copy{
"Clients": [
{
"ClientId": "myid.mysystem",
"ClientName": "My External System",
"AccessTokenLifetime": 3600,
"AllowedGrantTypes": [
"client_credentials"
],
"ClientSecrets": [
{
"Value": "kv31VP5z/oKS0QMMaIfZ2UrhmQOdgAPpXV/vaF1cymk="
}
],
"AllowedScopes": [
"myid.rest.basic"
],
"Properties": {
"MyIDLogonName": "api.external"
}
}
]
}If you already have an appsettings.Production.json file, back up the existing file, then incorporate the new client section above into the file.
Important: If you have clients in the appsettings.json file and the appsettings.Production.json file, make sure the production file does not overwrite the entries in the base file. In these settings files, entries in arrays are determined by their index; therefore if you have four existing entries in the appsettings.json file, you must include four blank array entries {}, in the appsettings.Production.json file before you include your new client details. Alternatively, you can include the entire Clients array in the appsettings.Production.json file.
-
-
Save the configuration file.
-
Recycle the web service app pool:
- On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
- Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.
This ensures that the web service has picked up the changes to the configuration file.
-
Check that the web.oauth2 server is still operational by logging on to the MyID Operator Client.
Application setting JSON files are sensitive to such issues as comma placement; if the format of the file is not correct, the web service cannot load the file and will not operate, which may result in an error similar to:
HTTP Error 500.30 - ANCM In-Process Start Failure
See section 7, Troubleshooting for information on resolving problems that cause HTTP Error 500.30.