Authenticating to the MyID Core API

10.2 Authenticating to the MyID Core API

The MyID Core API (rest.core) requires authentication through the MyID web.oauth2 service.

You must configure the web.oauth2 service to add a new client to be used by your website, and configure it to allow end-user authentication.

10.2.1 Adding the API client

The sample API website uses a new client called myid.mywebsite – you must add this client to the configuration of the web.oauth2 service.

First, create a custom client configuration file.

On the MyID web server, navigate to the CustomClients folder.

By default, this is:

C:\Program Files\Intercede\MyID\web.oauth2\CustomClients\

If this folder does not already exist, create it.
In a text editor, create a .json file to contain your client configuration.

You can use any filename with a .json extension; you are recommended to use the name you have provided for the client as the filename.

You can create a custom .json file for each client that you want to add. You can include only one client in each file, but you can have multiple files if you need multiple clients. These clients are added to the Clients array from the appsettings.json file. You must use a unique ClientID; if you use the same ClientID in a custom file as an already existing client in the appsettings file, the information from the custom file completely replaces the information in the appsettings.json or appsettings.Production.json override file.

The order of precedence is:
- any .json file in the CustomClients folder.
- appsettings.Production.json
- appsettings.json
Note: The appsettings.Production.json file overrides the appsettings.json file not by using the client ID, but by the index of the entry in the Clients array. For this reason, you are recommended not to use the appsettings.Production.json file to provide the details of custom clients, but to use separate files in the CustomClients folder instead.

Now that you have a custom client configuration file, you can edit it to add your client details:

Copy

{
    "ClientId": "myid.mywebsite",
    "ClientName": "My Website",
    "AccessTokenLifetime": "3600",
    "AllowedGrantTypes": [
        "authorization_code"
    ],
    "RequireClientSecret": false,
    "RequirePkce": true,
    "AllowAccessTokensViaBrowser": true,
    "RequireConsent": false,
    "AllowedScopes": [
        "myid.rest.basic"
    ],
    "RedirectUris": [
        "<website URL>"
    ],
    "AllowedCorsOrigins": [
        "<website origin>"
    ]
}

Where:

<website URL> – the location of the website to which the authentication server will return the authorization code. In this single-page example, this is the same URL as you use to request the authorization code.

If you have multiple web pages on your website to which you want the authentication server to return an authorization code, you can add them to this array, separated by commas; for example:
Copy
```
"RedirectUris": [
  "http://127.0.0.1:5500/",
  "http://127.0.0.1:5500/page1.html",
  "http://127.0.0.1:5500/page2.html"
],
```
For this worked example, however, you keep reusing the same index.html file, so if you are using the Live Server extension for Visual Studio Code as your local web server, you can use:
Copy
```
"RedirectUris": [
  "http://127.0.0.1:5500/"
],
```
<website origin> – used for Cross-Origin Resource Sharing (CORS). If the web page that calls the authentication service is on a different web server from the authentication service, you must add the origin to this list.

Note: Make sure you use an origin, and not an URL, when configuring CORS. For example: https://myserver/ is an URL, while https://myserver is an origin – there is no trailing slash on an origin.

For this worked example, if you are using the Live Server extension for Visual Studio Code as your local web server, you can use:
Copy
```
"AllowedCorsOrigins": [
    "http://127.0.0.1:5500"
]
```

For example, assuming you are using the Live Server extension for Visual Studio Code, the <website URL> and <website origin> are as follows:

Copy

{
  "ClientId":"myid.mywebsite",
  "ClientName":"My Website",
  "AccessTokenLifetime":"3600",
  "AllowedGrantTypes":[
    "authorization_code"
  ],
  "RequireClientSecret":false,
  "RequirePkce":true,
  "AllowAccessTokensViaBrowser":true,
  "RequireConsent":false,
  "AllowedScopes":[
    "myid.rest.basic"
  ],
  "RedirectUris":[
    "http://127.0.0.1:5500/"
  ],
  "AllowedCorsOrigins":[
    "http://127.0.0.1:5500"
  ]
}

10.2.2 Configuring the MyID Core API for CORS

In the configuration for the web.oauth2 web service, you added the origin of your sample website to the AllowedCorsOrigins setting. You must also configure the rest.core service to allow the same origin.

In a text editor, open the appsettings.Production.json file for the rest.core service.

By default, this is:

C:\Program Files\Intercede\MyID\rest.core\appsettings.Production.json

This file is the override configuration file for the appsettings.json file for the web service. If this file does not already exist, you must create it in the same folder as the appsettings.json file, and include the following:

Copy

{
  "MyID":{
    "Cors":{
      "AllowedOrigins":[
        "<website origin>"
      ]
    }
  }
}

where:

<website origin> is the server from which you are going to call the API. You can add multiple origins if necessary.

Note: Make sure you use an origin, and not an URL, when configuring CORS. For example: https://myserver/ is an URL, while https://myserver is an origin – there is no trailing slash on an origin.

If the appsettings.Production.json file already exists, add the above to the Cors:AllowedOrigins section of the file.

For example:

Copy

{
  "MyID":{
    "Cors":{
      "AllowedOrigins":[
        "http://127.0.0.1:5500"
      ]
    }
  }
}

10.2.3 Refreshing the web server settings

Once you have made your changes to the web.oath2 and rest.core server settings, you must refresh the application pools to ensure that all the systems are using the latest settings.

To refresh the server settings:

Recycle the web service app pools:
1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
2. Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.
3. Right-click the myid.rest.core.pool application pool, then from the pop-up menu click Recycle.
This ensures that the web services have picked up the changes to the configuration file.
Check that the web.oauth2 and rest.core servers are still operational by logging on to the MyID Operator Client.

Application setting JSON files are sensitive to such issues as comma placement; if the format of the file is not correct, the web service cannot load the file and will not operate, which may result in an error similar to:

HTTP Error 500.30 - ANCM In-Process Start Failure