# Set the client ID of your calling system
$client_id = "myid.mysystem"

# Generate a new GUID to use as the shared secret
$secret = (New-Guid).ToString()

# Hash the new GUID using SHA-256
$hasher = [System.Security.Cryptography.HashAlgorithm]::Create("sha256")
$hashOfSecret = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($secret))

# Convert the hashed secret to Base64
$clientSecret = [Convert]::ToBase64String($hashOfSecret)

# Combine the client ID and secret into a single Base64 authorization token
$both = "$client_id`:$secret"
$bytes = [System.Text.Encoding]::UTF8.GetBytes($both)
$combined =[Convert]::ToBase64String($bytes)

# Output the results
Write-Output ("`r`nThe shared secret is: `r`n`r`n$secret")
Write-Output ("`r`nAnd the hash of the shared secret in base64 is:`r`n`r`n$clientSecret" )
Write-Output ("`r`nStore this value in the ClientSecrets of the web.oauth2 appsettings file.")
Write-Output ("`r`nThe combined string of the client ID and the shared secret is:`r`n`r`n$both")
Write-Output ("`r`nAnd in base64 this is: `r`n`r`n$combined")
Write-Output ("`r`nUse this value to request an access token from the web service.")

# Wait for a keypress
Write-Host "`r`nPress any key to continue...`r`n" -ForegroundColor Yellow
[void][System.Console]::ReadKey($true)

PS C:\Intercede> .\secret.ps1

The shared secret is:

82564d6e-c4a6-4f64-a6d4-cac43781c67c

And the hash of the shared secret in base64 is:

kv31VP5z/oKS0QMMaIfZ2UrhmQOdgAPpXV/vaF1cymk=

Store this value in the ClientSecrets of the web.oauth2 appsettings file.

The combined string of the client ID and the shared secret is:

myid.mysystem:82564d6e-c4a6-4f64-a6d4-cac43781c67c

And in base64 this is:

bXlpZC5teXN5c3RlbTo4MjU2NGQ2ZS1jNGE2LTRmNjQtYTZkNC1jYWM0Mzc4MWM2N2M=

Use this value to request an access token from the web service.

Press any key to continue...

3.2.2 Configuring the authentication service

Once you have created a Base64 version of the hash of the shared secret, you can configure the web.oauth2 server.

First, create a custom client configuration file.

1. On the MyID web server, navigate to the CustomClients folder.

   By default, this is:

   C:\Program Files\Intercede\MyID\web.oauth2\CustomClients\

   If this folder does not already exist, create it.

2. In a text editor, create a .json file to contain your client configuration.

   You can use any filename with a .json extension; you are recommended to use the name you have provided for the client as the filename.

   You can create a custom .json file for each client that you want to add. You can include only one client in each file, but you can have multiple files if you need multiple clients. These clients are added to the Clients array from the appsettings.json file. You must use a unique ClientID; if you use the same ClientID in a custom file as an already existing client in the appsettings file, the information from the custom file completely replaces the information in the appsettings.json or appsettings.Production.json override file.

   The order of precedence is:

   • any .json file in the CustomClients folder.

   • appsettings.Production.json

   • appsettings.json

   Note: The appsettings.Production.json file overrides the appsettings.json file not by using the client ID, but by the index of the entry in the Clients array. For this reason, you are recommended not to use the appsettings.Production.json file to provide the details of custom clients, but to use separate files in the CustomClients folder instead.

For more information about custom configuration files, see section 11, Custom configuration files.

Now that you have a custom client configuration file, you can add your client details:

1. Edit the new file to include the following:

   Copy

   {
     "ClientId":"<my client ID>",
     "ClientName":"<my client name>",
     "AccessTokenLifetime":"<time>",
     "AllowedGrantTypes":[
       "client_credentials"
     ],
     "ClientSecrets":[
       {
         "Value":"<secret>"
       }
     ],
     "AllowedScopes":[
       "myid.rest.basic"
     ],
     "Properties":{
       "MyIDLogonName":"<my user account>"
     }
   }

   where:

   • <my client ID> – the client ID you decided on; for example:

     myid.mysystem

   • <my client name> – an easily readable name for your client system; for example:

     My External System

   • <time> – the time (in seconds) that the client credential is valid. The default is 3600 – 1 hour.

   • <secret> – the Base64-encoded SHA-256 hash of the secret you created; for example:

     kv31VP5z/oKS0QMMaIfZ2UrhmQOdgAPpXV/vaF1cymk=

   • <my user account> – the logon name of the user you created to run the API; for example:

     api.external

   For example:

   Copy

   {
     "ClientId":"myid.mysystem",
     "ClientName":"My External System",
     "AccessTokenLifetime":"3600",
     "AllowedGrantTypes":[
       "client_credentials"
     ],
     "ClientSecrets":[
       {
         "Value":"kv31VP5z/oKS0QMMaIfZ2UrhmQOdgAPpXV/vaF1cymk="
       }
     ],
     "AllowedScopes":[
       "myid.rest.basic"
     ],
     "Properties":{
       "MyIDLogonName":"api.external"
     }
   }

2. Save the configuration file.

3. Recycle the web service app pool:

   1. On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
   2. Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.

   This ensures that the web service has picked up the changes to the configuration file.

4. Check that the web.oauth2 server is still operational by logging on to the MyID Operator Client.

   Application setting JSON files are sensitive to such issues as comma placement; if the format of the file is not correct, the web service cannot load the file and will not operate, which may result in an error similar to:

   HTTP Error 500.30 - ANCM In-Process Start Failure

   See section 14, Troubleshooting for information on resolving problems that cause HTTP Error 500.30.