OAuth2 – CMiC Configuration

Note This article is still under construction. More information will be provided in the upcoming weeks.

Overview

CMiC OAuth2 support is based on JWT access tokens. The key details of the token issuer (application ID, issuer URI, jwks_uri) are registered in CMiC, and every incoming token is validated against those registered details before the request is accepted.

The access token is passed in the Authorization header as Bearer {access token}.

Note Enabling OAuth2 switches the whole environment over to it, so we suggest creating a separate environment for OAuth2 rather than modifying the existing one.

Requirements

  1. Register the application in Azure, or use an existing registration that will issue the JWT access tokens.

  2. Gather the following three pieces of information:

    1. Application (client) ID

      1. This is the unique identifier for the registered application.

      2. Review How to Get Application ID.

    2. Token Issuer

      1. The issuer that will generate your JWT access token. The iss claim of each token is checked against this value.

      2. ex. https://sts.windows.net/{azure_tenant_id}/

        • Replace {azure_tenant_id} with the tenant of the application.

      3. Can be found as the issuer value in the openid-configuration document.

      4. Review How to Get Issuer and jwks_uri.

    3. jwks_uri (JSON Web Key Set)

      1. The URI of the key set holding the public keys used to verify the signature of the JWT access token.

      2. Can be found as the jwks_uri value in the openid-configuration document.

      3. Review How to Get Issuer and jwks_uri.

Information Inserted into CMiC

The following information needs to be inserted into CMiC:

insert into da.sdapi_app_registration_tn t
(APIIA_APPLICATION_ID, APIIA_ISSUER_URI, APIIA_JWKS_URI)
values
('{application id}', '{issuer_uri}', '{jwks_uri}');
-- commit so the registration is visible to the application
commit;

Example

insert into da.sdapi_app_registration_tn t
(APIIA_APPLICATION_ID, APIIA_ISSUER_URI, APIIA_JWKS_URI)
values
('12345', 'https://sts.windows.net/{tenant_id}/', 'https://login.windows.net/common/discovery/keys');
commit;

List of CMiC App Properties

The following describes the cmicapp.properties entries for OAuth2 and what they're used for.

cmic.oauth2.ipcheck.enabled

Enables or disables the IP check. Enabled by default.

cmic.oauth2.remove.domainFromUser

Strips the given domain from the user identity taken from the token. For example, if the property value is cmic.ca, the @cmic.ca suffix is removed from values such as jdoe@cmic.ca and only the username portion (jdoe) is passed as the CMiC user.

cmic.oauth2.user.claim.name

The name of the token claim whose value is used as the CMiC username.
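The following is an added example, not CMiC's own code, that models the validation the Requirements section implies (signature against the key set at jwks_uri, iss against the registered issuer URI, aud against the registered application ID, token lifetime) and then applies the two user-mapping properties above. The registration values are the article's own example values; the property values, the claim name upn, the JWKS document and the token itself are constructed for the demo. Azure publishes RSA keys, so a real deployment verifies RS256; an HMAC ("oct") JWK is used here so the script runs with the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# The three values the article registers in CMiC (its example values).
REGISTRATION = {
    "application_id": "12345",
    "issuer_uri": "https://sts.windows.net/{tenant_id}/",
    "jwks_uri": "https://login.windows.net/common/discovery/keys",
}

# cmicapp.properties entries as assumed values; "upn" is an assumed claim name.
PROPERTIES = {
    "cmic.oauth2.remove.domainFromUser": "cmic.ca",
    "cmic.oauth2.user.claim.name": "upn",
}

# Constructed key set standing in for the document served at jwks_uri. Azure
# publishes RSA public keys ("kty": "RSA"); an HMAC key ("kty": "oct") is used
# here so the example runs with the standard library alone.
SECRET = b"constructed-demo-secret-do-not-reuse"
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
                  "k": b64url_encode(SECRET)}]}

def make_token(claims, kid="demo-key-1", key=SECRET):
    """Mint an HS256 JWT; stands in for the Azure token issuer in this demo."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

class TokenRejected(Exception):
    pass

def validate_bearer(authorization_header, registration, jwks, properties, now=None):
    """Check 'Authorization: Bearer <jwt>' against the registered app details
    and return the CMiC username taken from the configured claim."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise TokenRejected("missing Bearer token")
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:
        raise TokenRejected("malformed JWT")
    # 1. Signature: pick the key by kid from the jwks_uri key set and pin the
    #    algorithm to the key type; never trust the token's own alg claim.
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct" or header.get("alg") != "HS256":
        raise TokenRejected("unknown key or unsupported alg")
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise TokenRejected("bad signature")
    # 2. Issuer must equal the registered APIIA_ISSUER_URI exactly.
    if claims.get("iss") != registration["issuer_uri"]:
        raise TokenRejected("issuer not registered")
    # 3. Audience must name the registered application (client) ID.
    aud = claims.get("aud")
    if not (aud == registration["application_id"]
            or (isinstance(aud, list) and registration["application_id"] in aud)):
        raise TokenRejected("audience mismatch")
    # 4. Lifetime: exp and nbf are seconds since the epoch.
    if claims.get("exp", 0) <= now or claims.get("nbf", 0) > now:
        raise TokenRejected("token not valid at this time")
    # 5. User mapping: configured claim, with the configured domain stripped.
    user = claims.get(properties["cmic.oauth2.user.claim.name"])
    if not user:
        raise TokenRejected("user claim missing")
    domain = properties.get("cmic.oauth2.remove.domainFromUser")
    if domain and user.lower().endswith("@" + domain.lower()):
        user = user[:-(len(domain) + 1)]
    return user

def check(authorization_header, now):
    """Wrapper returning ('ok', username) or ('rejected', reason)."""
    try:
        return ("ok", validate_bearer(authorization_header, REGISTRATION, JWKS, PROPERTIES, now))
    except TokenRejected as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    now = 1_700_000_000
    token = make_token({"iss": REGISTRATION["issuer_uri"], "aud": "12345",
                        "exp": now + 3600, "upn": "jdoe@cmic.ca"})
    print(check("Bearer " + token, now))
```

Run the script and it prints ('ok', 'jdoe'): the token's iss and aud match the registered issuer URI and application ID, the signature verifies against the kid found in the key set, and the upn claim jdoe@cmic.ca is reduced to jdoe by the domain-stripping property. Swapping the issuer, the audience, the signing key or the kid makes check() return the matching rejection reason, which is the behaviour to expect from CMiC when the registered details do not match the token presented.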