REST UI for OAuth 2.0 and OIDC (JSP-Loginapp migration)

This article gives an overview of the tasks necessary when migrating an OAuth 2.0/OIDC authorization server from the JSP Loginapp to the Loginapp REST UI.

Prerequisites

  • The AS-centric authorization server and the authorization code flow configuration must be completed.

Authentication Flow

Applications authenticating against an OAuth 2.0 authorization server require an Authentication Flow to replace the existing OAuth 2.0 AS Access Config.

Target Application

  1. Go to:
    Loginapp >> Authentication Flows >> Applications
  2. Create a new Target Application with:
    • an Airlock Gateway (WAF) Mapping Roles plugin in the Credentials property, to migrate the existing OAuth 2.0 AS Access Config.
    • an OAuth 2.0/OIDC ID Propagator plugin in the Identity Propagation property.
  3. Result: a target application with identity propagation has been created.

Authentication Flow

  1. Create an Authentication Flow plugin in the Target Application.
  2. Configure the following steps:
    • Start the Authentication Flow with a user-identifying step (e.g. the Username Password Authentication Step plugin).
      • Optionally add further authentication steps.
    • Configure the last authentication step to provide the tag authenticated on success.
      • Optionally add a skip condition on the authenticated tag so that existing sessions behave as they did in the JSP Loginapp.
    • Create an OAuth 2.0 Consent Step plugin after the authentication steps.
    • Create Tags and Conditions to migrate the existing Role Transformation Rules and Specific Access Policy of the OAuth 2.0 AS Access Config.
  3. Optionally create an Authorization Flow plugin in the Target Application:
    • Create Required Role Step and Terms of Service Step plugins to migrate the existing OAuth 2.0 AS Access Config.
  4. Result: the target application is configured with authentication and authorization flows.

It is possible to modify an existing authentication flow to be used for OAuth 2.0.

Please be aware that changing an existing flow may affect the authentication behavior of this application, especially when adding new tags and conditions.

Authorization Server

Loginapp REST UI

  1. Go to:
    Loginapp >> OAuth 2.0/OIDC Authorization Servers >> {{AS-Id}}
  2. Remove the OAuth 2.0 Legacy JSP Application UI plugin from the Application UI property.
    An empty Application UI property automatically uses the Loginapp REST UI.
  3. Result: the authorization server uses the Loginapp REST UI.

Authorization Server

  1. Go to:
    Loginapp >> OAuth 2.0/OIDC Authorization Servers >> {{AS-Id}} >> OAuth 2.0 Grants/OIDC Flows >> OIDC Authorization Code Flow
  2. In the section Flow Settings:
    • Configure the Flow Application ID. If left empty, the default target application is used.
    • Optionally configure ACR to Flow Application ID to migrate the existing OIDC ID Token ACR Value Mapping.
    • If remote consent is used, configure an OAuth 2.0 Custom Scopes Flow Settings plugin that allows all scopes in the Scope Flow Settings property. This plugin migrates the existing behavior and sends all scopes requested by the client to the remote consent server.
    • Optionally configure the Login Hint plugin to migrate the existing configuration, and remove the Login Hint configuration from the JSP Loginapp Settings section.
  3. In the section User Interface:
    • If remote consent is used, configure an OAuth 2.0 Remote Consent plugin in the Consent property.
    • Optionally adjust the Callback URL property to point to the new Loginapp REST UI (ui/app/auth/oauth2/consent/confirm).
    • Optionally configure an OAuth 2.0 Scope Translator to provide human-readable translations of scopes.
  4. Result: the authorization server uses the configured authentication flow and handles ACR, consents, and scopes.
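After the migration it is worth checking, from a client's point of view, that the OIDC Authorization Code Flow still behaves correctly: the browser is sent to the REST UI (the consent path named above), and the final redirect back to the client carries a code and the expected state. The following script is an added example and not Airlock code; the authorize endpoint, client ID and redirect URI are constructed placeholders, and only the consent path ui/app/auth/oauth2/consent/confirm comes from this article. It builds an authorization request with PKCE and optional acr_values/login_hint (the parameters the ACR mapping and Login Hint plugin act on), and validates the redirects it gets back.

```python
"""Post-migration checks for the OIDC Authorization Code Flow (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not values from a real Airlock IAM installation.
AUTHORIZE_ENDPOINT = "https://iam.example.com/oauth2/authorize"  # assumption: take from the AS metadata
CLIENT_ID = "migrated-client"                                    # assumption
REDIRECT_URI = "https://app.example.com/callback"                # assumption
# Consent confirmation path of the Loginapp REST UI, as named in the article.
REST_UI_CONSENT_PATH = "/ui/app/auth/oauth2/consent/confirm"


def pkce_challenge(verifier):
    """S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Fresh (verifier, challenge) pair; the verifier stays with the client until token exchange."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(scopes, state, challenge, acr_values=None, login_hint=None):
    """Authorization request for the OIDC Authorization Code Flow configured above."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if acr_values:
        params["acr_values"] = " ".join(acr_values)  # handled by the ACR to Flow Application ID mapping
    if login_hint:
        params["login_hint"] = login_hint             # handled by the Login Hint plugin
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def classify_redirect(location):
    """Where did the authorization server send the browser?"""
    url = urlparse(location)
    if location.startswith(REDIRECT_URI):
        return "client-callback"
    if url.path.endswith(REST_UI_CONSENT_PATH):
        return "rest-ui-consent"
    if "/ui/app/auth/" in url.path:
        return "rest-ui"
    return "other"


def extract_code(location, expected_state):
    """Validate the callback redirect and return the authorization code."""
    if classify_redirect(location) != "client-callback":
        raise ValueError("redirect does not target the registered redirect_uri")
    query = parse_qs(urlparse(location).query)
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(["openid", "profile"], state, challenge, acr_values=["mfa"]))
    # Constructed sample redirects, as a browser would see them after the AS answers.
    consent = "https://iam.example.com/ui/app/auth/oauth2/consent/confirm?flow=abc"
    print(classify_redirect(consent))
    callback = REDIRECT_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=" + state
    print(extract_code(callback, state))
```

Run the authorize URL in a browser with redirects disabled in the developer tools and feed each Location header to classify_redirect: a redirect to "other" after login indicates the legacy UI is still configured for this flow, and a state mismatch on the callback points at a stale or forged login attempt.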