OAuth DSAPI Extension
The OAuth DSAPI Extension allows the Domino server to consume OAuth2 access tokens generated by the IAM service. The OAuth DSAPI extension communicates with the IAM service via OAuth2 Introspection Protocol to determine the user identity and level of authority represented by an access token.
NOTE: As of version 1.0.2 of the Domino AppDev Pack, the OAuth DSAPI extension is an optional component. If your IAM service instance will never be used to introspect an access token for a Domino Access Services (DAS) request, there is no need to configure the OAuth DSAPI extension.
Configuration Overview
The introspection requests from the Domino server are authenticated by the IAM service and therefore require credentials that identify the Domino server (the Resource Provider ID and Secret created below). The communication link is secured by Transport Layer Security (TLS) and requires a certificate, or certificate chain, that lets the Domino server verify the IAM service's certificate.
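The following model of the introspection exchange is an added illustration, not code from the Domino AppDev Pack or the IAM service. It assumes the IAM service follows the OAuth2 Token Introspection protocol (RFC 7662): the resource provider authenticates with HTTP Basic credentials (its Resource Provider ID and Secret), posts the token, and receives a JSON reply with the standard fields `active`, `sub`, `scope`, `exp` and `nbf`. The resource provider values, the IAM host name and the sample replies are all constructed placeholders; the exact field names the real IAM service returns are not given on this page.

```python
"""Model of the OAuth2 token introspection exchange (RFC 7662) as performed by a
resource provider such as the OAuth DSAPI filter.  Added example; all values are
constructed placeholders, not output of the IAM service."""
import base64
import json
import time
from urllib.parse import urlencode

# Constructed stand-ins for the values the IAM dashboard shows when a
# Resource Provider is created (hypothetical, not real credentials).
RESOURCE_PROVIDER_ID = "domino-server-01"
RESOURCE_PROVIDER_SECRET = "example-secret-not-real"
INTROSPECTION_URL = "https://iam.example.invalid/token/introspection"  # placeholder host


def build_introspection_request(access_token):
    """Return the HTTP request the resource provider sends to the IAM service.

    The resource provider proves its own identity with HTTP Basic auth; the
    access token under inspection travels only in the form body, never in the URL.
    """
    creds = f"{RESOURCE_PROVIDER_ID}:{RESOURCE_PROVIDER_SECRET}".encode()
    return {
        "method": "POST",
        "url": INTROSPECTION_URL,
        "headers": {
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": urlencode({"token": access_token, "token_type_hint": "access_token"}),
    }


def evaluate_introspection_response(body, required_scope, now=None):
    """Decide whether a request may proceed, given the IAM service's JSON reply.

    Returns {"authorized": bool, "user": str|None, "reason": str}.  Every
    rejection path is explicit so the decision can be traced when tracing is on.
    """
    now = time.time() if now is None else now
    try:
        info = json.loads(body)
    except ValueError:
        return {"authorized": False, "user": None, "reason": "malformed introspection response"}
    if info.get("active") is not True:
        # RFC 7662: an inactive token yields {"active": false}; no other field may be trusted.
        return {"authorized": False, "user": None, "reason": "token inactive"}
    if "exp" in info and now >= info["exp"]:
        return {"authorized": False, "user": None, "reason": "token expired"}
    if "nbf" in info and now < info["nbf"]:
        return {"authorized": False, "user": None, "reason": "token not yet valid"}
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        return {"authorized": False, "user": info.get("sub"), "reason": f"missing scope {required_scope}"}
    if not info.get("sub"):
        return {"authorized": False, "user": None, "reason": "no subject in response"}
    return {"authorized": True, "user": info["sub"], "reason": "ok"}


# Constructed sample replies; "now" is fixed so the outcome is deterministic.
NOW = 1000
SAMPLE_RESPONSES = {
    "valid": '{"active": true, "sub": "CN=Jane Doe/O=Example", "scope": "calendar freebusy", "exp": 2000, "nbf": 500}',
    "inactive": '{"active": false}',
    "expired": '{"active": true, "sub": "CN=Jane Doe/O=Example", "scope": "calendar", "exp": 900}',
    "garbage": 'not json',
}


def run_samples(required_scope="calendar"):
    """Evaluate each constructed reply; returns {name: reason}."""
    return {name: evaluate_introspection_response(body, required_scope, now=NOW)["reason"]
            for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    print(json.dumps(build_introspection_request("opaque-access-token"), indent=2))
    for name, reason in run_samples().items():
        print(f"{name:9s} -> {reason}")
```

The order of checks matters: `active` is tested first because RFC 7662 allows an inactive reply to carry nothing else, and the subject is only trusted once the token is active, in its validity window, and carries the scope the request needs.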
Prerequisites
Configure the credential store on the Domino server using this guide: Configuring the Domino Credential Store.
You will need the hostname of the IAM service or proxy in front of the service.
Configuration Steps - Linux
Go to the IAM Management Dashboard, click Manage Applications and create a "Resource Provider". This identifies the Domino Server as a resource provider to the IAM service and provides credentials that allow the Domino server to introspect access tokens. After clicking "Create":
- Resource Provider Name: Name of the Domino server acting as the resource provider. This value is for display only.
- Resource Provider Description: Descriptive text for the server.
- Click Save. You are shown the Resource Provider ID and Resource Provider Secret. (You can come back to these if needed.)
Running as root, unzip the oauth-dsapi-<version>.tgz file to the Domino program directory and execute the setup script:

```sh
sudo sh -c '(cd /opt/ibm/domino/notes/latest/linux/; tar -xvf oauth-dsapi-<version>.tgz; sh -x setup_dsapi.sh)'
```
Add the credentials to the Domino credential store:

```sh
cd /local/notesdata
/opt/ibm/domino/bin/tools/startup /opt/ibm/domino/notes/latest/linux/oauthcfg create <name> <resource provider ID> <resource provider secret> <https://<domino-iam-service host>/token/introspection>
```
See Introspection Credentials for more details on managing introspection credentials.
Verify that a certificate or certificate chain is stored on the server. This is required for the Domino server to connect to the IAM service using TLS. This should be a PEM formatted certificate or certificate chain that allows the Domino server to verify the authenticity of the IAM service certificate. While this file can be anywhere on the server file system, the suggested location is the notes data directory or subdirectory.
Set the following value in notes.ini:

```ini
OAUTH2_DSAPI_KEYRING=<path to certificate or certificate bundle>
```
Open the Domino directory for the server and locate the server document.
Select the "Internet Protocols" tab and click "Edit Server".
On the HTTP tab, add oauth-dsapi to "DSAPI filter file names".
Save the server document.
Enable the Calendar and Freebusy REST APIs.
On the Domino server console, type:

```
restart task http
```

You should see:

```
HTTP Server: DSAPI OAuth DSAPI Filter version <version> Loaded successfully
```
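Before restarting HTTP, it is worth confirming that the OAUTH2_DSAPI_KEYRING setting actually points at a PEM certificate bundle, since the filter cannot establish a trusted TLS link to the IAM service without it. The pre-flight check below is an added example for both the Linux and Windows procedures; it is not part of the Domino AppDev Pack. It parses a notes.ini, resolves the keyring path (assuming a relative path is relative to the directory holding notes.ini), and checks that the file holds at least one well-formed PEM certificate block. It validates PEM framing only; whether the bundle actually chains to the IAM service certificate can only be proven by a live TLS connection. The notes.ini and PEM contents used in `demo()` are constructed placeholders, not real certificates.

```python
"""Pre-flight check for the OAUTH2_DSAPI_KEYRING setting.  Added example,
not part of the Domino AppDev Pack; the demo data is constructed."""
import base64
import os
import re
import ssl
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def read_notes_ini(path):
    """Parse notes.ini into {UPPERCASE_KEY: value}.

    notes.ini is a flat KEY=VALUE file, normally headed by a [Notes] section
    line; blank lines, section lines and ';' comments are skipped.
    """
    settings = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("[") or line.startswith(";"):
                continue
            key, sep, value = line.partition("=")
            if sep:
                settings[key.strip().upper()] = value.strip()
    return settings


def count_pem_certs(path):
    """Return the number of PEM certificate blocks in the file.

    Each block is handed to ssl.PEM_cert_to_DER_cert, which rejects broken
    framing or bad base64.  This is a syntax check only: it does not prove the
    contents are valid X.509 or that they verify the IAM service certificate.
    """
    with open(path, encoding="ascii", errors="strict") as fh:
        text = fh.read()
    blocks = PEM_BLOCK.findall(text)
    for block in blocks:
        ssl.PEM_cert_to_DER_cert(block)  # raises ValueError on malformed input
    return len(blocks)


def check_keyring(notes_ini_path):
    """Validate OAUTH2_DSAPI_KEYRING in one notes.ini; returns a result dict."""
    result = {"ok": False, "keyring": None, "certs": 0, "problem": None}
    keyring = read_notes_ini(notes_ini_path).get("OAUTH2_DSAPI_KEYRING")
    if not keyring:
        result["problem"] = "OAUTH2_DSAPI_KEYRING is not set in notes.ini"
        return result
    # Assumption: a relative path is taken relative to the directory holding
    # notes.ini (the notes data directory, the location suggested above).
    if not os.path.isabs(keyring):
        keyring = os.path.join(os.path.dirname(os.path.abspath(notes_ini_path)), keyring)
    result["keyring"] = keyring
    if not os.path.isfile(keyring):
        result["problem"] = f"keyring file not found: {keyring}"
        return result
    try:
        result["certs"] = count_pem_certs(keyring)
    except (ValueError, UnicodeDecodeError) as exc:
        result["problem"] = f"keyring is not PEM: {exc}"
        return result
    if result["certs"] == 0:
        result["problem"] = "keyring contains no PEM certificate blocks"
        return result
    result["ok"] = True
    return result


def _fake_pem_block(label):
    """Constructed PEM-framed block; the payload is NOT a real certificate."""
    body = base64.encodebytes(f"constructed placeholder: {label}".encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def demo():
    """Run the check against two constructed notes.ini files in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as data_dir:
        with open(os.path.join(data_dir, "iam-chain.pem"), "w") as fh:
            fh.write(_fake_pem_block("root") + _fake_pem_block("intermediate"))
        good_ini = os.path.join(data_dir, "notes.ini")
        with open(good_ini, "w") as fh:
            fh.write(f"[Notes]\nDirectory={data_dir}\nOAUTH2_DSAPI_KEYRING=iam-chain.pem\nDEBUG_OAUTH_DSAPI=1\n")
        results["good"] = check_keyring(good_ini)
        missing_ini = os.path.join(data_dir, "notes-missing.ini")
        with open(missing_ini, "w") as fh:
            fh.write(f"[Notes]\nDirectory={data_dir}\n")
        results["missing"] = check_keyring(missing_ini)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "OK" if r["ok"] else "PROBLEM", r["problem"] or f"{r['certs']} cert(s) in {r['keyring']}")
```

To run it against a real server, call `check_keyring("/local/notesdata/notes.ini")` (or the Windows notes.ini location). If it reports OK but the filter still fails to reach the IAM service, the remaining question is whether the bundle verifies the IAM host, which an `openssl s_client -CAfile <bundle> -connect <domino-iam-service host>:443` session from the Domino server will answer.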
Configuration Steps - Windows
Go to the IAM Management Dashboard, click Manage Applications and create a "Resource Provider". This identifies the Domino Server as a resource provider to the IAM service and provides credentials that allow the Domino server to introspect access tokens. After clicking "Create":
- Resource Provider Name: Name of the Domino server acting as the resource provider. This value is for display only.
- Resource Provider Description: Descriptive text for the server.
- Click Save. You are shown the Resource Provider ID and Resource Provider Secret. (You can come back to these if needed.)
Unzip the proton-addin-<version>.zip file to the Domino program directory.
Add the credentials to the Domino credential store:

```bat
cd <notes.ini-location>
\<domino-program-directory>\oauthcfg create default <Resource Provider ID> <Resource Provider Secret> <https://<domino-iam-service host>/token/introspection>
```
See Introspection Credentials for more details on managing introspection credentials.
Verify that a certificate or certificate chain is stored on the server. This is required for the Domino server to connect to the IAM service using TLS. This should be a PEM formatted certificate or certificate chain that allows the Domino server to verify the authenticity of the IAM service certificate. While this file can be anywhere on the server file system, the suggested location is the notes data directory or subdirectory.
Set the following value in notes.ini:

```ini
OAUTH2_DSAPI_KEYRING=<path to certificate or certificate bundle>
```
Open the Domino directory for the server and locate the server document.
Select the "Internet Protocols" tab and click "Edit Server".
On the HTTP tab, add oauth-dsapi to "DSAPI filter file names".
Save the server document.
Enable the Calendar and Freebusy REST APIs.
On the Domino server console, type:

```
restart task http
```

You should see:

```
HTTP Server: DSAPI OAuth DSAPI Filter version <version> Loaded successfully
```
Debug
The following notes.ini settings enable tracing:
- DEBUG_OAUTH_DSAPI=1 to enable DSAPI tracing.
- DEBUG_OAUTH2=1 to enable core OAuth tracing.