
OAuth 2.0

1. Create configuration file

By default the configuration file is /data/mingdao/script/volume/sso/sso.json. Create it with the following contents:

Note: if the SSO pages still return 404 after the file has been mounted, the usual cause is malformed JSON. Check the file with a JSON validator; the original page suggests json.cn, but since the file contains your clientSecret it is better to validate it locally (for example with Python's json.tool) than to paste it into a third-party site.

{
  "mode": "common-oauth2",
  "name": "oauth2",
  "oauth2": {
    "oauth2Url": "",
    "clientId": "",
    "clientSecret": "",
    "idParamName": "client_id",
    "secretParamName": "client_secret",
    "accessTokenParamName": "access_token",
    "redirectUri": "",
    "authorizePath": "/authorize",
    "tokenPath": "/access_token",
    "userInfoUrl": "",
    "params": {
      "UserId": "uid",
      "Name": "name",
      "Email": "email",
      "Mobile": "mobilePhone",
      "Positions": "positions",
      "Departments": "departments"
    },
    "autoRegister": true,
    "projectId": ""
  }
}

Parameters and their meaning (in the sample file above, autoRegister and projectId sit inside the oauth2 object):

| Parameter | Type | Required | Meaning |
| --- | --- | --- | --- |
| oauth2.oauth2Url | String | Yes | Address of the OAuth2 identity service, e.g. http://192.168.10.80/oauth2 |
| oauth2.clientId | String | Yes | Client ID issued to the application |
| oauth2.clientSecret | String | Yes | Client secret issued to the application |
| oauth2.idParamName | String | Yes | Parameter name under which client_id is sent; depends on what the authorizePath and tokenPath interfaces expect; usually client_id |
| oauth2.secretParamName | String | Yes | Parameter name under which client_secret is sent; depends on what the authorizePath and tokenPath interfaces expect; usually client_secret |
| oauth2.accessTokenParamName | String | No | Name of the field that carries the access token in the tokenPath response; the default is accessToken. The sample configuration above sets it to access_token to match the sample token response below |
| oauth2.redirectUri | String | Yes | Callback address, normally {server}/orgsso/oauth2, e.g. http://192.168.10.20:8880/orgsso/oauth2 |
| oauth2.authorizePath | String | Yes | Authorization endpoint path, appended to oauth2Url (oauth2Url/authorizePath); usually /authorize |
| oauth2.tokenPath | String | Yes | Access-token endpoint path, appended to oauth2Url (oauth2Url/tokenPath); usually /access_token. The required response format is given below |
| oauth2.userInfoUrl | String | Yes | Full URL of the user-information interface, e.g. http://{host}/getUserInfo. The token is appended automatically, so the final request is http://192.168.10.80/getUserInfo?{tokenKeyParamName}={access_token}. The required response format is given below |
| oauth2.tokenKeyParamName | String | No | Query-parameter name under which the access token is passed to userInfoUrl; default token |
| oauth2.authorizationMethod | String | No | How client_id/client_secret are sent to the token interface: header or body; default header |
| oauth2.bodyFormat | String | No | Body encoding of the token request: form (application/x-www-form-urlencoded) or json (application/json); default form |
| oauth2.params | Object | Yes | Mapping from HAP user fields (fixed keys) to the field names actually returned by the user-information interface; see the example after the user-information format below |
| oauth2.params.UserId | String | Yes | Unique user identifier |
| oauth2.params.Name | String | No | User name; if the user already exists, the name is overwritten automatically |
| oauth2.params.Email | String | No | Email; required when users are looked up or registered by email. Either Email or Mobile must be mapped, unless a third-party relationship has been bound (see extend.json in step 2), in which case users are found through that relationship and neither field is needed |
| oauth2.params.Mobile | String | No | Mobile phone number; required when users are looked up or registered by mobile number |
| oauth2.params.Positions | Array | No | Positions; the user's positions are updated automatically, but positions are not created |
| oauth2.params.Departments | Array | No | Departments; the user's departments are updated automatically, but departments are not created |
| autoRegister | Boolean | No | Whether to create the account automatically when it does not exist; default true |
| projectId | String | Yes | HAP organization ID: Organization Management (upper right corner) > Organization Information > Organization Number ID, e.g. 1x-2x-3x-4x-5x. Not required for multi-organization single sign-on, where it is passed on the sign-on URL instead (see step 3) |
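The two things that most often go wrong here are a file that is not valid JSON (the 404 mentioned in the note above) and a file that parses but is missing a field the table marks as required. The following script, added here as an example and not part of HAP or the original page, checks an sso.json document against the rules in the table before you mount it. The sample configuration it contains is constructed for the example; the endpoint addresses and the secret are placeholders, and the function also accepts either location for projectId because the sample file above nests it inside oauth2 while the table lists it at the top level.

```python
import json
from typing import List

# Keys the parameter table marks as required inside the "oauth2" object.
REQUIRED_OAUTH2_KEYS = (
    "oauth2Url", "clientId", "clientSecret", "idParamName", "secretParamName",
    "redirectUri", "authorizePath", "tokenPath", "userInfoUrl", "params",
)
# Optional keys with a fixed set of allowed values.
ENUM_KEYS = {"authorizationMethod": ("header", "body"), "bodyFormat": ("form", "json")}


def validate_sso_config(text: str, multi_org: bool = False, relation: bool = False) -> List[str]:
    """Check an sso.json document against the parameter table; [] means it passed.

    multi_org=True: projectId is passed on the /orgsso/sso URL (step 3), so it is
    not required in the file. relation=True: extend.json enables relation
    binding, so neither Email nor Mobile has to be mapped.
    """
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Malformed JSON is the usual cause of the 404 mentioned in the note above.
        return [f"invalid JSON: {exc}"]

    problems: List[str] = []
    if cfg.get("mode") != "common-oauth2":
        problems.append('mode must be "common-oauth2"')
    oauth2 = cfg.get("oauth2")
    if not isinstance(oauth2, dict):
        return problems + ['missing "oauth2" object']

    for key in REQUIRED_OAUTH2_KEYS:
        if not oauth2.get(key):
            problems.append(f"oauth2.{key} is required")
    for key in ("authorizePath", "tokenPath"):
        value = oauth2.get(key)
        if isinstance(value, str) and value and not value.startswith("/"):
            problems.append(f"oauth2.{key} is appended to oauth2Url and should start with '/'")
    for key, allowed in ENUM_KEYS.items():
        if key in oauth2 and oauth2[key] not in allowed:
            problems.append(f"oauth2.{key} must be one of {allowed}")

    params = oauth2.get("params")
    if isinstance(params, dict):
        if not params.get("UserId"):
            problems.append("oauth2.params.UserId is required")
        if not relation and not (params.get("Email") or params.get("Mobile")):
            problems.append("oauth2.params must map Email or Mobile (or enable relation binding)")

    # Accept projectId at the top level (table) or inside oauth2 (sample file).
    project_id = cfg.get("projectId") or oauth2.get("projectId")
    if not multi_org and not project_id:
        problems.append("projectId is required for single-organization SSO")
    return problems


# Constructed sample: placeholder addresses, client ID and secret, not real values.
SAMPLE_SSO_JSON = json.dumps({
    "mode": "common-oauth2",
    "name": "oauth2",
    "oauth2": {
        "oauth2Url": "http://192.168.10.80/oauth2",
        "clientId": "hap-client",
        "clientSecret": "example-secret",
        "idParamName": "client_id",
        "secretParamName": "client_secret",
        "accessTokenParamName": "access_token",
        "redirectUri": "http://192.168.10.20:8880/orgsso/oauth2",
        "authorizePath": "/authorize",
        "tokenPath": "/access_token",
        "userInfoUrl": "http://192.168.10.80/getUserInfo",
        "params": {"UserId": "uid", "Name": "name", "Email": "email",
                   "Mobile": "mobilePhone", "Positions": "positions",
                   "Departments": "departments"},
        "autoRegister": True,
        "projectId": "1x-2x-3x-4x-5x",
    },
})

# The same file with a trailing comma after the last member: not valid JSON.
BROKEN_SSO_JSON = SAMPLE_SSO_JSON.replace('"projectId": "1x-2x-3x-4x-5x"',
                                          '"projectId": "1x-2x-3x-4x-5x",')

# Parses fine, but violates three rules from the table.
_incomplete = json.loads(SAMPLE_SSO_JSON)
_incomplete["oauth2"].pop("projectId")
_incomplete["oauth2"]["params"] = {"UserId": "uid"}
_incomplete["oauth2"]["bodyFormat"] = "xml"
INCOMPLETE_SSO_JSON = json.dumps(_incomplete)

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_SSO_JSON), ("broken", BROKEN_SSO_JSON),
                       ("incomplete", INCOMPLETE_SSO_JSON)):
        print(label, validate_sso_config(doc) or "OK")
```

To check a real file, read it from disk and pass the text to validate_sso_config; pass multi_org=True when projectId will come from the sign-on URL, and relation=True when extend.json is mounted.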

Interaction diagram (image not reproduced on this page)

Token and user-information interface requirements

The interface for obtaining an access token must support POST calls. The client credentials are sent as headers or in the request body according to authorizationMethod, and the body is encoded according to bodyFormat (see the parameter table above).

The response must be JSON in the following shape (expires_in is in seconds):

{
  "access_token": "wQ7kZ5iJ1lK9iU0mJ2oH4rN0uW8gI1vV4fR1jC7yG8yX4gP2qK6mH1iS7iX4zQ1w",
  "expires_in": 7200
}

The interface for obtaining user information must support GET calls (see the userInfoUrl parameter description for how the token is passed), and its response must be JSON in the following shape:

{
"data": {
"uid": "userid",
"name": "name",
"email": "email",
"mobilePhone": "mobile phone number",
"positions":["position1","position2"],
"departments":["department1","department2"]
}
}

For the response shown above, the matching params configuration is:

"params": {
  "UserId": "uid",
  "Name": "name",
  "Email": "email",
  "Mobile": "mobilePhone",
  "Positions": "positions",
  "Departments": "departments"
}
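To see how the configuration fields above combine into the actual exchange, here is a worked walk-through of the flow as a client that consumes this configuration would perform it: build the authorize URL, build the token POST, pull the token out of the response with accessTokenParamName, call userInfoUrl, and apply the params mapping. This is an added example, not HAP's own implementation; the request HAP sends may differ in detail. In particular, the redirect_uri, response_type, state, grant_type and code names are the standard RFC 6749 ones and are an assumption, as is sending the credentials as headers named by idParamName and secretParamName when authorizationMethod is header. The configuration, token response and user-information response are constructed for the example and run offline; nothing here contacts a server.

```python
import json
from urllib.parse import urlencode

# Filled-in oauth2 section, constructed for this example (placeholder endpoints and secret).
CFG = {
    "oauth2Url": "http://192.168.10.80/oauth2",
    "clientId": "hap-client",
    "clientSecret": "example-secret",
    "idParamName": "client_id",
    "secretParamName": "client_secret",
    "accessTokenParamName": "access_token",
    "redirectUri": "http://192.168.10.20:8880/orgsso/oauth2",
    "authorizePath": "/authorize",
    "tokenPath": "/access_token",
    "userInfoUrl": "http://192.168.10.80/getUserInfo",
    "tokenKeyParamName": "token",
    "authorizationMethod": "header",
    "bodyFormat": "form",
    "params": {"UserId": "uid", "Name": "name", "Email": "email",
               "Mobile": "mobilePhone", "Positions": "positions",
               "Departments": "departments"},
}

# Responses the identity service would return, constructed to match the formats above.
TOKEN_RESPONSE = '{"access_token": "tok-constructed-0001", "expires_in": 7200}'
USERINFO_RESPONSE = json.dumps({"data": {
    "uid": "u1001", "name": "Alice", "email": "alice@example.com",
    "mobilePhone": "13800000000", "positions": ["Engineer"],
    "departments": ["R&D", "Security"]}})


def authorize_url(cfg, state):
    """Step 1: the URL the browser is redirected to (oauth2Url + authorizePath).
    redirect_uri/response_type/state are the RFC 6749 names; an assumption here."""
    query = {cfg["idParamName"]: cfg["clientId"], "redirect_uri": cfg["redirectUri"],
             "response_type": "code", "state": state}
    return cfg["oauth2Url"].rstrip("/") + cfg["authorizePath"] + "?" + urlencode(query)


def token_request(cfg, code):
    """Step 2: the POST to oauth2Url + tokenPath, returned as (url, headers, body).
    Credentials go into headers named idParamName/secretParamName when
    authorizationMethod is "header" (assumed), otherwise into the body, which is
    encoded per bodyFormat."""
    url = cfg["oauth2Url"].rstrip("/") + cfg["tokenPath"]
    creds = {cfg["idParamName"]: cfg["clientId"], cfg["secretParamName"]: cfg["clientSecret"]}
    fields = {"grant_type": "authorization_code", "code": code, "redirect_uri": cfg["redirectUri"]}
    headers = {}
    if cfg.get("authorizationMethod", "header") == "header":
        headers.update(creds)
    else:
        fields.update(creds)
    if cfg.get("bodyFormat", "form") == "json":
        headers["Content-Type"] = "application/json"
        body = json.dumps(fields)
    else:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        body = urlencode(fields)
    return url, headers, body


def access_token_from(cfg, response_text):
    """Step 3: read the token field named by accessTokenParamName. The documented
    default is accessToken, so a server returning access_token needs the parameter
    set explicitly, as the sample configuration does."""
    key = cfg.get("accessTokenParamName", "accessToken")
    data = json.loads(response_text)
    if key not in data:
        raise ValueError(f"token response has no {key!r} field; keys: {sorted(data)}")
    return data[key]


def user_info_url(cfg, token):
    """Step 4: GET userInfoUrl?{tokenKeyParamName}={access_token}."""
    return cfg["userInfoUrl"] + "?" + urlencode({cfg.get("tokenKeyParamName", "token"): token})


def map_user(cfg, response_text):
    """Step 5: apply the params mapping to the "data" object and enforce the table's
    rules: UserId is mandatory, and Email or Mobile must be present (unless relation
    binding via extend.json is used)."""
    data = json.loads(response_text).get("data") or {}
    user = {field: data.get(source) for field, source in cfg["params"].items()}
    if not user.get("UserId"):
        raise ValueError("user info lacks the field mapped to UserId")
    if not (user.get("Email") or user.get("Mobile")):
        raise ValueError("user info must carry Email or Mobile")
    return user


if __name__ == "__main__":
    print(authorize_url(CFG, "state-123"))
    print(token_request(CFG, "code-abc"))
    token = access_token_from(CFG, TOKEN_RESPONSE)
    print(user_info_url(CFG, token))
    print(map_user(CFG, USERINFO_RESPONSE))
```

Running access_token_from with accessTokenParamName removed from CFG raises a ValueError against the same TOKEN_RESPONSE, which is the failure you get when the identity service returns access_token but the configuration is left at the documented default of accessToken.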

2. Mount configuration file

Edit the docker-compose.yaml of the microservice application (default path /data/mingdao/script/docker-compose.yaml): add the following file mount under volumes, then restart the microservice application.

- ./volume/sso/sso.json:/usr/local/MDPrivateDeployment/sso/OptionFile/sso.json

If users should be matched through a bound third-party relationship ID (so that Email or Mobile does not have to be mapped), also create extend.json. The default path is /data/mingdao/script/volume/sso/extend.json and its content is:

{
"relation": true
}

Add its mount as well:

- ./volume/sso/extend.json:/usr/local/MDPrivateDeployment/sso/extend.json

Tip: after the mounts are configured, restart the microservice application. Once it is back up, send a GET request to {server}/orgsso/checkssoconfig to confirm that the configuration file was mounted successfully.

3. Single sign-on

Single organization: open {server}/orgsso/sso?returnUrl={returnUrl} in the browser.

Multiple organizations: open {server}/orgsso/sso?returnUrl={returnUrl}&appKey={appKey}&sign={sign}&timestamp={timestamp}&projectId={projectId} in the browser.

For multiple organizations, projectId must be passed as a URL parameter, and the enterprise authorization parameters (appKey, sign, timestamp) are required as well.

For enterprise authentication and authorization signature algorithm, please refer to: https://www.showdoc.com.cn/mingdao/15539798

Note:

{server} is the HAP system address, e.g. http://192.168.10.20:8880

{returnUrl} is the address to redirect to after a successful login and is optional; to land on an application page, for example, it could be http://192.168.10.20:8880/app/cf595091-e3ac-4669-a320-068e55533c33/64477b37df36209b5f36f1cf/64477b4f61655012a90ed994?from=insite

If an "SSO Error" message appears during sign-on, log in to HAP with an administrator account, click the avatar in the upper right corner, open System Configuration > Log, filter on the service name sso, and read the logged cause of the error.