Once Curity has been installed, it is time to configure it for the first time. This tutorial will set up the basic configuration so that the following is running:
- An Authentication service
- A token service for OAuth and OpenID Connect
We'll rely on the HSQL Database, a file-based database that is included in the installation. It cannot be used in production, but it is useful for getting up and running quickly.
Admin UI Overview
Log in to the Admin UI at https://localhost:6749/admin (or the host where the machine is deployed). Enter the username admin and the password you set during the installation.
When the system is unconfigured you'll see an option to use the basic setup wizard, which we will be using in this tutorial.
- The sidebar changes depending on which section is visited
- The System menu takes you to system-wide settings such as deployments, events and procedures
- The Profile menu defines the server functions
- The Changes menu is where configuration changes are viewed, applied or cancelled
- The User menu manages admin users
- The Facilities menu holds all helper services, such as data sources, certificates and email or SMS services
The Basic Setup Wizard
To get started, click the Basic Setup button and walk through the first wizard. All configuration can be set up and changed after the wizard; it puts the system in a good starting state.
Token and Session Data Source
The first screen sets up the data source that stores tokens and sessions. It can connect to a number of backends, but to get started quickly, just click next. This will set up an HSQL data source for tokens and sessions called default-datasource. This cannot be used in production and will not work with clusters.
User Data Source
Users can be stored in different data stores such as SQL, LDAP, SCIM, REST APIs etc. If you don't have any user stores yet, you can use the same test database as in the previous step and just click next.
The hashing algorithm will be used when storing user passwords. The default is ok for a new system.
If the system should be able to send emails for authentication or registration, configure an SMTP service here, otherwise just click next. If you don't know right now, this can be added via the Facilities menu later on.
If the system should be able to send SMS messages for authentication, configure an SMS service here, otherwise just click next. If you don't know right now, this can be added via the Facilities menu later on.
Add your license by uploading the file or dragging and dropping it onto the area in the wizard. The license can be downloaded from your license page in the developer portal. If you don't have a license currently, it can be added later via the System screen and General page from the sidebar.
Curity needs keys for SSL. Either upload existing keys here, or generate new keys with self-signed certificates for testing. To generate keys, click "Generate New" and fill in the three fields. Then click next.
Curity needs keys for signing tokens. Either upload existing keys here, or generate new keys with self-signed certificates for testing. To generate keys, click "Generate New" and fill in the three fields. Then click next.
Token Service Capabilities
The Token Service profile is the heart of OAuth and OpenID Connect. The profile can be restricted as to which flows are allowed to run. By default the wizard suggests enabling all flows. You can change this later from the "Token Service" General page.
Whenever changes are made in the UI they are not deployed to the server until the admin commits them. They are kept in a transaction that is validated when committed. This ensures that every new configuration state is correct and that no invalid config is deployed. The wizard now lets you commit these directly, or later by selecting Changes menu -> Commit. If you're happy with the new setup, simply click commit directly in the wizard.
All changes are now applied.
The basic setup wizard has now created a system that contains the following:
- An Authentication Profile for user authentication
- A Token profile for OAuth and OpenID Connect
- A deployment (service-role): the runtime configuration needed by the runtime nodes
- One or two data sources: one for tokens and optionally a second one for users
- An Email provider (if selected)
- An SMS provider (if selected)
- SSL certificates and signing keys
The system is now ready for OAuth and OpenID Connect. But before we start making OAuth calls we should set up user authentication. In the next tutorial a username/password authenticator is configured using the data source we defined in this tutorial.