Version: 14.x

OAuth Login Site Configuration

This service can be added to your project by visiting Mia-Platform Marketplace and creating a new microservice from the OAuth Login Site plugin.

The OAuth Login Site plugin does not require any configuration file.

Environment variables

  • HTTP_PORT (required, default 8080): port where the web server is exposed.

Integration with Authentication Services

The OAuth login site can be used in conjunction with the Mia-Platform authentication services Auth0 Client and Authentication Service.

Since v8.0.0, these services must be properly configured to work with the login site, as explained in the following paragraphs.

Preliminary configuration

The login site exposes the /web-login endpoint: you need to publicly expose it in your project.

Auth0 client configuration

If you have the Auth0-client configured in your project, make sure that the client configuration in the config map contains the authorizeStateRequired: true flag.

Make sure the /authorize endpoint of the auth0-client is correctly exposed.

To let your users login through the login site, redirect them through the following URL:

https://some-project.example.org/web-login?redirect=<redirect-url>

The redirect query parameter is forwarded as-is to the /authorize endpoint, and it is therefore optional. A state value is generated and stored for a later check, and is sent as a query parameter to the /authorize endpoint.

Redirect callback

After a user is redirected to the provider and successfully logs in, they are redirected to the /web-login/callback?code=<code>&state=<state> page; the login site checks that the returned state is equal to the initially generated one. If it does not match, an error is displayed and the auth flow is interrupted. This security measure is in place to prevent CSRF attacks, as required by the OAuth 2.0 RFC.

If the state check passes, the Auth0-client /oauth/token is called, and the user is given a token and finally redirected to the web application.

Authentication Service

If you use the Authentication Service, make sure that the configuration in the config map contains the authorizeStateRequired: true flag under the app with the appId you want to use for user authentication.

Make sure the /authorize endpoint of the authentication-service is correctly exposed.

To let your users login through the login site, redirect them through the following URL:

https://some-project.example.org/web-login?appId=<the-app-id>&redirect=<redirect-url>

Please note that the appId query string is required.

After a user is redirected to the above URL, the login site contacts the authentication service to retrieve the list of external authentication providers configured for the specified app.

The user is presented with a list of buttons, one per provider; once the user clicks a button, the login site redirects to the /authorize endpoint with the following query string parameters:

  • redirect: added only if specified in the initial /web-login request;
  • appId: corresponds to the one specified in the /web-login request;
  • providerId: depends on the provider chosen by the user;
  • state: generated by the login site, it will be checked for consistency later on during the auth flow;

Redirect callback

After a user is redirected to the provider and successfully logs in, they are redirected to the /web-login/oauth/callback?code=<code>&state=<state> page; the login site checks that the returned state is equal to the initially generated one. If it does not match, an error is displayed and the auth flow is interrupted. This security measure is in place to prevent CSRF attacks, as required by the OAuth 2.0 RFC.

If the state check passes, the Authentication Service /oauth/token endpoint is called, and the user is given an access token and finally redirected to the web application.
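The state generation and callback check described for both the Auth0 client and the Authentication Service flows above, as an added illustrative example that is not the plugin's own code: the state is stored in the user's session, consumed on first use, compared in constant time, and only a match lets the code be exchanged at /oauth/token. The session dict, the AUTHORIZE_URL value and the function names are assumptions for the example.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

# Assumed /authorize location (placeholder, not from the page).
AUTHORIZE_URL = "https://some-project.example.org/authorize"


def start_login(session: dict, app_id: str, provider_id: str,
                redirect: Optional[str] = None) -> str:
    """Build the /authorize URL the login site redirects the user to.

    A fresh random state is generated, kept server-side in the user's
    session and sent as a query parameter, as the page describes.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"appId": app_id, "providerId": provider_id, "state": state}
    if redirect:  # forwarded only if the /web-login request carried it
        params["redirect"] = redirect
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, code: str,
                    state: Optional[str]) -> Tuple[bool, str]:
    """Check the state returned on the callback page against the stored one.

    Returns (ok, message). Only when ok is True may the caller exchange
    `code` at /oauth/token; a mismatch interrupts the flow (CSRF defence).
    """
    expected = session.pop("oauth_state", None)  # single use: consume it
    if expected is None or state is None:
        return False, "missing state: flow was not started from this session"
    # Constant-time comparison on bytes so a non-ASCII value cannot raise.
    if not hmac.compare_digest(expected.encode(), state.encode()):
        return False, "state mismatch: possible CSRF, flow interrupted"
    return True, "state ok: exchange code at /oauth/token"
```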