Setup OAuth Client for Internal Services (Django Oauth Toolkit version)
This probably belongs as a how_to in a repo, but I copied another page to get this up quickly for Juniper, where people need to upgrade from DOP (django-oauth2-provider) to DOT (Django OAuth Toolkit).
Step-by-step guide
1. Create a new worker user with staff access in LMS (usually <service>-worker)
- If you are migrating from DOP to DOT, you probably already have this service worker.
- Also see the devstack script for creating the service worker.
2. Create two different OAuth applications at https://<lms>/admin/oauth2_provider/application/
- Backend service application (used by the service for server-to-server calls):
  - Client_id: <autogenerated>
  - User: select the <service> worker that you created with app-permissions
  - Redirect Uris: <blank>
  - Client type: Confidential
  - Authorization grant type: Client credentials
  - Client secret: <autogenerated> (not sure if autogenerated is secure enough for prod)
  - Name: <service>-backend-service
- SSO application (used for user login via the LMS):
  - Client_id: <autogenerated>
  - User: select the <service> worker that you created with app-permissions
  - Redirect Uris: https://<service_url>/complete/edx-oauth2/
  - Client type: Confidential
  - Authorization grant type: Authorization code
  - Client secret: <autogenerated> (not sure if autogenerated is secure enough for prod)
  - Name: <service>-sso
  - Skip Authorization: checked
- Also see the devstack script for creating the oauth applications.
- Add a user_id application access scope for the new <service>-sso app here: https://courses-internal.edx.org/admin/oauth_dispatch/applicationaccess
  - Note: This is handled by the management command in the devstack script and is only needed if doing this manually.
- Set the following keys in the configuration settings of your service (the SOCIAL_AUTH_* keys take the <service>-sso credentials, the BACKEND_SERVICE_* keys take the <service>-backend-service credentials):

```python
SOCIAL_AUTH_EDX_OAUTH2_KEY = '<service-sso-key>'
SOCIAL_AUTH_EDX_OAUTH2_SECRET = '<service-sso-secret>'
SOCIAL_AUTH_EDX_OAUTH2_ISSUER = 'https://<lms_url>'
SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT = 'https://<lms>'
SOCIAL_AUTH_EDX_OAUTH2_LOGOUT_URL = 'https://<lms>/logout'
BACKEND_SERVICE_EDX_OAUTH2_KEY = '<service-backend-service-key>'
BACKEND_SERVICE_EDX_OAUTH2_SECRET = '<service-backend-service-secret>'
```
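One way to sanity-check the two applications and the service settings above before pointing a service at them, as an added example that is not part of this page or of the edX devstack scripts: the application rows are plain dicts whose field names are assumed to mirror the admin form (the stored values 'confidential', 'client-credentials' and 'authorization-code' are DOT's), all sample data is constructed, and the check flags the wrong grant type, a mismatched redirect URI, swapped credentials, or a malformed URL setting such as the missing slashes in 'https:<lms>/logout'.

```python
from urllib.parse import urlparse

def check_oauth_setup(apps, settings, service, worker, service_host):
    # Returns a list of findings; an empty list means the setup matches the guide.
    findings, by_name = [], {a["name"]: a for a in apps}
    # Per application: grant type, redirect URIs and skip-authorization flag, as DOT stores them.
    expected = {
        f"{service}-backend-service": ("client-credentials", "", False),
        f"{service}-sso": ("authorization-code", f"https://{service_host}/complete/edx-oauth2/", True),
    }
    for name, (grant, redirect, skip) in expected.items():
        app = by_name.get(name)
        if app is None:
            findings.append(f"{name}: application missing")
            continue
        for field, want in (("user", worker), ("client_type", "confidential"),
                            ("authorization_grant_type", grant),
                            ("redirect_uris", redirect), ("skip_authorization", skip)):
            if app[field] != want:
                findings.append(f"{name}: {field} is {app[field]!r}, expected {want!r}")
    # SOCIAL_AUTH_* must carry the -sso credentials, BACKEND_SERVICE_* the backend-service pair.
    for prefix, name in (("SOCIAL_AUTH_EDX_OAUTH2", f"{service}-sso"),
                         ("BACKEND_SERVICE_EDX_OAUTH2", f"{service}-backend-service")):
        app = by_name.get(name)
        creds = (settings.get(f"{prefix}_KEY"), settings.get(f"{prefix}_SECRET"))
        if app and creds != (app["client_id"], app["client_secret"]):
            findings.append(f"{prefix}_KEY/_SECRET do not match application {name!r}")
    # URL-valued settings must be absolute https URLs; this catches 'https:<lms>/logout'.
    for key, value in settings.items():
        if key.endswith(("_ISSUER", "_URL_ROOT", "_LOGOUT_URL")):
            parsed = urlparse(value)
            if parsed.scheme != "https" or not parsed.netloc:
                findings.append(f"{key}: {value!r} is not an absolute https URL")
    return findings

# Constructed sample rows and settings (placeholder credentials); the logout URL repeats the typo.
EXAMPLE_APPS = [
    {"name": "myservice-backend-service", "user": "myservice_worker", "client_type": "confidential",
     "authorization_grant_type": "client-credentials", "redirect_uris": "", "skip_authorization": False,
     "client_id": "backend-id", "client_secret": "backend-secret"},
    {"name": "myservice-sso", "user": "myservice_worker", "client_type": "confidential",
     "authorization_grant_type": "authorization-code", "skip_authorization": True,
     "redirect_uris": "https://myservice.example.org/complete/edx-oauth2/",
     "client_id": "sso-id", "client_secret": "sso-secret"},
]
EXAMPLE_SETTINGS = {
    "SOCIAL_AUTH_EDX_OAUTH2_KEY": "sso-id", "SOCIAL_AUTH_EDX_OAUTH2_SECRET": "sso-secret",
    "SOCIAL_AUTH_EDX_OAUTH2_ISSUER": "https://lms.example.org",
    "SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT": "https://lms.example.org",
    "SOCIAL_AUTH_EDX_OAUTH2_LOGOUT_URL": "https:lms.example.org/logout",
    "BACKEND_SERVICE_EDX_OAUTH2_KEY": "backend-id", "BACKEND_SERVICE_EDX_OAUTH2_SECRET": "backend-secret",
}
```

Run `check_oauth_setup(EXAMPLE_APPS, EXAMPLE_SETTINGS, "myservice", "myservice_worker", "myservice.example.org")` and the only finding is the malformed logout URL; in a real deployment the dicts would be filled from the DOT Application rows and the service's settings module.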
Explanation of all the oauth admin pages

| Section Name | URL | Description | Actively used |
|---|---|---|---|
| Django OAuth Toolkit | /oauth2_provider/ | Currently used OAuth2 provider | yes |
| Oauth_Dispatch | /oauth_dispatch/applicationaccess/ | This is where we give applications access to certain scopes | yes |