Setup OAuth Client for Internal Services (Django Oauth Toolkit version)


This probably belongs as a how_to in a repo, but I copied another page to get this up quickly for Juniper where people need to upgrade from DOP to DOT.


Step-by-step guide

1. Create a new worker user with staff access in LMS (usually <service>-worker)

2. Create 2 different OAuth applications at https://<lms>/admin/oauth2_provider/application/

   1. Client_id: <autogenerated>
      User: select the <service> worker that you created with app-permissions
      Redirect Uris: <blank>
      Client type: Confidential
      Authorization grant type: Client credentials
      Client secret: <autogenerated> (not sure if autogenerated is secure enough for prod)
      Name: <service>-backend-service

   2. Client_id: <autogenerated>
      User: select the <service> worker that you created with app-permissions
      Redirect Uris: https://<service_url>/complete/edx-oauth2/
      Client type: Confidential
      Authorization grant type: Authorization code
      Client secret: <autogenerated> (not sure if autogenerated is secure enough for prod)
      Name: <service>-sso
      Skip Authorization: checked

Also see this devstack script for creating the oauth applications.

3. Add a user_id application access scope for the new <service>-sso app here:
   https://courses-internal.edx.org/admin/oauth_dispatch/applicationaccess
   Note: This is handled by the management command in the devstack script and is only needed if doing this manually.

4. Set the following keys in the configuration settings of your service:

   SOCIAL_AUTH_EDX_OAUTH2_KEY = '<service-sso-key>'
   SOCIAL_AUTH_EDX_OAUTH2_SECRET = '<service-sso-secret>'
   SOCIAL_AUTH_EDX_OAUTH2_ISSUER = 'https://<lms_url>'
   SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT = 'https://<lms>'
   SOCIAL_AUTH_EDX_OAUTH2_LOGOUT_URL = 'https://<lms>/logout'
   BACKEND_SERVICE_EDX_OAUTH2_KEY = '<service-backend-service-key>'
   BACKEND_SERVICE_EDX_OAUTH2_SECRET = '<service-backend-service-secret>'
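As an added example (not part of this page or of the edX/DOT code), the following script checks that the two applications above were entered the way the recipe requires, and generates a replacement secret for the case where the autogenerated one is not trusted. The application dicts, the service name "myservice", the check_oauth_app/generate_client_secret names and the 32-character minimum are all assumptions of this example; the string values for client type and grant type are assumed to match django-oauth-toolkit's model constants.

```python
import secrets
from urllib.parse import urlparse

# Values DOT stores for the admin dropdowns (assumed from django-oauth-toolkit's model constants).
CLIENT_CONFIDENTIAL = "confidential"
GRANT_CLIENT_CREDENTIALS = "client-credentials"
GRANT_AUTHORIZATION_CODE = "authorization-code"
MIN_SECRET_LEN = 32  # policy threshold chosen for this example, not a DOT default
SSO_CALLBACK_PATH = "/complete/edx-oauth2/"

def generate_client_secret(nbytes: int = 32) -> str:
    """Random URL-safe secret to paste into the admin if the autogenerated one is not trusted."""
    return secrets.token_urlsafe(nbytes)

def check_oauth_app(app: dict) -> list:
    """Return findings for one application dict; an empty list means it matches the recipe."""
    findings = []
    name, grant = app.get("name", "?"), app.get("authorization_grant_type")
    if app.get("client_type") != CLIENT_CONFIDENTIAL:
        findings.append(f"{name}: client type must be confidential")
    if len(app.get("client_secret", "")) < MIN_SECRET_LEN:
        findings.append(f"{name}: client secret shorter than {MIN_SECRET_LEN} characters")
    if not app.get("user"):
        findings.append(f"{name}: not bound to a worker user")
    uris = app.get("redirect_uris", "").split()  # DOT keeps them whitespace-separated
    if grant == GRANT_CLIENT_CREDENTIALS:
        if uris:
            findings.append(f"{name}: backend-service app must not have redirect URIs")
    elif grant == GRANT_AUTHORIZATION_CODE:
        if not uris:
            findings.append(f"{name}: SSO app needs a redirect URI")
        for uri in uris:
            parsed = urlparse(uri)
            if parsed.scheme != "https" or parsed.path != SSO_CALLBACK_PATH:
                findings.append(f"{name}: unexpected redirect URI {uri}")
    else:
        findings.append(f"{name}: unexpected grant type {grant!r}")
    return findings

# Constructed sample applications mirroring the two admin entries above.
BACKEND_APP = {"name": "myservice-backend-service", "user": "myservice-worker",
               "client_type": CLIENT_CONFIDENTIAL, "redirect_uris": "",
               "authorization_grant_type": GRANT_CLIENT_CREDENTIALS, "client_secret": generate_client_secret()}
SSO_APP = {"name": "myservice-sso", "user": "myservice-worker",
           "client_type": CLIENT_CONFIDENTIAL, "authorization_grant_type": GRANT_AUTHORIZATION_CODE,
           "client_secret": generate_client_secret(),
           "redirect_uris": "https://myservice.example.com/complete/edx-oauth2/"}
# Misconfigured variant: public client, short secret, plain-http callback.
BAD_SSO_APP = dict(SSO_APP, client_type="public", client_secret="changeme",
                   redirect_uris="http://myservice.example.com/complete/edx-oauth2/")
```

Running check_oauth_app over BAD_SSO_APP reports three findings (public client, short secret, non-https callback), while the two well-formed dicts return an empty list.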

Explanation of all the oauth admin pages

Section Name          URL                                 Description                                                   Actively used
Django OAuth Toolkit  /oauth2_provider/                   Currently used oauth2 provider                                yes
Oauth_Dispatch        /oauth_dispatch/applicationaccess/  This is where we give applications access to certain scopes  yes