Setup OAuth Client for Internal Services (Django Oauth Toolkit version)
This probably belongs as a how_to in a repo, but I copied another page to get this up quickly for Juniper where people need to upgrade from DOP to DOT.
Step-by-step guide
1. Create a new worker user with staff access in LMS (usually <service>-worker)
- If you are migrating from DOP to DOT, you probably already have this service worker.
- Also see this devstack script for creating the service worker.
2. Create 2 different OAuth applications at https://<lms>/admin/oauth2_provider/application/
- Client_id: <autogenerated>
  User: select <service> worker that you created with app-permissions
  Redirect Uris: <blank>
  Client type: Confidential
  Authorization grant type: Client credentials
  Client secret: <autogenerated> (not sure if autogenerated is secure enough for prod)
  Name: <service>-backend-service
- Client_id: <autogenerated>
  User: select <service> worker that you created with app-permissions
  Redirect Uris: https://<service_url>/complete/edx-oauth2/
  Client type: Confidential
  Authorization grant type: Authorization code
  Client secret: <autogenerated> (not sure if autogenerated is secure enough for prod)
  Name: <service>-sso
  Skip Authorization: checked
Also see this devstack script for creating the oauth applications.
- Add a user_id application access scope for the new <service>-sso app here: https://courses-internal.edx.org/admin/oauth_dispatch/applicationaccess
  - Note: This is handled by the management command in the devstack script and is only needed if doing this manually.
- Set the following keys in the configuration settings of your service:

```python
SOCIAL_AUTH_EDX_OAUTH2_KEY = '<service-sso-key>'
SOCIAL_AUTH_EDX_OAUTH2_SECRET = '<service-sso-secret>'
SOCIAL_AUTH_EDX_OAUTH2_ISSUER = 'https://<lms_url>'
SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT = 'https://<lms>'
SOCIAL_AUTH_EDX_OAUTH2_LOGOUT_URL = 'https://<lms>/logout'
BACKEND_SERVICE_EDX_OAUTH2_KEY = '<service-backend-service-key>'
BACKEND_SERVICE_EDX_OAUTH2_SECRET = '<service-backend-service-secret>'
```
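A pre-deploy check for the settings keys in the last step, as an added example (not code from this page or from edx-platform). The function name `lint_oauth_settings`, the 32-character secret minimum and the sample values are assumptions; the https requirement is meant for production values, not devstack.

```python
from urllib.parse import urlsplit

SSO, BACKEND = "SOCIAL_AUTH_EDX_OAUTH2_", "BACKEND_SERVICE_EDX_OAUTH2_"
URL_KEYS = (SSO + "ISSUER", SSO + "URL_ROOT", SSO + "LOGOUT_URL")
SECRET_KEYS = (SSO + "SECRET", BACKEND + "SECRET")
REQUIRED = (SSO + "KEY", BACKEND + "KEY") + SECRET_KEYS + URL_KEYS
MIN_SECRET_LEN = 32  # assumed local policy, not a DOT or Open edX requirement


def lint_oauth_settings(settings):
    """Return a list of findings; an empty list means the settings passed."""
    findings = []
    for key in REQUIRED:
        value = settings.get(key) or ""
        if not value:
            findings.append(f"{key}: missing or empty")
        elif "<" in value or ">" in value:
            findings.append(f"{key}: template placeholder left in value")
    if findings:
        return findings  # the checks below need real values
    for key in URL_KEYS:
        parts = urlsplit(settings[key])
        # 'https:host/path' parses with an empty netloc, so it is caught here.
        if parts.scheme != "https" or not parts.hostname:
            findings.append(f"{key}: not an absolute https:// URL")
    # The -sso and -backend-service apps are separate clients with different
    # grant types; identical values mean a copy-paste error or a shared secret.
    for suffix in ("KEY", "SECRET"):
        if settings[SSO + suffix] == settings[BACKEND + suffix]:
            findings.append(f"{suffix}: SSO and backend-service values are identical")
    for key in SECRET_KEYS:
        if len(settings[key]) < MIN_SECRET_LEN:
            findings.append(f"{key}: shorter than {MIN_SECRET_LEN} characters")
    return findings


# Constructed sample: the logout URL lacks '//' and the backend secret is short.
SAMPLE = {
    SSO + "KEY": "constructed-sso-client-id",
    SSO + "SECRET": "constructed-sso-secret-0123456789abcdef",
    SSO + "ISSUER": "https://lms.example.com",
    SSO + "URL_ROOT": "https://lms.example.com",
    SSO + "LOGOUT_URL": "https:lms.example.com/logout",
    BACKEND + "KEY": "constructed-backend-client-id",
    BACKEND + "SECRET": "changeme",
}

if __name__ == "__main__":
    print("\n".join(lint_oauth_settings(SAMPLE)))
```

Run it against the rendered settings of the service before deploy; any non-empty result should block the rollout.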
Explanation of all the oauth admin pages
Section Name | URL | Description | Actively used |
---|---|---|---|
Django OAuth Toolkit | /oauth2_provider/ | Currently used oauth2 provider | yes |
Oauth_Dispatch | /oauth_dispatch/applicationaccess/ | This is where we give applications access to certain scopes | yes |