Configure AxAuth IDP for End-User Applications
Introduction
The AxAuth IDP is a managed identity provider (IDP) supported by the Mosaic User Service. AxAuth serves the special purpose of maintaining a standalone user store for an end-user application. If the end-user application intends to offer a user sign-up feature, in addition to enabling authentication from known IDPs, the developers can use AxAuth to deliver this functionality.
This article describes how to configure a User Store in AxAuth so that it can be used by the User Service.
Enabling required services
Configuring the AxAuth IDP for end-user application user management requires both the AxAuth service and the User Service to be enabled in the Mosaic environment.
Configuring an AxAuth User Store
After the AxAuth service has been enabled in the environment, the Service Configuration station shows the following tile for the configuration of the AxAuth service.
Click on the User Stores tile. It will navigate you to the User Stores explorer station.
Click on the New button in the top right corner. That will navigate you to the New User Store station.
Specify a name for the user store. Pick end-user as the category, since we’re configuring this user store to be used with end-user applications, and then define the User Sign Up Webhook and Forgot Password Webhook.
The User Sign Up Webhook handles the user sign-up flow, and should eventually call the completeUserSignUp mutation exposed by the User Service GraphQL endpoint.
The Forgot Password Webhook handles the password reset flow, and should eventually call the completeEndUserPasswordReset mutation as the final step.
After filling in the details, the form should look similar to figure 5. Click on Proceed to save the configuration.
After clicking on Proceed, you will be taken to the User Store Details station. It should display the settings you just configured.
The next step is to create an OAuth client to be used in the User Service IDP Connection configuration. To do this, click on the OAuth Clients button in the side pane. This will take you to the OAuth Clients explorer station. Click on the New button in the top right corner.
Give a name to the new OAuth Client and define the Allowed Redirect URLs. Click on Proceed to save.
This station gives you one more option related to the OAuth Client you just created: whether to allow user sign-up. Since we’re configuring the OAuth Client for an end-user application and we want to give users the ability to sign up for our application themselves, we can leave this property checked.
There are two very important pieces of information in this station: the Client ID and the Client Secret of the OAuth Client. These two values are required when we configure the IDP Connection in the User Service, so copy them for later use. Treat the Client Secret as a credential: keep it in a secrets store rather than in source control or shared documents.
If a new Client Secret is ever required, for example because the current one has been exposed, it can be generated using the Re-Generate Client Secret option in the side pane. Regenerating invalidates the previous secret, so update the IDP Connection in the User Service with the new value afterwards.
Configuring the User Service
The AxAuth IDP is a supported managed IDP in the User Service, so the OAuth Client we just configured in the AxAuth User Store needs to be defined there as an IDP Connection.
Navigate to the Service Configuration station in your environment, and click on the IDP Connections tile.
You will be taken to the IDP Connections explorer station. Click on the New button in the top right corner.
This will take you to the New IDP Connection station. Select AxAuth as the Provider and give an appropriate title for the connection. Then click Proceed.
You will be taken to the IDP Connection Details station, where the default values for the AxAuth provider (Discovery Document URL and Scopes) are pre-filled. Paste the Client ID and Client Secret you copied from the AxAuth User Store OAuth Client into the respective fields. Set the status to Enabled and save.
The final step is to connect the IDP Connection created for AxAuth to the Application instance in the User Service.
To do that, navigate to the Application Details station of the application the IDP Connection should be attached to, and then click on the Manage IDP Connections button in the left pane.
The Manage IDP Connections station lists any IDP Connections that are already connected to the application. Click on the + button to open the list of available IDP Connections and select AxAuth from it.
After selection, the Manage IDP Connections station should look similar to the figure below.
The application is now configured to use the AxAuth IDP.