Configure the Authorization Server

The web content for the authorization server is hosted in the OTK Authorization Server Website Template policy. Customize the website by changing the text, the logo, and style sheet. Do not change the variable names or remove variables. 
Alternatively, host the website on an external web server and point to the location.
Customize Graphic Elements
Graphic elements appear in the header and footer of the website page and include the corporate logo and style sheet. The default logo is "CA Technologies". 
To customize graphic elements of the authorization server website template:
  1. In Policy Manager, navigate to OTK/Policy Fragments/configuration/Authorization Server.
  2. Open the OTK Authorization Server Website Template policy and expand the assertions. You cannot edit this read-only policy directly.
  3. Copy the Set Context Variable content assertion. The assertion contains an HTML form.
  4. Navigate to OTK/Customizations/Authorization Server/.
  5. Open the #OTK Authorization Server Website Template policy and locate the following comment: "getting started: copy variable 'content'..."
  6. Paste the Set Context Variable content assertion.
  7. Double-click the Set Context Variable content assertion to access the HTML content.
  8. Expand the dialog box and edit the HTML content, providing custom information for the following elements:
     Element | Default | Notes
     <title> | ${authorization_server_name} | The name of the web page.
     <style> | ${css} | Provide your internal style sheet, or replace the <style> element with a <link> that references one or more external style sheets, for example: <link rel="stylesheet" type="text/css" href="mystyle.css">
     <img> | ${logo} | Provide the data URI or a link for your custom logo, for example: <img src="myLogo.jpg" alt="grobco" style="width:200px;height:200px;">
     <div id="dynamicContent"> | ${new.content} | Replace with your custom website template content.
     <p class="portal-copyright"> | @ CA Technologies. All rights reserved. | Replace the text with your copyright information.
  9. Click OK to save the customization changes.
  10. Save and Activate the #OTK Authorization Server Website Template policy.
Customize Text Content
Default text shown on the Authorization Server web page is associated with the following three tasks:
  • Login
  • Consent
  • Reset
The text for each task is held in a new.content variable and is associated with a corresponding ${task} variable. For example, when ${task} equals login, the new.content Context Variable that follows it contains the "Please login" string.
To customize the text:
  1. In Policy Manager, navigate to OTK/Policy Fragments/configuration/Authorization Server.
  2. Open the OTK Authorization Server Website Template policy.
  3. Within the policy, find the folder that contains the three assertions that set the new.content variable.
  4. Select the folder and copy it.
  5. Open the #OTK Authorization Server Website Template policy located in OTK/Customizations/Authorization Server.
  6. Paste the folder containing the assertions directly following the comment "=== Add any new Context Variables or extensions below ===". The code must appear before the logic that sets the website template formatting.
  7. Double-click the assertions and modify the content of any of the ${new.content} variables.
  8. Save and Activate.
Default Content
Task: login
<p>Please login:</p>
<form action="${location_login_server}" method="POST" class="form-body form-login" style="margin: 0;">
<input type="hidden" name="sessionID" value="${sessionID}"/>
<input type="hidden" name="sessionData" value="${sessionDataJWT}"/>
<div class="control-group">
<label>Username *</label>
<input type="text" name="username" class="input-block">
</div>
<div class="control-group">
<label>Password *</label>
<input type="password" name="password" class="input-block">
</div>
<div class="row-fluid">
<div class="span12">
<button type="submit" class="btn btn-primary pull-right" name="action" value="login" style="margin-left: 2em;">Login</button>
<button type="submit" class="btn btn-primary pull-right" name="action" value="cancel" style="margin-left: 2em;">Cancel</button>
</div>
</div>
</form>
<div style="clear: both; padding-top: 1em;">
<!--social_login-->
</div>
Task: consent
<p>Welcome <b>${resource_owner}</b> (not ${resource_owner}? <a href="${location_login_server}?action=reset">Click here</a>)</p>
<p>
A client with the following properties is seeking access to resources:
</p>
<table>
<tr><td><b>Client Name:</b></td><td>${client_name}</td></tr>
<tr><td><b>SCOPE (permissions):</b></td><td>${scope}</td></tr>
</table>
<p>Please grant or deny the request</p>
<form action="${location_consent_server}" method="POST">
<input type="hidden" name="sessionID" value="${sessionID}"/>
<input type="hidden" name="sessionData" value="${sessionDataJWT}"/>
<table>
<tr>
<td><button type="submit" class="btn btn-primary pull-right" name="action" value="Deny" style="margin-left: 2em;">Deny</button></td>
<td><button type="submit" class="btn btn-primary pull-right" name="action" value="Grant" style="margin-left: 2em;">Grant</button></td>
</tr>
</table>
</form>
Task: wrong user
<p>Please go back to the client and request access to resources again</p>
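As an added check, not part of OTK or of this page's original content, the following Python script scans a customized login page for the ${...} placeholders it uses. It reports placeholders from the default login content that the customization dropped, and any names that OTK does not define (a mistyped name such as ${sessionId} would otherwise surface only as an empty hidden field at run time). The KNOWN_VARIABLES set is taken from the placeholders shown on this page; treating the form action and the two hidden session fields as mandatory is an assumption of this check, and the customized page it scans is constructed.

```python
import re

# Matches OTK-style context variable references such as ${sessionID} or ${new.content}.
VARIABLE_PATTERN = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")

# Placeholders that appear in the default website template and task content on this page.
KNOWN_VARIABLES = {
    "authorization_server_name", "css", "logo", "new.content",
    "location_login_server", "location_consent_server",
    "sessionID", "sessionDataJWT", "resource_owner", "client_name", "scope",
}

# Assumption of this check: the login form must keep posting the session back to the
# Gateway, so the placeholders of the default form action and hidden fields are mandatory.
REQUIRED_LOGIN_VARIABLES = {"location_login_server", "sessionID", "sessionDataJWT"}


def template_variables(html: str) -> set:
    """Return the set of ${...} variable names referenced in an HTML fragment."""
    return set(VARIABLE_PATTERN.findall(html))


def check_login_content(html: str) -> dict:
    """Report mandatory placeholders the customization dropped and names OTK does not define."""
    used = template_variables(html)
    return {
        "missing": sorted(REQUIRED_LOGIN_VARIABLES - used),
        "unknown": sorted(used - KNOWN_VARIABLES),
    }


# Constructed customization: the sessionData field was removed and sessionID was mistyped.
CUSTOM_LOGIN = """<p>Sign in to Grobco:</p>
<form action="${location_login_server}" method="POST">
<input type="hidden" name="sessionID" value="${sessionId}"/>
<label>Username</label><input type="text" name="username">
<label>Password</label><input type="password" name="password">
<button type="submit" name="action" value="login">Login</button>
</form>"""

if __name__ == "__main__":
    print(check_login_content(CUSTOM_LOGIN))
```

Run the check against the HTML you paste into the Set Context Variable assertion before you Save and Activate; an empty "missing" and "unknown" list means the form still carries the session through to the Gateway.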
Customize the Error Message
The error message is set as HTML code in the error.msg Context Variable in the OTK Authorization Server Website Template policy.
To customize the error message:
  1. In Policy Manager, navigate to OTK/Policy Fragments/configuration/Authorization Server.
  2. Open the OTK Authorization Server Website Template policy.
  3. Locate and copy the Set Context Variable error.msg assertion that has the default HTML content assigned.
  4. Open the #OTK Authorization Website Template policy located in OTK/Customizations/Authorization Server.
  5. Find the comment: ===getting started: copy 'error.msg'...
  6. Paste the Set Context Variable error.msg assertion.
  7. Double-click the assertion and provide your custom error message in HTML format.
  8. Click OK.
  9. Save and Activate.
Host Pages on External Servers
By default, the Authorization server is hosted on the Gateway server (localhost). Optionally, you can use an external website to host the login and consent pages. Different servers can be used for login and consent. Integrate with an existing login page, or create a new login page.
Any external authorization server must be able to perform the following tasks:
  • Validate and create signed and encrypted JWTs using a shared secret.
  • Authenticate the user.
  • Redirect to /auth/oauth/v2/authorize/consent and include all required parameters.
To host the website on an external web server:
  1. In Policy Manager, navigate to OTK/Policy Fragments/configuration/Authorization Server.
  2. Open the OTK Authorization Server Configuration policy to access the context variables shown in the following table.
     Context Variable | Default Value | Notes
     host_login_server | https://${gateway.cluster.hostname}:8443 | The hostname of the login server
     host_consent_server | https://${gateway.cluster.hostname}:8443 | The hostname of the consent server
     path_login_server | /auth/oauth/v2/authorize/login | The path to the endpoint receiving the login request
     path_consent_server | /auth/oauth/v2/authorize/consent | The path to the endpoint receiving the consent request
  3. Copy the Set Context Variable assertions for any Context Variable you want to modify.
  4. Open the #OTK Authorization Server Configuration policy.
  5. Paste the Set Context Variable assertions and provide custom values for the hostname and path information.
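The three tasks an external authorization server must perform, as an added example that is not part of OTK or of this page (Python, standard library only): a login handler that verifies the sessionData JWT posted by the login form against the shared secret, authenticates the user, re-signs the session data with the authenticated user added, and redirects to the consent endpoint built from host_consent_server and path_consent_server. The shared secret, hostname, claim names, user store and the query parameters passed to the consent endpoint are assumptions, since the page does not specify them. Only the signature layer (HS256) is shown; the encryption layer the page mentions is omitted because its algorithm is not stated here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed values: the real deployment uses its own secret, hostname and claim names.
SHARED_SECRET = b"example-shared-secret-configured-on-the-gateway"
HOST_CONSENT_SERVER = "https://gateway.example.com:8443"   # host_consent_server (constructed)
PATH_CONSENT_SERVER = "/auth/oauth/v2/authorize/consent"   # path_consent_server (from the page)
SESSION_TTL_SECONDS = 300                                  # lifetime of the re-issued session JWT (assumed)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Create a compact JWS (HS256) over the claims using the shared secret."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if the signature is valid and the token is unexpired; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")      # pin the algorithm; never trust alg from the token
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store (username -> salt, PBKDF2 digest); stands in for the real identity source.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}


def authenticate(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_pbkdf2(password, salt), digest)


def handle_login(form: dict, now: Optional[float] = None) -> tuple:
    """Process the POST from the login form; returns (HTTP status, response headers)."""
    if form.get("action") != "login":
        return 400, {}
    try:
        session = verify_jwt(form.get("sessionData", ""), SHARED_SECRET, now)
    except ValueError:
        return 400, {}      # tampered, forged or stale session data: never proceed to consent
    if not authenticate(form.get("username", ""), form.get("password", "")):
        return 401, {}
    now = time.time() if now is None else now
    # Re-issue the session data carrying the authenticated user (claim name assumed).
    new_claims = dict(session)
    new_claims["resource_owner"] = form["username"]
    new_claims["exp"] = int(now) + SESSION_TTL_SECONDS
    query = urlencode({"sessionID": form.get("sessionID", ""),
                       "sessionData": sign_jwt(new_claims, SHARED_SECRET)})
    return 302, {"Location": f"{HOST_CONSENT_SERVER}{PATH_CONSENT_SERVER}?{query}"}
```

The handler rejects session data whose signature does not verify under the shared secret before it ever looks at the credentials, so a forged or replayed sessionData can neither reach the consent step nor be used to probe the password check.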
For more information about integrating with an external server, see the following blog post:
Secure Client/Server Communication
Prior to OTK version 4.2, custom configuration settings for Authorization Server communication were made in the OTK Authorization Server Configuration encapsulated assertion. This customization no longer takes effect. Copy any previous customization made in OTK Authorization Server Configuration into the OTK Security Header Extension policy.
The OTK Security Header Extension policy contains optional security settings that enforce HTTPS communication and prevent clickjacking attacks. By default, these security settings are turned off: the assertions are disabled.
To enable and customize client/server communication settings:
  1. Navigate to OTK/Customizations.
  2. Open the OTK Security Header Extension policy.
  3. Enable any of the disabled assertions. The default settings that apply when these assertions are enabled are described below.
  4. Optionally customize the Context Variables and click OK.
  5. Save and Activate.
Security | HTTP Header Default Value | Notes
Enforcement of HTTPS | Strict-Transport-Security: max-age=31536000; includeSubDomains (replace existing) | Responses include the Strict-Transport-Security (HSTS) header, which restricts browser communication with the host to HTTPS only. For details on HSTS, see RFC 6797. The max-age parameter is the time in seconds, counted from when the browser first receives the header, during which the HTTPS-only policy is enforced for the host; any attempt to reach the host over plain HTTP within this time is rejected. The default value is one year. The includeSubDomains parameter extends the HTTPS restriction to subdomains of the host.
Enforcement of no frame overlap | X-Frame-Options: Deny (replace existing) | Protects browsers from clickjacking attacks by preventing the page from being overlaid by or embedded in other frames. Options include: Deny (the page cannot be displayed in a frame) and Sameorigin (the page can only be displayed in a frame on the same origin as the page itself).
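To confirm that the enabled assertions actually reach the browser, here is an added Python check (not part of OTK or of this page) that parses the headers of a captured HTTP response and compares them with the defaults in the table above: an HSTS header with max-age of at least 31536000 and includeSubDomains, and X-Frame-Options set to DENY or SAMEORIGIN. It also flags a duplicated header, since the assertions are meant to replace an existing value rather than add a second one. The two sample responses are constructed.

```python
# Defaults applied by the OTK Security Header Extension when its assertions are enabled.
REQUIRED_HSTS_MAX_AGE = 31536000
ALLOWED_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}
CHECKED_HEADERS = ("strict-transport-security", "x-frame-options")


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into directives (names lower-cased, RFC 6797 syntax)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def parse_response_headers(raw: str) -> list:
    """Return (name, value) pairs from the head of a raw HTTP/1.1 response."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def check_security_headers(pairs: list) -> list:
    """Return findings for (name, value) header pairs; an empty list means the defaults are met."""
    findings = []
    by_name = {}
    for name, value in pairs:
        key = name.lower()
        if key in by_name and key in CHECKED_HEADERS:
            findings.append(f"duplicate {name} header (assertion should replace, not add)")
        by_name[key] = value

    hsts = by_name.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = parse_hsts(hsts)
        max_age = directives.get("max-age", "")
        if not max_age.isdigit() or int(max_age) < REQUIRED_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age!r} is below {REQUIRED_HSTS_MAX_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    xfo = by_name.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.upper() not in ALLOWED_FRAME_OPTIONS:
        findings.append(f"X-Frame-Options {xfo!r} is neither DENY nor SAMEORIGIN")
    return findings


def audit_response(raw: str) -> list:
    return check_security_headers(parse_response_headers(raw))


# Constructed responses: as served with the assertions disabled, and with them enabled.
RESPONSE_DISABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
RESPONSE_ENABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("disabled", RESPONSE_DISABLED), ("enabled", RESPONSE_ENABLED)):
        print(label, audit_response(raw) or "ok")
```

Feed it the raw response captured from the login or consent URL (for example from a browser's network tab or a curl -i dump) after you Save and Activate; any non-empty finding list means the assertion is still disabled or a downstream component is rewriting the header.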