Configure Domino Rest API IdP
Caution
The Domino server task communicates with the REST API through the KeepManagementURL
. It has a default value of http://localhost:8889
. You can overwrite this setting in the notes.ini
by editing, or creating if missing, the entry KeepManagementURL
(case sensitive). Having configured a TLS certificate, you need to make sure the entry starts with https://
and uses the host name your TLS certificate has been issued for. localhost
, 127.0.0.1
or ::1
won't work. Configuring TLS doesn't change the port. So when you host, your TLS certificate is issued for, is domino.demo.com
and your old entry was missing or is the default of http://localhost:8880
, then your new value needs to be: https://domino.demo.com:8889
. For more information, see Domino REST API task and ports.
About this task
Domino REST API implements an OAuth2 provider. The following is a guide for setting up and configuring Domino REST API's OAuth2 provider.
Before you begin
The oauth.nsf
database exists in your Domino data directory. The Domino IdP uses the oauth.nsf
to store content and refresh information.
Note
-
If you are using Domino+Domino REST API docker image, the
oauth.nsf
should already be in the image but may not be fully configured. -
If for some reason you need to create the
oauth.nsf
, see Set up oauth.nsf, and save it in your Domino data directory.
Procedure
-
Configure Domino REST API to access the
oauth.nsf
.- Create an
oauth.json
file using a text editor. -
Copy the following JSON object to the JSON file.
{ "oauth": { "active": true, "database": "oauth.nsf", "url": "https://sample.keep.io:8880", "authCodeExpiresIn": 120, "accessTokenExpiresIn": 3600, "refreshTokenExpiresIn": 525600 } }
For more information, see the following table:
Property Description active
Required
Has a boolean value indicating if the provided token is now active. If the token is issued by this authorization server, it isn't revoked by the user, and is not yet expired, the value should betrue
.database
The nsf
file where the authorization details are stored.url
Server URL authCodeExpiresIn
The code expiration time in seconds accessTokenExpiresIn
The access token expiration time in seconds refreshTokenExpiresIn
The refresh token expiration time in seconds -
Change the value of the
url
parameter to match your Domino REST API host.Note
The indicated
url
value in the JSON object above is just an example value. -
(Optional) Adjust the expiration time values as needed.
-
Save the JSON file in the
keepconfig.d
directory located in your Domino data directory.Note
You need to create the
keepconfig.d
directory if not yet existing. -
Restart Domino REST API.
- Create an
-
Add the
OAuthAdmin
role for the ACL entry.Be sure to thoroughly examine the ACL:
- By default, the configured access level is
Author
with the capability to create information but unable to remove it. - All servers involved must have at least an
Editor
access level and theOAuthAdmin
role assigned. If you DON'T have this role, you'll only see your documents or records. -
Administrators requiring troubleshooting capabilities should have
Editor
access level and theOAuthAdmin
role assigned. - Ensure the database is copied to all servers involved.
- By default, the configured access level is