Skip to content

OAuth2 using Json Web Tokens

In our platform we use JWT tokens mechanism by using OAuth2 protocol. Password, RefreshToken and ClientCredentials flow are supported. Tokens issued by platform are signed with the private key. For tokens validations it is possibile to use public certificate or Authority URL. Paths to certificates and Authority URL are specified in section Auth in appsetting.json file.

Example of creation self-signed certificates for signature and validation of tokens using OpenSSL

Generation of private key

openssl.exe genpkey -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -pass file:certpass.txt -des3 -out virtocommerce.key - In certpass.txt file you should specify a password for the private key (the system will not work if the key file is not protected with password)

Generation of certificate

openssl.exe req -x509 -nodes -days 3650 -key virtocommerce.key -config certconfig.txt -extensions req_ext -passin file:certpass.txt -out virtocommerce.crt

Example of certconfig.txt file

[ req ]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName =
countryName = RU
stateOrProvinceName = Kaliningrad
organizationName = Virtocommerce
[ req_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = @alt_names
[ alt_names ]
DNS.0 =

Creation of pfx container for private key and certificate

openssl.exe pkcs12 -export -out virtocommerce.pfx -inkey virtocommerce.key -in virtocommerce.crt - The system does not accept private keys smaller than 2048 Bits

OAuth2 Authorization using Client credential flow

How to add new client

In order to authorize client applications (for example, Storefront), it is possible to use the Client credential flow mechanism of OAuth2 protocol. - Go to blade OAuth applications in Security menu and create new application using Add button. This will automatically generate Client Id and Client secret, which should be saved, as system will not allow you to view already saved Client secret. Once all fields are filled in you should click Ok and a new OAuth2 client will be created.
Note: You can change Client Id and Client secret only in the process of creation of new application (you will not be able to change them in future). You can also specify Display Name for more information.

  • Then the client application will be able to authorize requests to the Api using the previously created Client Id and Client secret. For example, in Storefront, all you need to do is specify the Client Id, Client secret created earlier, and also specify the authorization server in the Endpoint section of the appsettings.json file.

Last update: June 9, 2020