Copyright ©
Mindbreeze GmbH, A-4020 Linz, 2020.
All rights reserved. All hardware and software names are trade names and/or trademarks of their respective owners.
These documents are confidential. The delivery and presentation of these documents alone does not justify any rights whatsoever to our software, our services and service performance results or other protected rights. The disclosure, publication or reproduction is not permitted.
For reasons of easier legibility, gender differentiation has been dispensed with. In terms of equal treatment, appropriate terms apply to both sexes.
The following settings from the Keycloak server and the Mindbreeze Client Service are needed to configure the IIS authentication proxy.
OAuth Endpoint: https://keykloakserver/auth/realms/master/protocol/openid-connect/token
Client-ID: iis-client
Client-Secret:
Username: iis-client-user
User Role: InSpire Application Impersonation
Configure the Mindbreeze Client Service “Trusted Peer Access Using OAuth 2.0 Bearer Token” section using the settings above.
Add the OAuthProxy handler type declaration to the configuration/system.webServer/handlers node inside the web.config file of your web application.
<configuration>
  <system.webServer>
    <handlers>
      <add name="OAuthProxy"
           path="/_api_mindbreezeinspire"
           verb="*"
           type="Mindbreeze.ResourceProxy.OAuthProxy"
           resourceType="Unspecified"
           preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>
Add the ProxyConfig configuration section declaration to the configuration/configSections node.
<configuration>
  <configSections>
    <sectionGroup name="Mindbreeze">
      <section name="ProxyConfig"
               type="Mindbreeze.ResourceProxy.ProxyConfig"
               allowLocation="true"
               allowDefinition="Everywhere" />
    </sectionGroup>
  </configSections>
</configuration>
Add the Mindbreeze configuration section to the configuration node.
<configuration>
  <Mindbreeze>
    <ProxyConfig logFile="c:\temp\resource_proxy.log" logLevel="Error">
      <ServerUrl url="<clientservice url>"
                 oauth2Endpoint="https://keykloakserver/auth/realms/master/protocol/openid-connect/token"
                 username="iis-client-user"
                 password="<password>"
                 clientId="iis-client"
                 clientSecret="<clientsecret>"
                 disableSSLValidation="false"
                 includeClaimTypesPattern=".*" />
    </ProxyConfig>
  </Mindbreeze>
</configuration>
Copy Mindbreeze.ResourceProxy.dll and its dependencies into the bin directory of your web application and restart the web application from IIS Manager. The resource proxy forwards every HTTP request matching <IIS web application URL>/_api_mindbreezeinspire/path/and/?query to <Client Service URL>/path/and/?query, together with the IIS-authenticated user's name and the OAuth token it obtained from the Keycloak server, to the Mindbreeze Client Service.
Before encrypting the configuration section, make sure that the IIS anonymous machine users (IUSR and IIS_IUSRS) have write permission for the key container directory C:\ProgramData\Microsoft\Crypto\RSA\Crypto\RSA. Encrypting the section keeps the Keycloak user password and client secret out of the plaintext web.config. Now run aspnet_regiis.exe with a directory (c:\tempDir) as parameter that contains a web.config file holding only the ProxyConfig node. Note that ProxyConfig must not be inside the Mindbreeze node in this temporary web.config file.
<configuration>
  <ProxyConfig logFile="c:\temp\resource_proxy.log" logLevel="Error">
    <ServerUrl url="<clientservice url>"
               oauth2Endpoint="https://keykloakserver/auth/realms/master/protocol/openid-connect/token"
               username="iis-client-user"
               password="<password>"
               clientId="iis-client"
               clientSecret="<clientsecret>"
               disableSSLValidation="false"
               includeClaimTypesPattern=".*" />
  </ProxyConfig>
</configuration>
For example:
C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -pef "ProxyConfig" "C:\tempDir"
Microsoft (R) ASP.NET RegIIS version 4.0.30319.0
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Encrypting configuration section...
Succeeded!
After encrypting ProxyConfig, replace the ProxyConfig node inside the Mindbreeze node of your application's web.config file with the encrypted one.
<configuration>
  <Mindbreeze>
    <ProxyConfig configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>Fn6+756cE682pfJD0Eei4jSyOdoiIb1U6XYYbVYCjfw38EZwFGSDFDlbNUe0KVFUgZcGTYw/1aRZRnsR/vrJb9q0c3IRlDYWC9HRolnmBDXna5uZwBkdnD+FYQzc8xMZ9PKoaNjoU645iQNbmdS/6d/QWquQ4ijktdhJJmy0S/kOzyNFvP++DZLnRxl1ML0O7u/RZDVUQacCi623xJQhmbhdrCNnsnvOyjEGOjUS0kWlOpUXAfwJtO9GMJhAWPz9JuIxJxLC/tEtssy+Hf69DVUlyUhwKa/8cKLgwDEM3z0Udt1FaQT7n7htdzVaQbdb3nqrEyvs7ShogfSzWtAezA==</CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>...</CipherValue>
        </CipherData>
      </EncryptedData>
    </ProxyConfig>
  </Mindbreeze>
</configuration>
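As an added example (not part of the Mindbreeze documentation), a short Python audit of a web.config that checks the three pieces configured above and flags a ProxyConfig section still stored in plaintext, a url or oauth2Endpoint that is not HTTPS, and disableSSLValidation set to anything but false; the embedded web.config, its hostnames and the PLACEHOLDER values are constructed for the demonstration.

```python
# Added audit helper, not part of the Mindbreeze documentation: parse a web.config
# and report whether the OAuthProxy handler and the Mindbreeze/ProxyConfig section
# are present and hardened. The web.config below is constructed for this example.
import xml.etree.ElementTree as ET

HANDLER_TYPE = "Mindbreeze.ResourceProxy.OAuthProxy"
SECTION_TYPE = "Mindbreeze.ResourceProxy.ProxyConfig"

SAMPLE_PLAINTEXT = r"""<configuration>
 <configSections><sectionGroup name="Mindbreeze">
  <section name="ProxyConfig" type="Mindbreeze.ResourceProxy.ProxyConfig" allowLocation="true" allowDefinition="Everywhere"/>
 </sectionGroup></configSections>
 <system.webServer><handlers>
  <add name="OAuthProxy" path="/_api_mindbreezeinspire" verb="*" type="Mindbreeze.ResourceProxy.OAuthProxy" resourceType="Unspecified" preCondition="integratedMode"/>
 </handlers></system.webServer>
 <Mindbreeze><ProxyConfig logFile="c:\temp\resource_proxy.log" logLevel="Error">
  <ServerUrl url="http://clientservice.example" oauth2Endpoint="https://keycloak.example/auth/realms/master/protocol/openid-connect/token" username="iis-client-user" password="PLACEHOLDER" clientId="iis-client" clientSecret="PLACEHOLDER" disableSSLValidation="true" includeClaimTypesPattern=".*"/>
 </ProxyConfig></Mindbreeze>
</configuration>"""

def audit_web_config(xml_text: str) -> list[str]:
    """Return findings for one web.config; an empty list means it passed."""
    root = ET.fromstring(xml_text)
    findings = []
    handler = root.find("./system.webServer/handlers/add[@name='OAuthProxy']")
    if handler is None:
        findings.append("OAuthProxy handler is not registered")
    elif handler.get("type") != HANDLER_TYPE:
        findings.append("OAuthProxy handler has unexpected type " + repr(handler.get("type")))
    section = root.find("./configSections/sectionGroup[@name='Mindbreeze']/section[@name='ProxyConfig']")
    if section is None or section.get("type") != SECTION_TYPE:
        findings.append("ProxyConfig section declaration missing or has wrong type")
    proxy = root.find("./Mindbreeze/ProxyConfig")
    if proxy is None:
        return findings + ["Mindbreeze/ProxyConfig node missing"]
    if proxy.get("configProtectionProvider"):
        # aspnet_regiis output: secrets are ciphertext, only provider and key name are readable
        if proxy.find("{http://www.w3.org/2001/04/xmlenc#}EncryptedData") is None:
            findings.append("configProtectionProvider set but no EncryptedData element")
        return findings
    findings.append("ProxyConfig is stored in plaintext; encrypt it with aspnet_regiis -pef")
    server = proxy.find("ServerUrl")
    if server is None:
        return findings + ["ServerUrl element missing"]
    for attr in ("url", "oauth2Endpoint"):  # the user name and token travel over these
        if not (server.get(attr) or "").lower().startswith("https://"):
            findings.append(attr + " does not use https")
    if server.get("disableSSLValidation", "false").lower() != "false":
        findings.append("disableSSLValidation is enabled; the client service certificate is not verified")
    return findings
```

Run it against the real web.config with `audit_web_config(open(path).read())` after each of the steps above; an empty list means the handler, section declaration and encrypted ProxyConfig are all in place.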
Installing the authentication proxy on a SharePoint server can be performed with the stsadm tool for all SharePoint web applications at once, using a supplemental web.config file (webconfig.mindbreeze.xml) in the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\CONFIG directory. The ProxyConfig node should already be encrypted, so that it does not have to be encrypted separately for each web application afterwards. From the SharePoint Management Shell run the following command.
stsadm -o copyappbincontent
Mindbreeze Supplemental Web.config file:
<actions>
  <remove path="configuration/system.webServer/handlers/add[@name='OAuthProxy']"/>
  <add path="configuration/system.webServer/handlers">
    <add name="OAuthProxy"
         path="/_api_mindbreezeinspire"
         verb="*"
         type="Mindbreeze.ResourceProxy.OAuthProxy"
         resourceType="Unspecified"
         preCondition="integratedMode" />
  </add>
  <remove path="configuration/configSections/sectionGroup[@name='Mindbreeze']" />
  <add path="configuration/configSections">
    <sectionGroup name="Mindbreeze">
      <section name="ProxyConfig"
               type="Mindbreeze.ResourceProxy.ProxyConfig"
               allowLocation="true"
               allowDefinition="Everywhere"/>
    </sectionGroup>
  </add>
  <remove path="configuration/Mindbreeze"/>
  <add path="configuration">
    <Mindbreeze>
      <ProxyConfig logFile="c:\temp\proxy.log" logLevel="Error">
        <ServerUrl url="<clientservice>"
                   oauth2Endpoint="https://keykloakserver/auth/realms/master/protocol/openid-connect/token"
                   username="iis-client-user"
                   password="<password>"
                   clientId="iis-client"
                   clientSecret="<clientsecret>"
                   disableSSLValidation="false"
                   includeClaimTypesPattern=".*"/>
      </ProxyConfig>
    </Mindbreeze>
  </add>
</actions>