Application customization - PaloAltoNetworks/app-f-oauth2-shared GitHub Wiki
Application customization
Using AWS API GW stage variables
Some aspects of the application can be tuned with optional AWS API GW stage variables. The following lists these variables with their default values and descriptions.

DBTABLE
(mandatory) The CFT must have created a DynamoDB table with this name and must grant the Lambda function CRUD access to that table (inline policy in the IAM role named newoa2cft-oauth2sharedlambdaRole-...).

SCOPE
(optional / defaults to "") A space-separated sequence made up of a subset of the entries in the scopes parameter of the manifest file (example: "logging-service:read event-service:read").

MASTERSECRET
(optional) Used as the HMAC key for the user passwords stored in the database. Do not change or newly provide this stage variable once the first user account has been created: password digests computed under the previous key will no longer verify and those accounts will be locked out.

SMPREFIX
(optional / defaults to 'oa2s') A prefix used for all generated secrets stored in the AWS Secrets Manager service.

AUTOREFRESH
(optional / defaults to 'false') Enables the autoRefresh feature in the token manager entry point. If set to true, any GET:/token operation performed in the last 5 minutes of the access token's validity triggers a GET:/token/refresh operation and returns the refreshed access token.

SESSTOUT
(optional / defaults to 30 minutes) Application idle user session timeout.

SESSGUARD
(optional / defaults to 5 minutes) Guard period before the session's timeout point; a request arriving inside this period triggers a new session cookie.

COOKIENAME
(optional / defaults to 'oauth2shared') Name of the cookie used to keep the session access token.
oa2sc JS class
A browser-based class (depends on jQuery) that implements the OAuth2 Shared Component front-end API is provided in the source code at /src/static/oa2sclient.ts.
That class can be used in any React-like framework. Once instantiated (only the base URL must be provided to the factory method) it offers:
- an instances property: an array of all the instance_id's registered under the logged-in user. Each entry in the array has the following properties:
  - uuid: unique identifier of this instance_id record in the DynamoDB database
  - instanceId: the instance_id value provided by the Palo Alto Networks Cloud Portal
  - description: as provided by the user in the LS Alias field during the application activation in the Cloud Portal
  - activated: boolean indicating whether the OAuth2 Code Grant flow has been completed
  - region: region where the Logging Service instance has been deployed. This value is critical because the Application Framework provides a distinct API entry point in each region (https://api.[eu|us].paloaltonetworks.com)
  - used: boolean indicating that this instance would refuse to be deleted because it still has valid long-term tokens attached to it
  - apitok: an array containing all long-term tokens issued for this instance. Each entry in the array contains:
    - uuid: unique identifier of this long-term token record in the DynamoDB database
    - value: the long-term token itself
    - subject: a meaningful description of the reason the long-term token was issued
    - expiration: a UNIX timestamp (in seconds) with the expiration date
    - revoked: flag indicating this token is held in the revocation list DB
    - invalid: convenience flag indicating the expiration time is already past
- the getOa2sc static factory method, which returns an instantiated object given the base URL. The provided URL may carry a "create new instance" query string that the factory method honors.
- the addToken method, to issue a new long-term token
- the removeToken method, to delete a long-term token (it is automatically revoked if still valid)
- the revokeToken method, to revoke a long-term token
- the removeInstance method, to remove an instance from the database (it fails if the instance still has long-term tokens bound to it)
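The following is an added example, not the project's oa2sclient.ts, showing how a front end built on the instances array above can recompute the used and invalid flags from the token data, derive the regional Application Framework entry point from region, and work out which tokens must be revoked before removeInstance can succeed. The sample instances are constructed to match the documented entry shape; their uuid, instanceId and value fields are placeholders.

```javascript
// Added example (not part of the app-f-oauth2-shared code base).

// A long-term token still counts against an instance if it is neither revoked
// nor past its expiration timestamp (UNIX seconds).
function isTokenLive(tok, nowSec) {
  return !tok.revoked && tok.expiration > nowSec;
}

// Recompute the documented convenience flags from the token records themselves:
// invalid = expiration already passed; used = at least one live token remains.
function annotate(instance, nowSec) {
  const apitok = instance.apitok.map((t) => ({ ...t, invalid: t.expiration <= nowSec }));
  const used = apitok.some((t) => isTokenLive(t, nowSec));
  return { ...instance, apitok, used };
}

// Regional API entry point, following the https://api.[eu|us].paloaltonetworks.com
// pattern from the page. Anything else is rejected rather than guessed.
function apiEntryPoint(region) {
  if (!['eu', 'us'].includes(region)) {
    throw new Error(`unsupported region: ${region}`);
  }
  return `https://api.${region}.paloaltonetworks.com`;
}

// removeInstance fails while long-term tokens are bound to the instance, so list the
// live tokens that must go through removeToken (which revokes them) first.
function removalPlan(instances, nowSec) {
  return instances.map((raw) => {
    const inst = annotate(raw, nowSec);
    const revokeFirst = inst.apitok.filter((t) => isTokenLive(t, nowSec)).map((t) => t.uuid);
    return {
      instanceId: inst.instanceId,
      entryPoint: apiEntryPoint(inst.region),
      used: inst.used,
      removable: revokeFirst.length === 0,
      revokeFirst,
    };
  });
}

// Constructed sample resembling what `instances` holds after login (placeholder values).
const NOW = 1700000000;
const sampleInstances = [
  {
    uuid: 'inst-a', instanceId: '1234567890', description: 'prod LS',
    activated: true, region: 'us', used: true,
    apitok: [
      { uuid: 'tok-1', value: 'redacted', subject: 'SIEM pull', expiration: NOW + 86400, revoked: false, invalid: false },
      { uuid: 'tok-2', value: 'redacted', subject: 'old job', expiration: NOW - 60, revoked: false, invalid: true },
    ],
  },
  {
    uuid: 'inst-b', instanceId: '0987654321', description: 'lab LS',
    activated: false, region: 'eu', used: false,
    apitok: [
      { uuid: 'tok-3', value: 'redacted', subject: 'test', expiration: NOW + 86400, revoked: true, invalid: false },
    ],
  },
];
```

Run against the sample, the first instance is reported as not removable until tok-1 is revoked (tok-2 has already expired and does not count), while the second instance is removable because its only token is already on the revocation list.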
The minimalist application
A minimalist Vue-based application is provided as an implementation example at /src/static/apppage.html (it depends on /src/static/appvue.ts).
Any company willing to brand or extend the application can do so by replacing the apppage.html file.