Configuring Blitz Keeper#

Blitz Keeper is configured by editing the configuration file blitz-keeper.conf located in the /etc/blitz-keeper directory. Example of the configuration file:

{
  "authenticators": {
    "prod-auth": {
      "type": "token-exchange",
      "te": "https://blitz-host/blitz/oauth/te",
    },
  },
  "services" : {
    "api-1":{
      "display-name" : "secured services",
      "host": "service-host.com",
      "locations": {
        "/api/service1/**": {
          "methods" : ["GET","POST"],
          "authenticator": "prod-auth",
          "required-scopes": ["scope1","scope2"]
        },
        "/path/api/user/*/getdata/**": {
          "methods" : ["GET","PUT"],
          "authenticator": "prod-auth",
          "required-scopes": ["scope3"]
        }
      }
    }
  }
}

In the authenticators block it is necessary to register all used blitz-idp authorization services. Usually it is sufficient to use one single authorization service to protect the services, and then only one block needs to be filled in as in the example (in the example one authorization service named prod-auth is registered). If several separate Blitz Identity Provider installations are used in the system (for example, PROD and TEST environment or internal loop for employees and external loop for clients), then you can use a common security gateway that will interact with several different authorization services - then you need to specify the settings of several authorization services in the authenticators block. For each authorization service a name is set (in the example prod-auth is used, but you can set any name). In the settings block of the authorization service the type of interaction (type) is set in the value token-exchange (so far it is the only supported type of interaction) and the address (te) of the call of the Token Endpoint handler of the authorization service. If blitz-keeper is deployed on separate servers, it is recommended to specify the address of the handler with https and domain name. If the blitz-keeper application is deployed on the same server as the blitz-idp authorization service, it is recommended to specify a local name in te, e.g. http://localhost:9000/blitz/oauth/te.

In the services block you must register the protected services. You can create a common settings block or several separate blocks for all protected services. Each block has a name (in the example, api-1). The settings are defined inside the block:

  • display-name - text description of the service (any comment or description);

  • host - server address of the secured service;

  • locations - allowed paths and operations of service invoke.

The locations block specifies the settings of all service paths and allowed methods. The service address is specified as the name of each nested block. It is acceptable to use an asterisk (*) in the address to indicate the omission of a separate component in the service path address and it is acceptable to use a double asterisk (**) to indicate that the rest of the service path can be any component. Within the service address nested block, you can optionally list the allowed methods of the service (methods setting), specify the name of the authorization service to be used (authenticator setting) and a list of permissions (required-scopes setting) for the target access token to be included in the access token passed to the protected service.

After changing the settings in blitz-keeper.conf, the security gateway must be restarted.