
Deployment: OAuth2 Protocol

BlockApps STRATO integrates with enterprise user authorization frameworks, e.g., OAuth2, to allow user access and achieve single sign-on for blockchain applications. To enable OAuth on a node, additional configuration options must be passed to the node when STRATO is set up. This section provides an overview of how to enable the OAuth solution on the node during STRATO setup. For more information on why OAuth2 is needed and how OAuth works, see the [OAuth] topic under the [Quickstart] section of this documentation.


For STRATO versions 4.4 and forward, the following variables need to be either added to the script you use to start up and run STRATO or passed as command line arguments before ./strato.

The arguments are as follows:

OAUTH_DISCOVERY_URL=<your keycloak or other credential provider link>
As shown in the example above, you need to add a port number when using an OAuth integration. For OAuth, we currently recommend the use of port 8080. Corresponding with the addition of a port, we will need to add the port number at the end of our NODE_HOST variable. In addition, OAUTH_ENABLED=true enables token validation.

When running an application with OAuth enabled, you will also need to have authorization tokens saved in an environment file or read into a script and passed to your application. More detail about that can be found in the QuickStart - OAuth section.

For STRATO versions 4.5 and later, a private key encryption variable is needed.

If you are manually starting or restarting a STRATO node with OAuth, you will need to provide a key encryption password. This password is used to encrypt STRATO users' private keys.

If you need to start a new STRATO node programmatically, calling strato-getting-started from a script, you pass the environment variable PASSWORD into the strato-getting-started script. If starting STRATO without using strato-getting-started, the following command must be executed before the node will allow transactions to be signed by OAuth accounts:

docker exec -it strato_bloc_1 curl -X POST http://vault-wrapper:8000/strato/v2.3/password -H "Content-Type: application/json" -d '"<your_chosen_password>"'
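
The command above puts the password on the command line, where it is recorded in shell history and visible in process listings on the host and in the container. The following is an added example, not BlockApps code, that prompts for the password without echo and sends it over stdin. It assumes the vault wrapper parses the request body as a JSON string, as the quoted body in the command above suggests. The container name and URL are taken from that command, and `json_string` and `set_vault_password` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: send the key encryption password to the vault wrapper over
# stdin instead of typing it into the docker exec command line.
# json_string and set_vault_password are hypothetical helper names.

# Encode $1 as a JSON string literal, the body format the page's command uses.
# Fails on an empty value or one containing control characters.
json_string() {
    [ -n "$1" ] || return 1
    # Stripping control characters must leave the value unchanged.
    [ "$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')" = "$1" ] || return 1
    # Escape backslashes first, then double quotes, and wrap in quotes.
    printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Prompt without echo, then POST the encoded password from stdin.
set_vault_password() {
    printf 'Key encryption password: ' >&2
    stty -echo
    IFS= read -r pw
    stty echo
    printf '\n' >&2
    body=$(json_string "$pw") || {
        echo 'rejected: empty password or control characters' >&2
        return 1
    }
    unset pw
    # -i without -t: stdin is a pipe, not a terminal. curl reads the body
    # from stdin (@-), so the password is in no process's argument list.
    printf '%s' "$body" | docker exec -i strato_bloc_1 curl -sS --fail \
        -X POST http://vault-wrapper:8000/strato/v2.3/password \
        -H "Content-Type: application/json" --data-binary @-
}

# Only runs when invoked as: sh set_vault_password.sh --run
if [ "${1:-}" = "--run" ]; then
    set_vault_password
fi
```

Escaping matters here because a password containing a double quote or backslash would otherwise produce an invalid JSON body.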