OAuth 2.0 services
WebSphere Application Server OAuth services include both the OAuth authorization service and the web resource authorization decision service.
The OAuth 2.0 authorization service provides all OAuth 2.0 protocol endpoint URLs, and is responsible for client authorization and token issuing.
The web resource authorization decision service is built into the Liberty profile web authentication code. When a client accesses an OAuth protected web resource, the OAuth token is validated and mapped to a WebSphere Application Server platform security subject that the web request then runs under.
Subtopics
- Defining an OAuth service provider
An OAuth service provider is a named set of configuration options for OAuth. The id or name of the provider is specified in the URL of inbound requests to the authorization and token endpoints, and the set of configuration options for that provider is used when the request is handled. This approach allows one server with one endpoint servlet to effectively provide multiple OAuth configurations. For example, the https://my.company.com:8021/oauth2/endpoint/photoShare/authorize URL is handled using the set of OAuth configuration options defined for the OAuth provider named photoShare. The https://my.company.com:8021/oauth2/endpoint/calendarAuthz/authorize URL is handled using the set of OAuth configuration options defined for the OAuth provider named calendarAuthz.
- OAuth full profile provider configuration equivalents
The following tables map the Liberty profile server.xml file elements and attributes to the equivalent full profile provider parameters in the provider configuration file.
- Configure automatic authorization
- OAuth endpoint URLs
After OAuth 2.0 is enabled, several endpoint URLs are configured on the WebSphere Application Server so that OAuth clients can communicate with the OAuth service provider before accessing OAuth protected resources.