For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.
OAuth resource protection
Learn how to configure and customize OAuth protection for your resources.
- Protected resources
- In the OAuth model, a protected resource is a resource that requires an access token. You can use the MobileFirst security framework to protect both resources hosted on an instance of MobileFirst Server and resources on an external server. You protect a resource by assigning it a scope that defines the permissions required to acquire an access token for the resource. See Overview of the MobileFirst security framework. Access by mobile applications to protected resources is also restricted by the mandatory application scope.
MobileFirst adapter resources are protected by default, meaning that an access token is required to access such resources even when no scope is explicitly assigned to the resource. You can disable the default resource protection.
The resource scope can contain custom scope elements that are mapped to security checks at the application level. Note: An empty scope is also a valid scope, and it still requires an access token.
- Unprotected resources
- An unprotected resource is a resource that does not require an access token. The MobileFirst security framework does not manage access to unprotected resources, and does not validate or check the identity of clients that access these resources. Therefore, features such as Direct Update, blocking device access, or remotely disabling an application are not supported for unprotected resources. See Update Cordova client apps directly and Mobile-application management.
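The following Java adapter resource class is an added example, not code from the original page: it uses the @OAuthSecurity annotation of MobileFirst Foundation Java adapters to show the four cases described above (default protection, explicit empty scope, custom scope elements, protection disabled). The class name, paths and the scope element name accessRestricted are assumptions.

```java
package com.example.adapters; // hypothetical adapter package (assumption)

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import com.ibm.mfp.adapter.api.OAuthSecurity;

// Hypothetical JAX-RS resource class of a MobileFirst Java adapter.
@Path("/inventory")
public class InventoryResource {

    // No annotation: protected by default. A valid access token is still
    // required even though no scope elements are assigned.
    @GET
    @Path("/catalog")
    @Produces(MediaType.TEXT_PLAIN)
    public String catalog() {
        return "catalog (token required, default protection)";
    }

    // Explicit empty scope: a valid scope that still requires an access token.
    @GET
    @Path("/status")
    @Produces(MediaType.TEXT_PLAIN)
    @OAuthSecurity(scope = "")
    public String status() {
        return "status (token required, empty scope)";
    }

    // Custom scope element (assumed name). It is mapped to a security check
    // in the application's scope-elements mapping; the token must satisfy
    // this scope plus the mandatory application scope, if one is defined.
    @GET
    @Path("/orders")
    @Produces(MediaType.TEXT_PLAIN)
    @OAuthSecurity(scope = "accessRestricted")
    public String orders() {
        return "orders (token with accessRestricted scope required)";
    }

    // Default protection disabled: no token is required, so the framework
    // does not validate the caller and Direct Update, device blocking and
    // remote application disabling do not apply to this resource.
    @GET
    @Path("/health")
    @Produces(MediaType.TEXT_PLAIN)
    @OAuthSecurity(enabled = false)
    public String health() {
        return "health (unprotected)";
    }
}
```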
Configure resource protection
- To configure protection of adapter resources hosted on MobileFirst Server, see Configure adapter resource protection.
- To configure protection of resources hosted on an external server (external resources), see Protect resources on external servers.
  - Protect resources on any Java server. See MobileFirst Java Token Validator.
  - Protect resources on WebSphere® Application Server Java servers (Full or Liberty profile). See MobileFirst OAuth Trust Association Interceptor (TAI) for protecting resources on WebSphere Java servers.
  - Protect resources on Node.js servers. See MobileFirst Node.js resource protection.
- To define a mandatory application scope, which is applied to any request by the application to access a protected resource, see Configure a mandatory application scope.
- To map custom scope elements to security checks, see Mapping scope elements.
- Configure adapter resource protection: Learn how to configure MobileFirst OAuth protection for your adapter resources.
- External resources protection: Learn how to use the MobileFirst security framework to protect resources that are stored on external servers (external resources).
- Configure a mandatory application scope: Configure a mandatory application scope to define application-specific authorization logic.
- Mapping scope elements: Map custom scope elements to security checks to define application-specific security logic.
Parent topic: MobileFirst security framework