
(WAS v8.5.0.1)

Define an OAuth service provider

An OAuth service provider is defined with a provider configuration file. The shipped sample, OAuthSampleConfig.xml, is in the properties directory under the WAS installation; copy and edit that file to define your own OAuth service provider.

Each parameter carries a customizable attribute. A value of true means the parameter is meant to be modified by users; a value of false means the parameter is typically not updated by users. Customizable parameters are exported with the exportOAuthProps wsadmin task and imported with the importOAuthProps wsadmin task; beyond that, the customizable attribute has no effect on how a parameter is treated. The value of a customizable parameter can be updated as needed for the environment.

The parameter type (ws or cc) is used internally and can be ignored when updating parameters.

In-memory client and token store parameters:

oauth20.client.provider.classname
  Value: client provider implementation class name
  Description: for the in-memory client store, use com.ibm.ws.security.oauth20.plugins.BaseClientProvider.
  Customizable: false

oauth20.token.cache.classname
  Value: token cache implementation class name
  Description: for the in-memory token store, use com.ibm.ws.security.oauth20.plugins.BaseCache.
  Customizable: false

oauth20.token.cache.jndi.tokens
  Value: JNDI name of the dynamic cache object for tokens indexed by ID
  Description: default value is Services/cache/OAuth20MemTokenCache. See the dynamic caching configuration section for usage details.
  Customizable: false

oauth20.token.cache.jndi.users
  Value: JNDI name of the dynamic cache object for tokens indexed by user
  Description: default value is Services/cache/OAuth20MemTokenOwnerCache. See the dynamic caching configuration section for usage details.
  Customizable: false

JDBC-based client and token store parameters:

oauth20.client.provider.classname
  Value: client provider implementation class name
  Description: for the JDBC-based client store, use com.ibm.ws.security.oauth20.plugins.db.CachedDBClientProvider. See the DB Table section for details on database configuration.
  Customizable: false

oauth20.token.cache.classname
  Value: token cache implementation class name
  Description: for the JDBC-based token store, use com.ibm.ws.security.oauth20.plugins.db.CachedDBTokenStore. See the DB Table section for details on database configuration.
  Customizable: false

oauthjdbc.JDBCProvider
  Value: JDBC provider name
  Description: set this value to match the JDBC provider, for example jdbc/oauthProvider.
  Customizable: false

oauthjdbc.client.table
  Value: table name used for the OAuth clients
  Description: set this value to match the database table name, for example OAuthDBSchema.OAUTH20CLIENTCONFIG.
  Customizable: false

oauthjdbc.token.table
  Value: table name used for the OAuth tokens
  Description: set this value to match the database table name, for example OAuthDBSchema.OAUTH20CACHE.
  Customizable: false

oauthjdbc.CleanupInterval
  Value: expired token cleanup interval, in seconds
  Description: delay in seconds between cleanup passes over expired tokens in the database token table.
  Customizable: true

oauthjdbc.LimitRefreshToken
  Value: unused
  Description: unused
  Customizable: true

oauth20.db.token.cache.jndi.tokens
  Value: JNDI name of the dynamic cache object for tokens
  Description: the datastore is backed by a dynamic cache of the specified name, for example services/cache/OAuth20DBTokenCache. See the dynamic caching configuration section for usage details.
  Customizable: false

oauth20.db.token.cache.jndi.client
  Value: JNDI name of the dynamic cache object for clients
  Description: the datastore is backed by a dynamic cache of the specified name, for example services/cache/OAuth20DBClientCache. See the dynamic caching configuration section for usage details.
  Customizable: false

Grant, code, token and provider behavior parameters:

oauth20.max.authorization.grant.lifetime.seconds
  Value: authorization grant lifetime, in seconds
  Description: duration in seconds that an authorization grant is valid, for example 604800.
  Customizable: true

oauth20.code.lifetime.seconds
  Value: authorization code lifetime, in seconds
  Description: duration in seconds that the authorization code is valid during the OAuth dance, for example 60.
  Customizable: true

oauth20.code.length
  Value: integer
  Description: length of the generated OAuth authorization codes.
  Customizable: true

oauth20.token.lifetime.seconds
  Value: integer
  Description: time in seconds that the OAuth access token is valid; a commonly customized value.
  Customizable: true

oauth20.access.token.length
  Value: integer
  Description: length of the generated OAuth access tokens.
  Customizable: true

oauth20.issue.refresh.token
  Value: true or false
  Description: a value of false disables the use and generation of refresh tokens in the OAuth provider.
  Customizable: true

oauth20.refresh.token.length
  Value: can range from 50
  Description: default value is 50.
  Customizable: true

oauth20.access.tokentypehandler.classname
  Value: any OAuth20 token handler class can be specified
  Description: default value is com.ibm.ws.security.oauth20.plugins.BaseTokenHandler. Type is cc.
  Customizable: false

oauth20.mediator.classnames
  Value: optional class name of the OAuth mediator
  Description: see the OAuth mediator section for details.
  Customizable: false

oauth20.allow.public.clients
  Value: true or false
  Description: a value of false disables access by public clients, as detailed in the OAuth specification.
  Customizable: true

oauth20.grant.types.allowed
  Value: one or more of authorization_code, password, refresh_token, client_credentials, implicit
  Description: list of enabled OAuth flows, as detailed in the OAuth specification.
  Customizable: false

oauth20.authorization.form.template
  Value: optional URL of the customized authorization template
  Description: if using a customized authorization form, specify the template location.
  Customizable: true

oauth20.authorization.error.template
  Value: optional URL of the customized authorization error page template
  Description: if using a customized authorization form error page, specify the template location.
  Customizable: true

oauth20.authorization.loginURL
  Value: optional URL of the customized login page
  Description: if using a customized login page, specify the login URL.
  Customizable: true

oauth20.audithandler.classname
  Value: class name of the OAuth audit handler
  Description: optional implementation for advanced logging and auditing. Default value is com.ibm.oauth.core.api.audit.XMLFileOAuthAuditHandler.
  Customizable: true

xmlFileAuditHandler.filename
  Value: file name
  Description: name of the file written by the default audit handler.
  Customizable: true

These parameters can optionally be added as TAI Custom properties instead, which gives more flexibility.

Filter
  Value: any filter condition can be used
  Description: see the TAI configuration parameters and syntax for details.
  Customizable: true

oauthOnly
  Value: true or false
  Description: an example TAI configuration property, used to restrict authentication to OAuth only (true) or to allow the other enabled authentication mechanisms as well (false). See the TAI configuration parameters for details.
  Customizable: true

Optional endpoint parameter and client whitelist to skip the authorization...

oauth20.autoauthorize.param
  Value: any string
  Description: to use autoauthorization, the autoauthorize parameter must be appended to requests as a URL parameter with a value of true.
  Customizable: false

oauth20.autoauthorize.clients
  Value: list of registered client IDs
  Description: clients in this list are able to participate in autoauthorization.
  Customizable: true

oauth20.client.uri.substitutions
  Value: unused
  Description: unused
  Customizable: false
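The following script is an added example, not IBM's code and not part of the sample file. It parses a provider configuration file in the shape of the shipped sample (assumed here: an OAuthServiceProvider root, parameter elements carrying the name, type and customizable attributes described above, each with one or more value children), reports the settings a reviewer would question before exposing the provider (long-lived codes and tokens, public clients, the implicit and password grants, clients listed for autoauthorization), and renders a tightened copy. The embedded configuration is constructed for the example; the client IDs and the review thresholds are the author's, not IBM defaults.

```python
"""Lint a WebSphere OAuth provider configuration for risky settings (added example, not IBM code)."""
import copy
import xml.etree.ElementTree as ET

# Constructed sample: in-memory stores, every grant type on, long lifetimes,
# public clients allowed, two clients whitelisted for autoauthorization.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<OAuthServiceProvider>
  <parameter name="oauth20.client.provider.classname" type="cc" customizable="false">
    <value>com.ibm.ws.security.oauth20.plugins.BaseClientProvider</value>
  </parameter>
  <parameter name="oauth20.token.cache.classname" type="cc" customizable="false">
    <value>com.ibm.ws.security.oauth20.plugins.BaseCache</value>
  </parameter>
  <parameter name="oauth20.code.lifetime.seconds" type="ws" customizable="true">
    <value>600</value>
  </parameter>
  <parameter name="oauth20.token.lifetime.seconds" type="ws" customizable="true">
    <value>86400</value>
  </parameter>
  <parameter name="oauth20.issue.refresh.token" type="ws" customizable="true">
    <value>true</value>
  </parameter>
  <parameter name="oauth20.allow.public.clients" type="ws" customizable="true">
    <value>true</value>
  </parameter>
  <parameter name="oauth20.grant.types.allowed" type="ws" customizable="false">
    <value>authorization_code</value>
    <value>password</value>
    <value>refresh_token</value>
    <value>client_credentials</value>
    <value>implicit</value>
  </parameter>
  <parameter name="oauth20.autoauthorize.clients" type="ws" customizable="true">
    <value>internal-dashboard</value>
    <value>partner-app</value>
  </parameter>
</OAuthServiceProvider>
"""

# Review thresholds chosen by the author of this example, not IBM defaults.
MAX_CODE_LIFETIME = 60      # authorization codes are single use; keep them short
MAX_TOKEN_LIFETIME = 3600   # with refresh tokens on, access tokens can be short
RISKY_GRANTS = {"implicit", "password"}


def parse_provider_config(xml_text):
    """Map parameter name -> {"type", "customizable", "values"} (element shape assumed)."""
    params = {}
    for p in ET.fromstring(xml_text).iter("parameter"):
        params[p.get("name")] = {
            "type": p.get("type") or "ws",
            "customizable": (p.get("customizable") or "false").lower() == "true",
            "values": [v.text.strip() for v in p.findall("value") if v.text],
        }
    return params


def first(params, name, default):
    """First configured value of a parameter, or the default when it is absent."""
    values = params.get(name, {}).get("values", [])
    return values[0] if values else default


def lint(params):
    """Return one finding per setting a reviewer should challenge."""
    findings = []
    code_life = int(first(params, "oauth20.code.lifetime.seconds", "0"))
    if code_life > MAX_CODE_LIFETIME:
        findings.append(f"oauth20.code.lifetime.seconds={code_life}: codes outlive {MAX_CODE_LIFETIME}s")
    token_life = int(first(params, "oauth20.token.lifetime.seconds", "0"))
    refresh_on = first(params, "oauth20.issue.refresh.token", "false") == "true"
    if refresh_on and token_life > MAX_TOKEN_LIFETIME:
        findings.append(f"oauth20.token.lifetime.seconds={token_life}: long-lived access tokens despite refresh tokens")
    if first(params, "oauth20.allow.public.clients", "false") == "true":
        findings.append("oauth20.allow.public.clients=true: non-confidential clients accepted")
    grants = set(params.get("oauth20.grant.types.allowed", {}).get("values", []))
    for grant in sorted(grants & RISKY_GRANTS):
        findings.append(f"oauth20.grant.types.allowed includes {grant}")
    auto = params.get("oauth20.autoauthorize.clients", {}).get("values", [])
    if auto:
        findings.append("oauth20.autoauthorize.clients skips consent for: " + ", ".join(auto))
    return findings


def harden(params):
    """Return a copy with every finding from lint() addressed."""
    out = copy.deepcopy(params)
    set_value = lambda name, val: out.setdefault(name, {"type": "ws", "customizable": True}).update(values=[val])
    set_value("oauth20.code.lifetime.seconds", str(min(int(first(out, "oauth20.code.lifetime.seconds", "0")), MAX_CODE_LIFETIME)))
    if first(out, "oauth20.issue.refresh.token", "false") == "true":
        set_value("oauth20.token.lifetime.seconds", str(min(int(first(out, "oauth20.token.lifetime.seconds", "0")), MAX_TOKEN_LIFETIME)))
    set_value("oauth20.allow.public.clients", "false")
    if "oauth20.grant.types.allowed" in out:
        out["oauth20.grant.types.allowed"]["values"] = [g for g in out["oauth20.grant.types.allowed"]["values"] if g not in RISKY_GRANTS]
    if "oauth20.autoauthorize.clients" in out:
        out["oauth20.autoauthorize.clients"]["values"] = []
    return out


def render(params):
    """Serialize back to the assumed provider-file shape so the result can be imported."""
    root = ET.Element("OAuthServiceProvider")
    for name, p in params.items():
        el = ET.SubElement(root, "parameter", name=name, type=p["type"], customizable=str(p["customizable"]).lower())
        for v in p["values"]:
            ET.SubElement(el, "value").text = v
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    parsed = parse_provider_config(SAMPLE_CONFIG)
    for finding in lint(parsed):
        print("FINDING:", finding)
    print(render(harden(parsed)))
```

Run it as-is to see the six findings for the constructed file, or point parse_provider_config at the text of your own copied OAuthSampleConfig.xml. Note that oauth20.grant.types.allowed is not customizable, so a tightened grant list has to be edited in the provider file itself rather than round-tripped through exportOAuthProps and importOAuthProps.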