(WAS v8.5.0.1)

Create an OAuth service provider

This task assumes that we have enabled the OAuth 2.0 feature.

Before we can use the WAS as an OAuth service provider, create one or more OAuth providers. The OAuth service provider includes the authorization server and the resource server.

1. Create an OAuth provider configuration file.
   app_server_root/properties/OauthConfigSample.xml

   This provider configuration file must exist before we can create an OAuth provider. For a template, use...

   Ensure that the value of the filterparameter in the provider configuration file matches the URL of the protected resource.

2. Create OAuth provider.

   We can create the OAuth provider by using either wsadmin utility or the console.

   • Create the OAuth provider using the wsadmin utility...

   • Start wsadmin...
     cd app_server_root/bin
     wsadmin -lang jython

     At the wsadmin prompt, enter the following command:

     AdminTask.createOAuthProvider('[-providerName <OAuthProviderName> -fileName <ProviderConfigFile>]')
     • AdminConfig.save()
       quit

     For example:

     AdminTask.createOAuthProvider('[-providerName OAuthConfigSample -fileName c:/temp/OAuthConfigSample.xml]')

     The command copies the provider configuration file to...

     <was_profile_root>/config/cells/<cell_name>/oauth20

     Restart the WAS.

   • Create the OAuth provider using the console.

     Copy the provider configuration file to...

     <was_profile_home>/config/cells/<cell_name>/oauth20
     1. Log on to the WAS console and click...
        Security | Global security | | Web and SIP security | Trust association | Interceptors | com.ibm.ws.security.oauth20.tai.OAuthTAI | Custom properties

     2. Add the the following properties:

        Name: provider_1.name
        Value: <OauthProviderName>

        The provider name must be the same as the provider configuration file name, without the file extension. For example, if the provider configuration file is OauthConfigSample.xml, specify OauthConfigSample as the provider name.gotcha

        Name: provider_1.filter
        Value: <filter_condition>

        The value of the filter property specifies the filter condition for the protected resource. For example:

        request-url%=snoop, applicationNames==OAuthApplication

     3. Restart WAS.

3. Register OAuth clients.

   Before OAuth clients can access any resources protected by the OAuth trust association interceptor (TAI), the clients must be registered with the OAuth service provider. We can register clients by using one of the following two methods.

   • Registering clients by using an XML file.

     We can use an XML file for storing the registered clients. The OauthConfigSample.xml template provider configuration file provides a com.ibm.ws.security.oauth20.plugins.BaseClientProvider class that stores the registered clients in the base.clients.xml file. The base.clients.xml file must exist in the same directory as the provider configuration file under <was_profile_root>/config/cells/<cell_name>/oauth20.

     To use the BaseClientProvider class for registering clients by using an XML file, add one or more OAuth clients to the base.clients.xml file. We can use the base.clients.xml file under the <app_server_root>/properties directory as a template for adding registered clients.

   • Registering clients by using a JDBC database store.

     We can also use a JDBC database for registering OAuth clients. The OauthConfigSample.xml template provider configuration file contains example parameters for configuring a JDBC database store for registering OAuth clients. The details of configuring a JDBC database store for registered clients are beyond the scope of this topic.

Results

Your WebSphere Application Server is now configured as a service provider for OAuth 2.0.

What to do next

For additional configuration options for the service provider, see the following topics:

• OAuth TAI custom properties
• OAuth (AdminTask)

Related concepts

OAuth (AdminTask)

OAuth TAI custom properties