Custom consent form template

The OAuth authorization server provides a template for acquiring the user's consent about which OAuth clients are authorized to access the protected resource in given scopes. The template shows the list of scopes requested in the authorization request from the OAuth client.

WebSphere Application Server allows the consent form template to be either a static HTML page or a dynamic web page. In both cases, the template must be provided as an unprotected web resource. The form retriever in WAS integration does not perform any authentication when accessing this template URL.

The WAS OAuth provider includes a simple sample consent form, and allows customization using the oauthFormData variable.

To customize the consent form, edit the oauthFormData variable using JavaScript. The following variables are included in the form data:

The developer of a form template is responsible for using JavaScript to render the template from the contents of the oauthFormData variable. The developer must translate each scope value into something meaningful to a user. When a user authorizes the request, the developer can call the submitForm(oauthFormData) method to perform the authorization. The submitForm method is provided by default. However, developers who are familiar with the OAuth2 protocol can implement their own function to submit the OAuth authorization request.

If globalization is wanted, we can use a dynamic page that returns globalized content according to the Accept-Language header in the request. When the template is retrieved, the Accept-Language header is forwarded as well, and the template developer must decide which content to return based on the preferred language.

The clientDisplayName variable is not escaped in HTML. The template developer must sanitize the value, as the value is input by a user during client registration.

To use a custom consent form template page for a specific OAuth20 service provider, update the service provider configuration file. In the provider configuration, update the oauth20.authorization.form.template parameter and add the template URL as the value. The following example shows a sample template entry in the provider configuration:

<parameter name="oauth20.authorization.loginURL" type="cc" customizable="true">
  <value>https://acme.com:9043/oath20/login.jsp</value>
</parameter>

The following example illustrates a sample consent form:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>OAuth authorization form</title>
<script language="javascript">
function init() {
  // list the requested scopes
  var scope = oauthFormData.scope;
  var scopeEle = document.getElementById("oauth_scope");
  var ul = document.createElement("ul");
  if (scope) {
    for (var i = 0; i < scope.length; i++) {
      var n = document.createElement("li");
      n.innerHTML = scope[i];
      ul.appendChild(n);
    }
  }
  scopeEle.appendChild(ul);
  // set client name; clientDisplayName is not escaped, so escape it here
  var clientEle = document.getElementById("client_name");
  clientEle.innerHTML = escapeHTML(oauthFormData.clientDisplayName);
}

// Escape a string by letting the browser serialize it as text content
function escapeHTML(str) {
  var ele = document.createElement("div");
  ele.innerText = ele.textContent = str;
  return ele.innerHTML;
}
</script>
</head>
<body onload="init()">
  <div>Do you want to allow client
    <span id="client_name" style="font-weight:bold">xxxxxxx</span> to access your data?</div>
  <!-- init() appends the scope list to this element -->
  <div id="oauth_scope"></div>
  <div>
    <input type="button" value="Yes" onclick="javascript:submitForm(oauthFormData);"/>
    <input type="button" value="No, Thanks"/>
  </div>
</body>
</html>
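The two template duties described above, turning scope values into text a user understands and sanitizing clientDisplayName, can be combined in one rendering helper. This is an added example, not IBM's sample code; SCOPE_LABELS, SAMPLE_FORM_DATA and the function names are assumptions, and oauthFormData.scope is assumed to be an array of scope strings, as the sample's loop treats it.

```javascript
// Added example, not IBM sample code. SCOPE_LABELS and SAMPLE_FORM_DATA are
// constructed; real scope names come from your own provider configuration.
var SCOPE_LABELS = {
  "profile.read": "Read your profile",
  "photos.write": "Upload and change your photos"
};

var SAMPLE_FORM_DATA = {
  clientDisplayName: 'Acme "Photos" <b>& Co</b>',
  scope: ["profile.read", "admin<i>"]
};

var HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// String-based escaping: needs no DOM and also covers quote characters.
function escapeHTML(str) {
  return String(str).replace(/[&<>"']/g, function (c) { return HTML_ENTITIES[c]; });
}

// Build display strings that are safe to assign to innerHTML.
function buildConsentView(formData) {
  var scopes = Array.isArray(formData.scope) ? formData.scope : [];
  var items = scopes.map(function (s) {
    // hasOwnProperty keeps names such as "constructor" from matching
    // properties inherited from Object.prototype.
    if (Object.prototype.hasOwnProperty.call(SCOPE_LABELS, s)) {
      return SCOPE_LABELS[s];
    }
    // Show unknown scopes (escaped) instead of hiding them, so the user
    // never approves a permission that was not displayed.
    return "Unrecognized permission: " + escapeHTML(s);
  });
  return {
    clientName: escapeHTML(formData.clientDisplayName || "(unnamed client)"),
    scopeItems: items,
    scopeListHTML: "<ul>" + items.map(function (t) {
      return "<li>" + t + "</li>";
    }).join("") + "</ul>"
  };
}

// Browser hook: call from the form page, where oauthFormData is defined.
function renderConsent() {
  var view = buildConsentView(oauthFormData);
  document.getElementById("client_name").innerHTML = view.clientName;
  document.getElementById("oauth_scope").innerHTML = view.scopeListHTML;
}
```

In the sample form, renderConsent would take the place of init() as the body onload handler.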

