WAS v8.5 > Secure applications > Authorizing access to resources > OAuth > OAuth 2.0 services

Create an OAuth service provider

This task assumes that we have enabled the OAuth 2.0 feature.

Before we can use the WebSphere Application Server as an OAuth service provider, create one or more OAuth providers. The OAuth service provider includes the authorization server and the resource server.

  1. Create an OAuth provider. To create an OAuth provider, you must have an OAuth provider configuration file; it must exist before we can create the provider. We can use the OauthConfigSample.xml sample provider configuration file under the app_server_root/properties directory as a template for creating the provider configuration file for OAuth scenarios.

    Before creating the OAuth provider, ensure that the value of the filter parameter in the provider configuration file matches the URL of the protected resource.

    We can create the OAuth provider using either the wsadmin utility or the dmgr console.

    • Create the OAuth provider using the wsadmin utility.

    1. Start the WAS.
    2. Start the wsadmin command-line utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython.
    3. At the wsadmin prompt, enter the following command: AdminTask.createOAuthProvider('[-providerName <OAuthProviderName> -fileName <ProviderConfigFile>]') where OAuthProviderName is the OAuth provider name, and ProviderConfigFile is the full path name of the OAuth provider configuration file. For example:
      AdminTask.createOAuthProvider('[-providerName OAuthConfigSample -fileName c:/temp/OAuthConfigSample.xml]')

      The previous command copies the provider configuration file to the <was_profile_root>/config/cells/cell_name/oauth20 directory.

    4. Save the configuration by entering the following command: AdminConfig.save().
    5. Exit the wsadmin utility by entering the following command: quit.

    6. Restart the WAS.
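      Steps 2 through 5 above can be scripted instead of typed at the prompt. The following wsadmin Jython script is an added example and is not part of the IBM documentation: it derives the provider name from the configuration file name (the rule the TAI imposes, see the dmgr console steps), confirms that the file exists and contains the expected filter condition before anything is changed, and then issues the same AdminTask.createOAuthProvider and AdminConfig.save() calls shown above. The file path, provider name and filter value are constructed placeholders, and the script name createOAuthProvider.py is an assumption.

```jython
# Added example (not from the IBM documentation): wsadmin Jython script that
# automates steps 2-5 of the wsadmin procedure, with the checks the text asks
# for performed before any configuration change is made. Run it with:
#   wsadmin -lang jython -f createOAuthProvider.py
# Only AdminTask.createOAuthProvider and AdminConfig.save come from the page;
# the path, provider name and filter value below are constructed placeholders.
import os

# Constructed values: adjust to the deployment.
providerConfigFile = 'c:/temp/OAuthConfigSample.xml'

# The TAI expects the provider name to equal the configuration file name
# without its extension, so derive it instead of typing it twice.
providerName = os.path.splitext(os.path.basename(providerConfigFile))[0]

# The filter condition through which the protected resource is reached
# (constructed; must match the filter parameter inside the config file).
expectedFilter = 'request-url%=snoop, applicationNames==OAuthApplication'


def checkProviderConfig(path, filterValue):
    """Fail fast if the file is missing or its filter does not name the resource."""
    if not os.path.isfile(path):
        raise IOError('provider configuration file not found: ' + path)
    f = open(path)
    try:
        text = f.read()
    finally:
        f.close()
    if text.find(filterValue) < 0:
        raise ValueError('filter parameter in ' + path
                         + ' does not match the protected resource: ' + filterValue)


# Pre-flight checks: nothing is written to the cell until these pass.
checkProviderConfig(providerConfigFile, expectedFilter)

print 'Creating OAuth provider %s from %s' % (providerName, providerConfigFile)
# Same command as step 3; the file is copied under config/cells/<cell>/oauth20.
AdminTask.createOAuthProvider('[-providerName %s -fileName %s]'
                              % (providerName, providerConfigFile))
# Same as step 4: persist the change to the master configuration.
AdminConfig.save()
print 'Saved. Restart the server so the OAuth TAI picks up the new provider.'
```

      The script uses only Jython 2.1 syntax (print statement, no with-blocks) so it runs under the wsadmin interpreter shipped with WAS v8.5; the restart in step 6 still has to be done afterwards.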

    • Create the OAuth provider using the dmgr console.

    1. Copy the provider configuration file to the <was_profile_home>/config/cells/cell_name/oauth20 directory.
    2. Log on to the dmgr console.

    3. Click Security > Global security.

    4. Expand Web and SIP security.

    5. Click Trust association.

    6. Click Interceptors.

    7. Click com.ibm.ws.security.oauth20.tai.OAuthTAI.

    8. Under Custom properties, add the following properties:

      Name: provider_1.name

      Value: <OauthProviderName>

      The provider name must be the same as the provider configuration file name, without the file extension. For example, if the provider configuration file is OauthConfigSample.xml, specify OauthConfigSample as the provider name.

      Name: provider_1.filter

      Value: <filter_condition>

      The value of the filter property specifies the filter condition for the protected resource. For example:

        request-url%=snoop, applicationNames==OAuthApplication

    9. Click OK.

    10. Restart the WAS.

  2. Register OAuth clients. Before OAuth clients can access any resources protected by the OAuth trust association interceptor (TAI), the clients must be registered with the OAuth service provider. We can register clients using either of the following two methods.

    • Registering clients using an XML file.

      We can use an XML file for storing the registered clients. The OauthConfigSample.xml template provider configuration file provides a com.ibm.ws.security.oauth20.plugins.BaseClientProvider class that stores the registered clients in the base.clients.xml file. The base.clients.xml file must exist in the same directory as the provider configuration file under <was_profile_root>/config/cells/cell_name/oauth20.

      To use the BaseClientProvider class for registering clients in an XML file, add one or more OAuth clients to the base.clients.xml file. We can use the base.clients.xml file under the WAS_ROOT/properties directory as a template for adding registered clients.

    • Registering clients using a JDBC database store.

      We can also use a JDBC database for registering OAuth clients. The OauthConfigSample.xml template provider configuration file contains example parameters for configuring a JDBC database store for registering OAuth clients. The details of configuring a JDBC database store for registered clients are beyond the scope of this topic.


Results

Your WAS is now configured as a service provider for OAuth 2.0.

For additional configuration options for the service provider, see the following topics:


Related concepts:

OAuth command group for AdminTask


Reference:

OAuth TAI custom properties
