Define an OAuth service provider
The OAuth service provider is defined in a provider configuration file. A sample file is shipped at:
WAS_HOME/properties/OAuthConfigSample.xml
We can copy and edit this file to define an OAuth service provider.
Each parameter carries a customizable flag: true means the value is meant to be modified by users, false means the value is typically not changed by users.
Customizable parameters are exported with the wsadmin command:
wsadmin exportOAuthProps
and imported with:
wsadmin importOAuthProps
The parameter type (ws or cc) is used internally and can be ignored when updating parameters.
Active parameters for in-memory clients and token stores
| Description | Parameter name | Value | Customizable |
|---|---|---|---|
| Class for the in-memory client store | oauth20.client.provider.classname | com.ibm.ws.security.oauth20.plugins.BaseClientProvider | False |
| Class for the in-memory token store | oauth20.token.cache.classname | com.ibm.ws.security.oauth20.plugins.BaseCache | False |
| JNDI name of the dynamic cache object for tokens indexed by ID | oauth20.token.cache.jndi.tokens | Services/cache/OAuth20MemTokenCache | False |
| JNDI name of the dynamic cache object for tokens indexed by user | oauth20.token.cache.jndi.users | Services/cache/OAuth20MemTokenOwnerCache | False |
Parameters for JDBC Database Stores
| Description | Parameter name | Value | Customizable |
|---|---|---|---|
| Number of seconds a client can stay in the cache after being loaded from the database. Set to zero (0) to disable the cache. | oauth20.client.distributed.cache.seconds | 360 | True |
| Class for the JDBC-based client store | oauth20.client.provider.classname | com.ibm.ws.security.oauth20.plugins.db.CachedDBClientProvider | False |
| Class for the JDBC-based token store | oauth20.token.cache.classname | com.ibm.ws.security.oauth20.plugins.db.CachedDBTokenStore | False |
| JDBC provider | oauthjdbc.JDBCProvider | jdbc/oauthProvider | False |
| DB table used for the OAuth clients | oauthjdbc.client.table | OAuthDBSchema.OAUTH20CLIENTCONFIG | False |
| DB table used for the OAuth tokens | oauthjdbc.token.table | OAuthDBSchema.OAUTH20CACHE | False |
| Delay time in seconds between cleanups of expired tokens in the database token table | oauthjdbc.CleanupInterval | Expired token cleanup interval in seconds | True |
| unused | oauthjdbc.LimitRefreshToken | unused | True |
| JNDI name of the dynamic cache object for tokens. The datastore is backed by a dynamic cache with the specified name. | oauth20.db.token.cache.jndi.tokens | services/cache/OAuth20DBTokenCache | False |
| JNDI name of the dynamic cache object for clients. The datastore is backed by a dynamic cache with the specified name. | oauth20.db.token.cache.jndi.client | services/cache/OAuth20DBClientCache | False |
| If true, the TAI emits a java.sql.SQLException error when attempting to access the database. Default is false. | oauthjdbc.AlternateSelectCountQuery | false | True |
OAuth Access Time Lengths
The access time allotted to a client depends on the level of authorization.
| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| oauth20.max.authorization.grant.lifetime.seconds | 604800 | Duration in seconds that an authorization grant is valid. | True |
| oauth20.code.lifetime.seconds | 60 | Duration in seconds that the authorization code is valid during the OAuth dance. | True |
| oauth20.code.length | integer | Length of the generated OAuth authorization codes. | True |
| oauth20.token.lifetime.seconds | integer | Time in seconds that the OAuth access token is valid; a commonly customized value. | True |
| oauth20.access.token.length | integer | Length of the generated OAuth access tokens. | True |
| oauth20.issue.refresh.token | true or false | A value of false disables use and generation of refresh tokens in the OAuth provider. | True |
| oauth20.refresh.token.length | Value can range from 50 | Default value is 50. | True |
| oauth20.access.tokentypehandler.classname | com.ibm.ws.security.oauth20.plugins.BaseTokenHandler | Any OAuth20 token handler can be specified. Type is cc. | False |
| oauth20.mediator.classnames | Optional class name of the OAuth mediator | See the OAuth mediator section for details. | False |
| oauth20.allow.public.clients | true or false | A value of false disables access of public clients as detailed in the OAuth specification. | True |
| oauth20.grant.types.allowed | Possible values are: authorization_code, password, refresh_tokens, client_credentials, or implicit | List of enabled OAuth flows, as detailed in the OAuth specification. | False |
| oauth20.authorization.form.template | Optional URL to the customized authorization template | If using a customized authorization form, specify the template location. | True |
| oauth20.authorization.error.template | Optional URL to the customized authorization error page template | If using a customized authorization form error page, specify the template location. | True |
| oauth20.authorization.loginURL | Optional URL to the customized login page | If using a customized login page, specify the login URL. | True |
| oauth20.audithandler.classname | Class name of the OAuth audit handler | Optional implementation for advanced logging and auditing. Default value is com.ibm.oauth.core.api.audit.XMLFileOAuthAuditHandler. | True |
| oauth20.template.lifetime.seconds | Template lifetime, in seconds. The default is 600. | The time that a template should remain in the template cache. oauth20.template.lifetime.seconds overrides any setting of the existing JVM system property com.ibm.ws.security.oauth20.util.defaultTemplateLifetime. | |
| oauth20.template.waitTime | Template wait time, in seconds. The default is 120. | The time to wait to load a template from a remote server. | |
| oauth20.template.connectTime | Template connect time, in seconds. The default is 120. | The time to wait for a server connection when loading a template. | |
| oauth20.template.readTime | Template read time, in seconds. The default is 120. | The time allowed for reading a template document from a remote server to complete. | |
| oauth20.template.count | Template count. The default is 3. | The number of templates to obtain simultaneously. | |
| oauth20.grant.type.password.skip.validation | true or false; the default is false | A value of true disables the resource owner validation for the password grant type. | |
| xmlFileAuditHandler.filename | File name | Name of the file that corresponds with the default audit handler. | True |
Parameters for TAI Configuration
These parameters can optionally be added as TAI custom properties instead, which gives more flexibility. Additional custom TAI properties can be added as parameters by specifying type="tai".
| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| Filter | Any filter condition can be used | See TAI configuration parameters and syntax for details. | True |
| oauthOnly | true or false | An example TAI configuration property, used to restrict authentication to OAuth only (true) or to allow other enabled authentication (false). | True |
Autoauthorize parameters
Optional endpoint parameter and client allowlist to skip the authorization step for privileged clients.
| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| oauth20.autoauthorize.param | Any string | To use autoauthorization, the autoauthorize parameter must be appended to requests as a URL parameter with a value of true. | False |
| oauth20.autoauthorize.clients | List of registered client IDs | Clients in this list are able to participate in autoauthorization. | True |
Optional values to replace client URI strings, for dynamic host names
Variables must use the '${VAR_NAME}' syntax.
| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| oauth20.client.uri.substitutions | unused | unused | False |
Optional values to configure the server's default scope. Values are space-delimited strings.
| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| oauth20.scope.preAuthorized | any string | A list of scopes given to all clients. | True |
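As an added example (not part of the original page or of the product), the following script reads a provider configuration and reports the customizable settings from the tables above that widen the provider's exposure: long token lifetimes, public clients, the implicit and password grants, skipped resource-owner validation, and clients on the autoauthorize list. The `<parameter name/type/customizable>` element layout with nested `<value>` children, the sample values, and the lifetime thresholds are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET
# Constructed sample; the <parameter name/type/customizable> + nested <value> layout is assumed.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<OAuthServiceProvider>
  <parameter name="oauth20.code.lifetime.seconds" type="ws" customizable="true"><value>60</value></parameter>
  <parameter name="oauth20.token.lifetime.seconds" type="ws" customizable="true"><value>86400</value></parameter>
  <parameter name="oauth20.allow.public.clients" type="ws" customizable="true"><value>true</value></parameter>
  <parameter name="oauth20.grant.types.allowed" type="ws" customizable="false">
    <value>authorization_code</value><value>implicit</value><value>password</value>
  </parameter>
  <parameter name="oauth20.grant.type.password.skip.validation" type="ws" customizable="true"><value>true</value></parameter>
  <parameter name="oauth20.autoauthorize.clients" type="ws" customizable="true"><value>admin_console</value></parameter>
</OAuthServiceProvider>
"""

LIFETIME_LIMITS = {  # accepted upper bounds in seconds; thresholds are this example's own choice
    "oauth20.code.lifetime.seconds": 600,
    "oauth20.token.lifetime.seconds": 3600,
    "oauth20.max.authorization.grant.lifetime.seconds": 604800,
}

def load_params(xml_text):
    """Parse the provider file into {parameter name: {"customizable": bool, "values": [str]}}."""
    params = {}
    for p in ET.fromstring(xml_text).iter("parameter"):
        params[p.get("name")] = {
            "customizable": p.get("customizable", "false").lower() == "true",
            "values": [v.text.strip() for v in p.findall("value") if v.text],
        }
    return params

def audit(params):
    """Return findings for settings that widen the provider's exposure (empty list = nothing flagged)."""
    def values(name):
        return params.get(name, {}).get("values", [])
    findings = []
    for name, limit in LIFETIME_LIMITS.items():
        if values(name) and int(values(name)[0]) > limit:
            findings.append(f"{name}={values(name)[0]} exceeds {limit}s")
    if values("oauth20.allow.public.clients") == ["true"]:
        findings.append("oauth20.allow.public.clients=true: clients without a secret are accepted")
    for g in sorted({"implicit", "password"} & set(values("oauth20.grant.types.allowed"))):
        findings.append(f"grant type '{g}' enabled; deprecated by the OAuth 2.0 security BCP")
    if values("oauth20.grant.type.password.skip.validation") == ["true"]:
        findings.append("password grant issues tokens without validating the resource owner")
    for c in values("oauth20.autoauthorize.clients"):
        findings.append(f"client '{c}' skips the user authorization step (autoauthorize)")
    return findings
```

Running `audit(load_params(SAMPLE_CONFIG))` on the constructed sample returns six findings; point `load_params` at the text of your own copy of OAuthConfigSample.xml to review a real provider.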