Create an OAuth service provider
This task assumes that the OAuth 2.0 feature is enabled. Before using the WebSphere Application Server as an OAuth service provider, we need to create one or more OAuth providers. The OAuth service provider includes the authorization server and the resource server.
Steps
- Create an OAuth provider configuration file. Ensure that the value of the filter parameter in the file matches the URL of the protected resource.
- Create the OAuth provider using the wsadmin utility.
- Start the WebSphere Application Server.
- Start the wsadmin command-line utility from the app_server_root/bin directory:
cd app_server_root/bin
wsadmin -lang jython
- At the wsadmin prompt, enter the following command:
AdminTask.createOAuthProvider('[-providerName OAuthProviderName -fileName /path/to/ProviderConfigFile]')
where OAuthProviderName is the OAuth provider name, and ProviderConfigFile is the full path name of the OAuth provider configuration file. For example:
AdminTask.createOAuthProvider('[-providerName OAuthConfigSample -fileName c:/temp/OAuthConfigSample.xml]')
The command copies the provider configuration file to:
profile_root/config/cells/cell/oauth20
- Save the configuration, then exit wsadmin:
AdminConfig.save()
quit
- Restart the WebSphere Application Server.
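The wsadmin steps above can be scripted so that the provider name is never typed by hand. The script below is an added example, not IBM's code: it wraps AdminTask.createOAuthProvider, derives the provider name from the configuration file name (the OAuth TAI later requires provider_1.name to equal the file name without its .xml extension), refuses names that would break the bracketed argument string, and saves the configuration. AdminTask and AdminConfig are the objects wsadmin injects into a script; the helpers take them as parameters so the logic can be exercised outside wsadmin. The file name, the wsadmin argv convention (sys.argv[0] is the first argument after the script name) and the output paths are assumptions for illustration.

```python
# Added example (not IBM's code). Run inside wsadmin as:
#   wsadmin -lang jython -f create_oauth_provider.py /path/to/OAuthConfigSample.xml
# Written for Jython 2.x as used by wsadmin (no f-strings), but it also
# imports under CPython so the helpers can be unit-tested.
import os
import sys

def provider_name_from_file(file_name):
    """OAuthConfigSample.xml -> OAuthConfigSample, the name the OAuth TAI's
    provider_1.name property must carry for this provider."""
    name, ext = os.path.splitext(os.path.basename(file_name))
    if ext.lower() != '.xml' or not name:
        raise ValueError('provider configuration file must be <name>.xml: %r' % file_name)
    return name

def create_oauth_provider_args(provider_name, file_name):
    """Build the single-string argument form documented for createOAuthProvider."""
    for value in (provider_name, file_name):
        # A space or ']' would be parsed as the end of a bracket argument.
        if ' ' in value or ']' in value:
            raise ValueError('spaces and ] are not allowed in wsadmin bracket arguments: %r' % value)
    return '[-providerName %s -fileName %s]' % (provider_name, file_name)

def create_oauth_provider(admin_task, admin_config, file_name, check_exists=True):
    """Create the provider described by file_name and save the cell configuration.
    Returns the provider name that was registered."""
    if check_exists and not os.path.isfile(file_name):
        raise IOError('provider configuration file not found: %s' % file_name)
    provider_name = provider_name_from_file(file_name)
    admin_task.createOAuthProvider(create_oauth_provider_args(provider_name, file_name))
    admin_config.save()  # equivalent of AdminConfig.save() at the wsadmin prompt
    return provider_name

try:
    AdminTask, AdminConfig  # present only when wsadmin runs this script
    _in_wsadmin = 1
except NameError:
    _in_wsadmin = 0

if _in_wsadmin:
    # Under wsadmin, sys.argv[0] is the first argument after the script name (assumption).
    registered = create_oauth_provider(AdminTask, AdminConfig, sys.argv[0])
    print('created OAuth provider %s; set provider_1.name=%s on the OAuth TAI' % (registered, registered))
```

The server still has to be restarted afterwards, as the next step says; the script only performs the configuration change and save.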
- Create the OAuth provider using the administrative console.
- Copy the provider configuration file to:
profile_home/config/cells/cell/oauth20
- Log on to the WebSphere Application Server administrative console and click:
Security > Global security > Web and SIP security > Trust association > Interceptors > com.ibm.ws.security.oauth20.tai.OAuthTAI
- Under Custom properties, add the following properties:
Name: provider_1.name
Value: <OauthProviderName>
Description: The provider name must be the same as the provider configuration file name, without the file extension. For example, if the provider configuration file is OauthConfigSample.xml, specify OauthConfigSample as the provider name.

Name: provider_1.filter
Value: <filter_condition>
Description: Filter condition for the protected resource. For example: request-url%=snoop;applicationNames==OAuthApplication
- Click OK.
- Restart the WebSphere Application Server.
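Getting provider_1.filter wrong in either direction is the usual mistake here: too narrow and the protected resource is served without the OAuth TAI; too broad and unrelated applications start demanding OAuth tokens. The evaluator below is an added example, not IBM's code, that mimics how a filter such as request-url%=snoop;applicationNames==OAuthApplication selects requests, so a filter can be checked offline against sample request attributes before the server is restarted. Conditions are joined with ';' and all must hold; '%=' is a substring match and '==' an equality test, as the page's example implies. The '!=' (not equal) and '^=' (contains one of, values separated by '|') operators follow the general WebSphere TAI filter syntax and are assumptions here, as are the sample URLs.

```python
# Added example (not IBM's code): offline check of an OAuth TAI filter condition.

_OPS = ('!=', '%=', '^=', '==')  # two-character operators; '==' last so 'a!=b' is not misread

def parse_filter(filter_string):
    """'request-url%=snoop;applicationNames==OAuthApplication'
    -> [('request-url', '%=', 'snoop'), ('applicationNames', '==', 'OAuthApplication')]"""
    conditions = []
    for raw in filter_string.split(';'):
        raw = raw.strip()
        if not raw:
            continue
        for op in _OPS:
            idx = raw.find(op)
            if idx > 0:
                conditions.append((raw[:idx].strip(), op, raw[idx + len(op):].strip()))
                break
        else:
            raise ValueError('no operator in condition: %r' % raw)
    return conditions

def _holds(actual, op, expected):
    """Evaluate one condition against the request's value for that attribute."""
    if actual is None:
        return False  # attribute absent from the request: the condition cannot hold
    if op == '==':
        return actual == expected
    if op == '!=':
        return actual != expected
    if op == '%=':
        return expected in actual
    if op == '^=':
        return any(v.strip() in actual for v in expected.split('|'))
    raise ValueError('unsupported operator: %s' % op)

def filter_matches(filter_string, request):
    """request maps attribute names ('request-url', 'applicationNames', ...) to values.
    True means the OAuth TAI would intercept this request."""
    return all(_holds(request.get(name), op, value)
               for name, op, value in parse_filter(filter_string))

def coverage_report(filter_string, requests):
    """Split sample requests into those the filter intercepts and those it lets through,
    so you can confirm the protected resource is in the first list and nothing else is."""
    intercepted, passed = [], []
    for req in requests:
        (intercepted if filter_matches(filter_string, req) else passed).append(req['request-url'])
    return intercepted, passed

# Constructed sample requests (hypothetical host and applications).
SAMPLE_REQUESTS = [
    {'request-url': 'https://host.example:9443/OAuthApplication/snoop', 'applicationNames': 'OAuthApplication'},
    {'request-url': 'https://host.example:9443/OAuthApplication/admin', 'applicationNames': 'OAuthApplication'},
    {'request-url': 'https://host.example:9443/OtherApp/snoop', 'applicationNames': 'OtherApp'},
]

if __name__ == '__main__':
    hit, miss = coverage_report('request-url%=snoop;applicationNames==OAuthApplication', SAMPLE_REQUESTS)
    print('intercepted by the OAuth TAI: %s' % hit)
    print('not intercepted: %s' % miss)
```

Run it with the filter you intend to set and a few URLs from the application: the first list should contain exactly the resources you mean to protect with OAuth.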
- Register OAuth clients.
Before OAuth clients can access any resources protected by the OAuth trust association interceptor (TAI), the clients must be registered with the OAuth service provider. We can register clients using one of the following two methods.
- Registering clients using an XML file.
We can use an XML file for storing the registered clients. The OauthConfigSample.xml template provider configuration file provides a com.ibm.ws.security.oauth20.plugins.BaseClientProvider class that stores the registered clients in the base.clients.xml file. The base.clients.xml file must exist in the same directory as the provider configuration file under:
profile_home/config/cells/cell/oauth20
To use the BaseClientProvider class for registering clients using an XML file, add one or more OAuth clients to the base.clients.xml file. We can use the base.clients.xml file under <app_server_root>/properties as a template for adding registered clients.
- Registering clients using a JDBC database store.
We can also use a JDBC database for registering OAuth clients. The OauthConfigSample.xml template provider configuration file contains example parameters for configuring a JDBC database store for registering OAuth clients. The details of configuring a JDBC database store for registered clients are beyond the scope of this topic.
Results
Your WebSphere Application Server is now configured as a service provider for OAuth 2.0. For additional configuration options for your service provider, see the related topics.