OAuth TAI custom properties
The following tables list the custom properties for the OAuth TAI. We can define these properties in the custom properties panel for the OAuth TAI using the administrative console. To assign unique property names that identify each possible OAuth provider, a provider_<id> prefix is embedded in the property name and used to group the properties associated with each provider. The provider_<id> values are numbered sequentially for each service provider. The following table describes the OAuth TAI custom properties:

| Property name | Values | Description |
| --- | --- | --- |
| provider_<id>.name | Any string value. | Name of the OAuth provider. Must be the same as the name of the provider configuration file, without the .xml file extension. Required. |
| provider_<id>.filter | No default value. | Condition checked against the HTTP request to determine whether the HTTP request is selected for processing by the OAuth service provider. Required. |
| provider_<id>.oauthOnly | true (default) or false | If a client request does not contain the OAuth credentials (token), specifies whether a resource protected by OAuth TAI is allowed to be started by other authentication mechanisms like basic authentication. If false, OAuth protected resources can be started by other authentication methods when OAuth authentication fails. Optional. |
OAuth TAI filter property
A set of conditions is compared against the HTTP request of the client. Based on the results, an OAuth provider is selected to process the HTTP request. Conditions are evaluated from left to right. If all the filter conditions specified by an OAuth provider are met in an HTTP request, the OAuth provider is selected. The input element identifies an HTTP request header field to extract from the request, and its value is compared with the value specified in the filter property. If the header field is not present in the HTTP request, the condition is treated as not being met. Any of the standard HTTP request header fields can be used as the input element in the filter condition.
Conditions are specified using three elements:

| Element | Description |
| --- | --- |
| input | Required HTTP header name. Elements request-url and remote-address can also be used. |
| operator | ==, !=, %=, ^=, <, and > |
| comparison value | String. IP address ranges are also allowed. |

In addition to the standard HTTP header fields, the following special input elements can be used in the filter property:

| Input element | Description |
| --- | --- |
| request-url | Compared against the URL address used by the client application to make the request |
| request-uri | Similar to request-url, but the query string contained in the request URL address is not used in the comparison |
| remote-address | Compared against the TCP/IP address of the client application that sent the HTTP request |
Filter examples
The trust association interceptor selects the OAuth provider associated with the matching filter. For example:
- Match the HTTP header field From:
provider_1.filter=From==oauthuser@xyz.com
- Partially match with URLs containing ivtlanding.jsp:
provider_2.filter=request-url%=ivtlanding.jsp
- Match application DefaultApplication:
provider_3.filter=applicationNames==DefaultApplication
Operators used in the filter property
| Operator | Condition | Example |
| --- | --- | --- |
| == | The input element must exactly match comparison value. | From==jones@my.company.com |
| %= | The input element contains a partial match with the comparison value. | user-agent%=IE 6 |
| ^= | The input element contains one of the comparison values. | request-url^=urlApp1\|urlApp2\|urlApp3 |
| != | The input element does not contain the comparison value. | request-url!=SPNEGO |
| > | The input element is greater than the comparison value. | remote-address>192.168.255.130 |
| < | The input element is less than the comparison value. | remote-address<192.168.255.135 |
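
The following is an added example, not IBM code and not part of the original page: a small Python model of the filter semantics described above, useful for checking which provider a given request would be routed to before a filter is deployed. It assumes that multiple conditions are separated by `;`, that providers are tried in the order listed, and that `<` and `>` compare IP addresses numerically; none of these three points is stated on this page, and the function names and the `provider_9` sample are constructed.

```python
import ipaddress
import re

# A condition has three elements: input element, operator, comparison value.
_COND = re.compile(r"^\s*([A-Za-z-]+)\s*(==|!=|%=|\^=|<|>)\s*(.*?)\s*$")

def input_value(name, request):
    """Resolve an input element; returns None when a header is absent."""
    if name == "request-url":
        return request["url"]
    if name == "request-uri":            # request-url without the query string
        return request["url"].split("?", 1)[0]
    if name == "remote-address":
        return request["remote_addr"]
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return headers.get(name.lower())     # HTTP header names are case-insensitive

def condition_met(cond, request):
    m = _COND.match(cond)
    if m is None:
        raise ValueError(f"not a filter condition: {cond!r}")
    name, op, want = m.groups()
    got = input_value(name, request)
    if got is None:                      # missing header: condition is not met
        return False
    if op == "==":
        return got == want
    if op == "%=":
        return want in got
    if op == "!=":
        return want not in got
    if op == "^=":                       # any one of the |-separated values
        return any(v.strip() and v.strip() in got for v in want.split("|"))
    try:                                 # "<" / ">": assumed numeric IP comparison
        a, b = ipaddress.ip_address(got), ipaddress.ip_address(want)
        return a < b if op == "<" else a > b
    except (ValueError, TypeError):
        return False

def select_provider(filters, request):
    """Return the first provider whose conditions are all met, else None."""
    for provider, flt in filters.items():
        conds = [c for c in flt.split(";") if c.strip()]  # ";" is an assumption
        if conds and all(condition_met(c, request) for c in conds):
            return provider
    return None

# Constructed sample: two filters from the page plus a constructed address range.
FILTERS = {"provider_1": "From==oauthuser@xyz.com",
           "provider_2": "request-url%=ivtlanding.jsp",
           "provider_9": "remote-address>192.168.255.130;remote-address<192.168.255.135"}
```

Because the address comparison is numeric, a client at 192.168.255.9 does not satisfy `remote-address>192.168.255.130`, although a plain string comparison would say it does.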