Configure a reverse proxy for OAuth and an OIDC Connect provider

Use a wizard to perform automated configuration of a reverse proxy appliance for OAuth and an OIDC Connect provider.

The reverse proxy server to use for your OAuth or OIDC Connect provider must already be configured. See Configure an instance.

Steps

  1. From the local management interface, select Web > Manage > Reverse Proxy. A list of reverse proxy instances displays.

  2. Select the reverse proxy instance name from the list.

  3. Select Manage > OAuth and OIDC Connect provider Configuration. A window opens where we can add the configuration information.

  4. Enter the configuration details.

    The OAuth modes section lists supported modes. We can select more than one mode.

    The modes are options that extend a basic OAuth configuration. A basic configuration sets up the junction, loads the runtime certificate, and provides access to the API Protection endpoints: /token, /userinfo, /introspect, /revoke, /metadata, and /jwks. The base configuration is sufficient if we are doing only a resource or password credentials flow. In this case, we cannot do any API enforcement, but we can get tokens issued. In this scenario, we do not need to select either of the OAuth modes.

    To use the authorization code or implicit flows, which go through a user agent, or to obtain a user session through the /session endpoint, we must select Configure for browser interaction. If we want this reverse proxy to protect resources with access tokens, we must select Configure for API protection. The two options are not mutually exclusive; we can select both.

    Mode: Configure for browser interaction
    Description: When configured for browser interaction, the /authorize and /session endpoints are accessible, and EAI authentication is enabled for /session. This option is required for the authorization code or implicit flows.

    Mode: Configure for API Protection
    Description: When this option is selected, an access token can be presented to WebSEAL and an authenticated session retrieved. Cookies are not required; the Authorization header is used as the session index. Selecting this option configures oauth-auth and oauth-cluster in the [oauth] stanza of the WebSEAL configuration file. If we select Configure for API protection and do not select Configure for browser interaction, the configuration parameter forms-auth is disabled.
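    As an added illustration (not text from this page or the product documentation), the fragment below sketches what the two mode choices mean for the WebSEAL configuration file. Only the parameter names oauth-auth, oauth-cluster and forms-auth come from the page; the stanza placement of forms-auth under [forms], the value spellings, and the cluster name are assumptions and should be checked against the file the wizard actually writes.

```ini
# Variant A: "Configure for API protection" selected, "browser interaction" not selected.
# Access tokens in the Authorization header are accepted as the session index.
# Forms login is disabled, so browser-based (code/implicit) flows will not work.
[oauth]
oauth-auth = https          ; assumed value: accept tokens over HTTPS
oauth-cluster = runtime-cluster   ; placeholder: name of the runtime (API Protection) cluster

[forms]
forms-auth = none           ; wizard disables forms-auth when browser interaction is not selected

# Variant B: both modes selected.
# Tokens are still accepted as the session index, and forms login stays enabled for /authorize and /session.
[oauth]
oauth-auth = https          ; assumed value
oauth-cluster = runtime-cluster   ; placeholder

[forms]
forms-auth = https          ; assumed value: forms login remains available over HTTPS
```

    The practical check after the restart is to confirm that forms-auth has the value you expect: if it reads none and you intended to support the authorization code flow, re-run the wizard with Configure for browser interaction selected.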

    Parameter: Host name
    Description: The host name or IP address of the runtime server. This field is required.

    Parameter: Port
    Description: The SSL port number of the runtime server. This field is required.

    Parameter: User name
    Description: The user name used to authenticate with the runtime server. This field is required.

    Parameter: Password
    Description: The password used to authenticate with the runtime server. This field is required.

    Parameter: Junction
    Description: The junction for the reverse proxy instance. The default is /mga.

    The Reuse Actions section indicates reuse of existing access control lists (ACLs) and certificates.

    Parameter: Reuse Certificates
    Description: Select to reuse the SSL certificate if it was already saved. If this check box is not selected, the certificate is overwritten.

    Parameter: Reuse ACLs
    Description: Select to reuse any existing ACLs with the same name. If this check box is not selected, the ACLs are replaced.

  5. Click Finish.
  6. When prompted, deploy the pending changes.
  7. Restart the reverse proxy.
What to do next

We can examine a log file to view the results of the auto-configuration. See View a reverse proxy log for an automated configuration.

Parent topic: Reverse proxy configuration for OAuth and OIDC provider