Remove reverse proxy configuration for OAuth and OIDC provider

The OAuth and OIDC provider configuration must be removed from a reverse proxy instance manually.

We can accomplish the manual steps using the pdadmin command and by editing the WebSEAL configuration file.

We can use the appliance Local Management Interface (LMI) to edit the WebSEAL configuration file. On the Reverse Proxy management page, select the appropriate WebSEAL instance and click Manage > Configuration > Edit Configuration File to open the Advanced Configuration File Editor. We can use this editor to directly edit the WebSEAL configuration file.

For information on pdadmin, see pdadmin commands.

Steps

  1. Remove the following ACLs:

    • isam_oauth_anyauth
    • isam_oauth_unauth
    • isam_oauth_nobody
    • isam_oauth_rest

    We can use the pdadmin command to remove ACLs. See acl detach and acl delete.

  2. If your deployment has no further need for the junction, delete it. Ensure the junction is not used for any function other than configuration of OAuth and OIDC provider. If we are not certain whether the junction is used for other configurations, we can skip this step.

    The junction name is the value we specified when we created the junction. The default junction name is /mga.

    We can use the pdadmin command to delete junctions. See server task delete.

  3. If OAuth was configured for API protection, disable oauth-auth in the [oauth] stanza.

    To disable the property, edit the WebSEAL configuration file. See oauth-auth and [oauth] stanza.

  4. If OAuth was configured for Browser flows:

    1. Remove the trigger URI /<jct>/sps/oauth/oauth20/session. In the URI, /<jct> refers to the WebSEAL junction that we configured, either with a unique name that we assigned or with the default name of /mga.

    2. If no other Verify Access services are configured, remove the following trigger URIs:

      • /<jct>/sps/auth*
      • /<jct>/sps/authservice/authentication

    3. If all triggers are removed, disable eai-auth in the [eai] stanza.

    To remove trigger URLs, edit the WebSEAL configuration file. See [eai-trigger-urls] stanza and [eai] stanza.

  5. If OAuth was configured for API protection but OAuth was not configured for browser flows, re-enable forms-auth in the [forms] stanza.

    To modify the property, edit the WebSEAL configuration file. See [forms] stanza and forms-auth.
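
A check to run against a copy of the WebSEAL configuration file after the steps above, reporting which OAuth-related settings are still in place (an added example, not IBM's code). It assumes trigger entries use the `trigger` key in the `[eai-trigger-urls]` stanza and that `none` is the disabled value for `oauth-auth`, `eai-auth` and `forms-auth`; the helper names `parse_conf` and `leftovers` and the sample configuration are constructed here.

```python
import re

def parse_conf(text):
    """Parse stanzas into {name: [(key, value), ...]}; repeated keys are kept."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), [])
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return stanzas

def leftovers(text, jct="/mga", api_only=False):
    """Return (step, message) pairs for settings the steps above would still change."""
    conf = parse_conf(text)
    # Last value per (stanza, key); a missing key is read as "none" (assumption).
    value = {(s, k): v for s, kv in conf.items() for k, v in kv}
    found = []
    if value.get(("oauth", "oauth-auth"), "none") != "none":
        found.append(("3", "oauth-auth is still enabled in [oauth]"))
    triggers = [v for k, v in conf.get("eai-trigger-urls", []) if k == "trigger"]
    shared = {f"{jct}/sps/auth", f"{jct}/sps/authservice/authentication"}
    for uri in triggers:
        if uri.startswith(f"{jct}/sps/oauth/oauth20/session"):
            found.append(("4.1", f"OAuth session trigger remains: {uri}"))
        elif uri.rstrip("*") in shared:
            found.append(("4.2", f"remove only if no other service uses it: {uri}"))
    if not triggers and value.get(("eai", "eai-auth"), "none") != "none":
        found.append(("4.3", "no triggers left but eai-auth is still enabled in [eai]"))
    if api_only and value.get(("forms", "forms-auth"), "none") == "none":
        found.append(("5", "forms-auth is still disabled in [forms]"))
    return found

SAMPLE = """\
# Constructed sample: a configuration where only step 3 has been carried out.
[oauth]
oauth-auth = none
[eai]
eai-auth = https
[eai-trigger-urls]
trigger = /mga/sps/oauth/oauth20/session*
trigger = /mga/sps/auth*
trigger = /mga/sps/authservice/authentication
[forms]
forms-auth = none
"""

if __name__ == "__main__":
    print(*(f"step {s}: {m}" for s, m in leftovers(SAMPLE)), sep="\n")
```

Pass `api_only=True` when OAuth was configured for API protection only, so that step 5 is checked as well; pass `jct` when the junction is not /mga.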
