Configure an authenticated token endpoint with WebSEAL as the point of contact (OAuth)

Configure an authenticated token endpoint with WebSEAL as the point of contact to delegate authentication of the client to WebSEAL. Note that basic authentication can be completed without configuring WebSEAL as the point of contact. When WebSEAL is to perform client authentication, an authenticated ACL must be attached to the token endpoint. We can use the isam_mobile_anyauth ACL, which can be created with the oauth_config REST API. See Configure a reverse proxy for OAuth and an OIDC Connect provider. We must also know how to enable Basic Authentication and Certificate Authentication. For more information, see Basic authentication and Client-side certificate authentication.

Use separate WebSEAL instances for the token and authorization endpoints so that authentication for the token endpoint is enforced at WebSEAL. Clients can then authenticate with mechanisms such as Basic Authentication and client certificates, while users authenticate with forms authentication at the authorize and clients manager endpoints.

Steps

  1. Log in to the pdadmin utility with the sec_master account.

  2. Attach the isam_mobile_anyauth ACL to the token endpoint...

      /WebSEAL/<WebSEAL_instance_name>/mga/sps/oauth/oauth20/token

    For example...

      acl attach /WebSEAL/server-default/mga/sps/oauth/oauth20/token isam_mobile_anyauth

  3. Enable Basic Authentication, Certificate Authentication, or both.

  4. Ensure the point of contact contains the client ID and client secret within its user registry by running the following command:

  5. Verify the configuration:

    1. Ensure the token endpoint is protected. For example, run the following command and verify that you get a login form:

        curl -kv https://server:445/mga/sps/oauth/oauth20/token

    2. If we enabled Basic Authentication or Certificate Authentication, ensure that we can authenticate to the point of contact with the Basic Authentication header or a client certificate. For example, run the following commands and ensure that the token endpoint is reached:

        Basic Authentication

          curl -kv https://server:445/mga/sps/oauth/oauth20/token --basic -u jHTzyil9lQAcFsJu9Dw3:CDrQlexadocQ6FwTzEUG

        Certificate Authentication

          curl -kv https://server:445/mga/sps/oauth/oauth20/token --cert /pathcert.pem
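The two checks of step 5 scripted so they can be repeated after every change, as an added example that is not part of the original topic: an unauthenticated request must be intercepted by WebSEAL (login form), and a Basic Authentication request must reach the OAuth token endpoint itself (a JSON token or JSON OAuth error). The endpoint URL and the client ID and secret are the placeholders from the curl examples above; the grant type and the fetcher are assumptions.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

# Placeholder endpoint from the curl examples above; replace with the real point of contact.
TOKEN_URL = "https://server:445/mga/sps/oauth/oauth20/token"


def classify(status, content_type, body):
    """Classify a reply from the token endpoint URL.
    'login_form': the WebSEAL ACL intercepted the request (HTML page containing a form)
    'endpoint'  : the OAuth token endpoint answered (JSON token or JSON OAuth error)
    'other'     : anything else, which needs a manual look
    """
    if "text/html" in content_type and "<form" in body.lower():
        return "login_form"
    if "application/json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return "other"
        if "access_token" in data or "error" in data:
            return "endpoint"
    return "other"


def fetch(url, auth=None):
    """POST a client_credentials request (assumed grant type); return (status, content_type, body)."""
    req = urllib.request.Request(url, data=b"grant_type=client_credentials", method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if auth:
        cred = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    ctx = ssl._create_unverified_context()  # same trust relaxation as curl -k; lab use only
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:  # 4xx/5xx replies still carry a useful body (JSON OAuth error)
        return e.code, e.headers.get("Content-Type", ""), e.read().decode(errors="replace")


def verify(url, client_id, client_secret, fetcher=fetch):
    """Run both checks; fetcher is injectable so the logic can be exercised offline."""
    anon = classify(*fetcher(url))
    authed = classify(*fetcher(url, (client_id, client_secret)))
    return {"unauthenticated_blocked": anon == "login_form",
            "basic_auth_reaches_endpoint": authed == "endpoint"}


if __name__ == "__main__":
    print(verify(TOKEN_URL, "jHTzyil9lQAcFsJu9Dw3", "CDrQlexadocQ6FwTzEUG"))
```

Both values must be True; a False for the first check means the ACL is not attached to the instance serving that URL, and a False for the second means the point of contact does not accept those client credentials.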

Parent topic: OAuth 2.0 and OIDC workflows