Allowing external users to perform OAuth authentication
We can allow external users that do not exist in the ISAM registry to perform OAuth authentication.
OAuth authentication usually requires the identity that is represented by the OAuth token to exist in the ISAM user registry. Support for a user that does not exist in the ISAM registry requires some further configuration. The authorization server might need to update the attributes it puts in the RSTR in order to support external users.
At run time, when the appliance receives the RSTR from the authorization server, the user identity is extracted with the following order of precedence:
- If the pac-attribute entry is present in the oauth stanza and the corresponding attribute is found in the RSTR, the PAC is used to authenticate the user. If this entry is not present, the PAC attribute is not used.
- If the external-user-identity-attribute entry is present in the oauth stanza and the corresponding attribute is found in the RSTR, the value of this attribute is used as the username for authentication. If this entry is not present, the external user attribute is not used.
- If the external-group-attribute entry is present in the oauth stanza and the corresponding attribute is found in the RSTR, the group is added. The external group information is only used if authentication is occurring via an external user identity. If this entry is not present, the external group attribute is not used.
- If no other authentication has already occurred, the username is used for authentication.
The authorization server must be changed to return these attribute values. If the external-user-identity-attribute entry is set to username, then external users can be enabled without any authorization server changes.
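The following Python model is an added illustration of the order of precedence described above, not IBM's code: it reads the three `[oauth]` stanza entries with `configparser` and applies them to a constructed set of RSTR attributes. Attribute names such as `ext_username`, `ext_groups` and `pac`, and the RSTR values, are assumptions; no real RSTR or PAC is parsed.

```python
import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed [oauth] stanza: external user support without a pac-attribute entry.
STANZA = """
[oauth]
external-user-identity-attribute = ext_username
external-group-attribute = ext_groups
"""

# Constructed RSTR attribute sets (name -> values), standing in for the
# attributes the authorization server returns; no real RSTR is parsed.
RSTR_EXTERNAL = {"ext_username": ["alice@partner.example"], "ext_groups": ["partners"]}
RSTR_PAC_ONLY = {"pac": ["<opaque PAC blob>"]}

@dataclass
class Identity:
    method: str                      # "pac", "external-user" or "username"
    username: Optional[str] = None
    groups: List[str] = field(default_factory=list)

def resolve_identity(stanza_text: str, rstr: Dict[str, List[str]], token_username: str) -> Identity:
    """Apply the documented order of precedence to decide how the user is authenticated."""
    cfg = configparser.ConfigParser()
    cfg.read_string(stanza_text)
    oauth = cfg["oauth"] if cfg.has_section("oauth") else {}

    # 1. pac-attribute configured and present in the RSTR: the PAC authenticates.
    pac_attr = oauth.get("pac-attribute")
    if pac_attr and pac_attr in rstr:
        return Identity(method="pac")

    # 2. external-user-identity-attribute configured and present: its value is
    #    the username; external groups are honoured only on this path.
    ext_user_attr = oauth.get("external-user-identity-attribute")
    if ext_user_attr and ext_user_attr in rstr:
        groups: List[str] = []
        ext_group_attr = oauth.get("external-group-attribute")
        if ext_group_attr and ext_group_attr in rstr:
            groups = list(rstr[ext_group_attr])
        return Identity(method="external-user", username=rstr[ext_user_attr][0], groups=groups)

    # 3. Otherwise the token's username is used and must exist in the ISAM registry.
    return Identity(method="username", username=token_username)

if __name__ == "__main__":
    print(resolve_identity(STANZA, RSTR_EXTERNAL, "alice"))
    print(resolve_identity(STANZA, RSTR_PAC_ONLY, "alice"))   # PAC ignored: no pac-attribute entry
```

Setting `external-user-identity-attribute = username` in the stanza makes the model pick up the RSTR's existing `username` attribute, which is the no-server-change case described above.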