The user-identity-attribute stanza entry

OAuth authentication must create a user credential. To do this, OAuth authentication must be provided with a user identity to use when creating this credential. The appliance's implementation of OAuth authentication provides the definition of the user identity through an attribute that is returned by the OAuth server.

The user-identity-attribute entry in the [oauth] stanza defines the name of the attribute that is returned by the OAuth server. This stanza entry's value is the user identity used when creating a credential for the OAuth authentication. By default, this entry has a value of username. What that tells the appliance is to take the value of the username attribute from the OAuth server response and use that as the user identity for the credential that will be created. By default, the username value in the OAuth server response is the client ID of the API protection client. That client ID must exist as an Security Verify Access user for OAuth authentication to be able to create a valid credential.

We can modify the OAuth server to provide the user identity in a different attribute, that is, something other than the username attribute. If we do that, modify the user-identity-attribute entry in the [oauth] stanza of the webseald.conf file, to provide that attribute name.

For information, see the [oauth] stanza documentation in the IBM Knowledge Center.

Parent topic: ws-trust authentication