OAuth
OAuth is an open standard for delegated authorization. With the OAuth authorization framework, a user can grant a third-party application access to their information stored with another HTTP service without sharing their access permissions or the full extent of their data.
In OAuth, the client, or third-party application, requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner. Instead of using the credentials of the resource owner to access protected resources, the client obtains an access token, which is a string denoting a specific scope, lifetime, and other access attributes. Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server.
OAuth 2.0 is not backward compatible with OAuth 1.0. OAuth 2.0 is designed for ease of use by client application developers and defines authorization flows for different types of client applications.
WebSphere Application Server supports OAuth 2.0, and can be used as an OAuth service provider endpoint and an OAuth protected resource enforcement endpoint.
WebSphere Application Server supports the following OAuth standard specifications:
- The OAuth 2.0 Authorization Framework
- The OAuth 2.0 Authorization Framework: Bearer Token Usage
The following list shows a summary of features within WebSphere Application Server OAuth 2.0 services.
- WebSphere Application Server acts as an OAuth Service Provider (SP) to handle OAuth 2.0 protocol requests.
- WebSphere Application Server acts as a protected resource enforcement endpoint to authorize or deny requests for deployed web resources.
- Allows multiple service providers to co-exist.
- Allows an administrator to revoke access tokens.
- Allows a client to revoke the authorization granted to it by a user.
- Optionally provides a Subject to a resource application so that it can make an authenticated downstream call or perform programmatic J2EE security.
- Supports the 4 typical OAuth 2.0 flows defined in the protocol.
- Supports persistent OAuth services.
Subtopics
- OAuth 2.0 services
WebSphere Application Server OAuth services include both the OAuth authorization service and the web resource authorization decision service.
- OAuth 2.0 service invocation
A registered OAuth client can invoke the WebSphere Application Server OAuth service authorization endpoint or token endpoint to request an access token. The client can then use the access token to request protected web resources from WebSphere Application Server.
- Customize an OAuth provider
The WebSphere Application Server OAuth service provider has plug-in points for customization. We can replace the default form login page for user authentication, or develop our own user consent form to collect client authorization data. WebSphere Application Server OAuth providers also allow customized post processing for major events in OAuth token issuing using mediators.
- Persistent OAuth service configuration
WebSphere Application Server supports a persistent OAuth 2.0 service by persisting OAuth tokens and clients in a database. With persistent OAuth 2.0 services, an authorized client can access OAuth 2.0 service after OAuth services are restarted.
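The token issue, revocation and bearer-token enforcement described in the feature list and the service invocation subtopic, as an added Python model that is not WebSphere code: the AuthorizationServer, ResourceServer and Token names, the in-memory token store and the realm string are constructed assumptions, and HTTP transport is omitted.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Token:
    client_id: str
    owner: str          # resource owner who approved the grant
    scope: frozenset
    expires_at: float   # lifetime enforced at introspection time
    revoked: bool = False

class AuthorizationServer:
    """Token endpoint: issues opaque bearer tokens and records revocations
    made by an administrator or by the client itself (constructed model)."""
    def __init__(self, lifetime=3600, now=time.time):
        self.lifetime, self.now, self.tokens = lifetime, now, {}

    def issue(self, client_id, owner, scope):
        tok = secrets.token_urlsafe(32)  # opaque and unguessable; never the owner's password
        self.tokens[tok] = Token(client_id, owner, frozenset(scope),
                                 self.now() + self.lifetime)
        return tok

    def revoke(self, token):
        if token in self.tokens:
            self.tokens[token].revoked = True

    def introspect(self, token):
        t = self.tokens.get(token)  # unknown tokens yield None
        if t is None or t.revoked or self.now() >= t.expires_at:
            return None
        return t

class ResourceServer:
    """Enforcement endpoint: parses the Authorization header per RFC 6750 and
    checks that the token is live and carries the scope the resource needs."""
    def __init__(self, authz):
        self.authz = authz

    def authorize(self, headers, required_scope):
        scheme, _, cred = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not cred.strip():
            return 401, 'Bearer realm="api"'            # no usable credential
        t = self.authz.introspect(cred.strip())
        if t is None:
            return 401, 'Bearer error="invalid_token"'
        if required_scope not in t.scope:
            return 403, 'Bearer error="insufficient_scope"'
        return 200, t.owner                             # subject for downstream calls
```

The injectable `now` clock lets expiry be exercised deterministically; a 401 with `invalid_token` is returned for revoked and expired tokens alike so the client cannot distinguish them.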
Parent topic: Authorizing access to resources
Tasks:
Configure a custom form login page
Configure a custom form login page for OAuth
Configure an OpenID Connect Provider
Configure an OpenID Connect Client
Invoking the Authorization Endpoint for OpenID Connect
Invoking the Token Endpoint for OpenID Connect
Invoking the Introspection Endpoint for OpenID Connect
Configure an OpenID Connect Provider to use the RSA-SHA256 algorithm for signing of ID tokens
Invoking the UserInfo Endpoint for OpenID Connect