An OAuth service provider is a named set of configuration options for OAuth. The id or name of the provider is specified in the URL of inbound requests to the authorization and token endpoints, and the configuration options for that provider are used when the request is handled. This arrangement lets one server with a single endpoint servlet serve multiple OAuth configurations. For example, the URL https://my.company.com:8021/oauth2/endpoint/photoShare/authorize is handled by using the OAuth configuration options that are defined for the provider named photoShare, and the URL https://my.company.com:8021/oauth2/endpoint/calendarAuthz/authorize is handled by using the options that are defined for the provider named calendarAuthz.
About this task
An OAuth service provider is defined with the oauthProvider element in the server.xml file. You can define an OAuth service provider by editing the server.xml file or by using the WebSphere® Application Server Development Tools for Liberty. This task describes how to define a minimal OAuth configuration.
Procedure
- Add the oauth-2.0 and transportSecurity-1.0 features.
  OAuth 2.0 sends client credentials, authorization codes, and tokens over HTTP, so SSL (TLS) is required on the authorization and token endpoints. On Liberty, you must supply a keystore password for SSL by using the keyStore element; there is no default keystore password.
    <featureManager>
        <feature>oauth-2.0</feature>
        <feature>transportSecurity-1.0</feature>
    </featureManager>
- Set up the role mapping for the OAuth web application by using the oauth-roles element.
  OAuth is an HTTP-based protocol, and a web application is supplied to handle the authorization and token endpoints. The web application is built in and is started automatically when you specify the oauth-2.0 feature. However, you must map the authenticated role to one or more users, groups, or special subjects. Another role, clientManager, is supplied for managing client configuration, but it is not necessary to map that role for OAuth authorization to function.
    <oauth-roles>
        <authenticated>
            <user name="testuser"/>
        </authenticated>
    </oauth-roles>
- Define one or more providers with the oauthProvider element.
  The provider must have at least one client defined. You can define clients in these ways:
  - Locally with the localStore and client elements
  - In a relational database with the databaseStore element
  - In a custom OAuthStore implementation with the customStore element
  In the following example, the filter attribute limits the provider to requests whose URL contains ssodemo. The client secret is shown in Liberty's {xor} encoding, which is reversible obfuscation rather than encryption: anyone who can read server.xml can recover the secret, so restrict access to the file and prefer the aes encoding that the securityUtility encode command produces. The http redirect URI is acceptable only for this local test client; redirect URIs for real clients should use https.
    <oauthProvider id="SampleProvider" filter="request-url%=ssodemo">
        <localStore>
            <client name="client01" secret="{xor}LDo8LTor"
                    displayname="Test client number 1"
                    redirect="http://localhost:1234/oauthclient/redirect.jsp"
                    enabled="true" />
        </localStore>
    </oauthProvider>
- Define a user registry, either an LDAP registry by specifying the ldapRegistry-3.0 feature and the ldapRegistry configuration element, or a basic registry by specifying the basicRegistry configuration element.
    <basicRegistry id="basic" realm="BasicRealm">
        <user name="testuser" password="testuserpwd" />
    </basicRegistry>
- Set the allowFailOverToBasicAuth web application security property to true.
    <webAppSecurity allowFailOverToBasicAuth="true" />
Results
You have defined a minimal OAuth configuration.
Example
The following example shows a sample server.xml file that defines a simple OAuth provider with one client:
<server>
    <featureManager>
        <feature>oauth-2.0</feature>
        <feature>transportSecurity-1.0</feature>
    </featureManager>
    <keyStore password="keyspass" />
    <oauth-roles>
        <authenticated>
            <user name="testuser"/>
        </authenticated>
    </oauth-roles>
    <oauthProvider id="SampleProvider" filter="request-url%=ssodemo">
        <localStore>
            <client name="client01" secret="{xor}LDo8LTor"
                    displayname="Test client number 1"
                    redirect="http://localhost:1234/oauthclient/redirect.jsp"
                    enabled="true" />
        </localStore>
    </oauthProvider>
    <webAppSecurity allowFailOverToBasicAuth="true" />
    <basicRegistry id="basic" realm="BasicRealm">
        <user name="testuser" password="testuserpwd" />
    </basicRegistry>
</server>
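As an added example (not Liberty product code and not part of the original page), the following Python script reads the sample server.xml above, checks it against the five procedure steps, flags the two things a reviewer would question in the sample (the http redirect URI and the {xor}-obfuscated client secret), and decodes the {xor} value to show why that encoding is obfuscation rather than encryption. The check list, the finding texts and the decode routine are this example's own; the aes recommendation refers to the AES option of the securityUtility encode command.

```python
"""Lint a Liberty server.xml against the minimal OAuth provider configuration
described above, and reverse a {xor}-encoded client secret.

Added example; not Liberty product code. The five checks follow the procedure
steps on the page; the redirect-URI and secret-encoding checks are additions.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed input: the sample server.xml from the Example section above.
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>oauth-2.0</feature>
    <feature>transportSecurity-1.0</feature>
  </featureManager>
  <keyStore password="keyspass" />
  <oauth-roles>
    <authenticated>
      <user name="testuser"/>
    </authenticated>
  </oauth-roles>
  <oauthProvider id="SampleProvider" filter="request-url%=ssodemo">
    <localStore>
      <client name="client01" secret="{xor}LDo8LTor"
              displayname="Test client number 1"
              redirect="http://localhost:1234/oauthclient/redirect.jsp"
              enabled="true" />
    </localStore>
  </oauthProvider>
  <webAppSecurity allowFailOverToBasicAuth="true" />
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="testuser" password="testuserpwd" />
  </basicRegistry>
</server>"""


def decode_xor(value):
    """Reverse Liberty's {xor} encoding: base64 of each byte XORed with 0x5F ('_').

    Anyone who can read server.xml can do this, so {xor} hides a secret from a
    casual glance but does not protect it from disclosure of the file.
    """
    prefix = "{xor}"
    if not value.startswith(prefix):
        raise ValueError("value is not {xor}-encoded")
    raw = base64.b64decode(value[len(prefix):])
    return bytes(b ^ 0x5F for b in raw).decode("utf-8")


def lint_oauth_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # Step 1: both features, and a keystore password so SSL can start.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for required in ("oauth-2.0", "transportSecurity-1.0"):
        if required not in features:
            findings.append("missing feature " + required)
    keystore = root.find("keyStore")
    if keystore is None or not keystore.get("password"):
        findings.append("keyStore element with a password is required for SSL")

    # Step 2: the authenticated role must map to at least one subject.
    authenticated = root.find("oauth-roles/authenticated")
    if authenticated is None or len(authenticated) == 0:
        findings.append("oauth-roles/authenticated maps no user, group or special subject")

    # Step 3: at least one provider, each backed by a client store.
    providers = root.findall("oauthProvider")
    if not providers:
        findings.append("no oauthProvider element defined")
    for provider in providers:
        pid = provider.get("id", "<no id>")
        clients = provider.findall("localStore/client")
        has_store = (bool(clients) or provider.find("databaseStore") is not None
                     or provider.find("customStore") is not None)
        if not has_store:
            findings.append("provider %s: no localStore, databaseStore or customStore" % pid)
        for client in clients:
            label = "provider %s client %s" % (pid, client.get("name", "<no name>"))
            secret = client.get("secret", "")
            if secret.startswith("{xor}"):
                findings.append(label + ": secret is {xor}-obfuscated and reversible; "
                                "prefer {aes} encoding from securityUtility encode")
            elif secret and not secret.startswith("{"):
                findings.append(label + ": secret is stored in plaintext")
            redirect = client.get("redirect", "")
            if urlparse(redirect).scheme != "https":
                findings.append(label + ": redirect URI %s is not https" % redirect)

    # Step 4: a user registry to authenticate resource owners.
    if root.find("basicRegistry") is None and root.find("ldapRegistry") is None:
        findings.append("no basicRegistry or ldapRegistry defined")

    # Step 5: the basic-auth fail-over property.
    web_app_security = root.find("webAppSecurity")
    if (web_app_security is None
            or web_app_security.get("allowFailOverToBasicAuth", "").lower() != "true"):
        findings.append("webAppSecurity allowFailOverToBasicAuth is not set to true")
    return findings


if __name__ == "__main__":
    print("client01 secret decodes to:", decode_xor("{xor}LDo8LTor"))
    for finding in lint_oauth_config(SAMPLE_SERVER_XML):
        print("-", finding)
```

Run against the sample, the script reports only the two findings named in the lead-in; the same checks against an empty <server/> report every missing step, which makes the script usable as a pre-deployment gate for a new server.xml.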