You must customize the properties of the WebSphere® Trust Association Interceptor (TAI) or Servlet Filter (SF) component that acts as the enforcement point for your OAuth federation.
Property Name | Description | Example |
---|---|---|
FederationIdRequestParameterName | (Optional) Specifies the name of a request parameter whose value is used as the AppliesTo address in calls to the STS. The value must match the Provider ID of the federation of which the OAuth client is a member. The protected resource URL can then include a query string parameter with this name. This property makes it possible for one enforcement point to service requests for more than one federation at a time. If this property is not supplied, the value of the DefaultFederationId property is used as the static Provider ID value in calls to the STS. | FederationId. Example usage: sfprotected.jsp?FederationId=https://server.oauth.com/FIM/MySocialNetwork/oauth20 |
DefaultFederationId | (Required) Sets the default value of the Federation Provider ID used for communication with the STS. It is used when no federation ID is taken from the request (see FederationIdRequestParameterName). | https://server.oauth.com/FIM/MySocialNetwork/oauth20 |
DefaultMode | (Required) Determines whether a request is validated as OAuth 1.0 or OAuth 2.0; it distinguishes the different versions of the OAuth protocol. For OAuth 2.0, the supported token type is also specified in the value. It is used when no mode is taken from the request (see ModeParameterName). | |
ModeParameterName | (Optional) Specifies the name of a request parameter that carries the mode value. The protected resource URL can then include a query string parameter with this name. A single policy enforcement point (PEP) can service both OAuth 1.0 and OAuth 2.0 federations at the same time when the mode is supplied per request through this parameter. If this property is not supplied, the value of the DefaultMode property is used to determine whether to validate the incoming request as OAuth 1.0 or OAuth 2.0. | mode |
OAuthRealm | (Required) Specifies the realm in the WWW-Authenticate header that is returned for a request that does not contain an authorized OAuth token. | https://server.oauth.com/FIM/ |
OAuthTokenCacheSize | (Optional) Specifies the maximum number of entries in the cache that maps OAuth 2.0 bearer tokens to the results of the Security Token Service call, such as token existence and expiry time. | 2 |
PointOfContact | (Optional) Specifies the point of contact URL for clients of the server. If IBM® HTTP Server or WebSEAL is deployed in front of WebSphere, the URL differs from the example. | https://server.oauth.com/FIM/ |
STSEndpoint | (Optional) Specifies the WS-Trust 1.2 endpoint of the STS. | https://server.oauth.com/FIM/ |
STSUsername | Specifies the basic authentication user name for communication with the STS. (Required depending on how the TrustClientInternalRole is secured in the ITFIMRuntime application.) | wasadmin |
STSPassword | Specifies the basic authentication password for communication with the STS. (Required depending on how the TrustClientInternalRole is secured in the ITFIMRuntime application.) | password |
STSSSLConfiguration | Specifies a WebSphere SSL configuration object that contains the keys for server SSL authentication of the WS-Trust URL and, if required, for client SSL authentication. (Required only if an HTTPS URL to the STS endpoint is used.) | mysslcfg |
URIPrefix | (Required) Specifies a string that is compared with the start of the request URI to decide whether the TAI or servlet filter must protect the request. To protect all resources, use /. | /snoop |
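The following is an added example, not IBM code and not part of the original page: a small Python model of how an enforcement point resolves the properties in the table for one request (URIPrefix matching, FederationId and mode lookup with fallback to DefaultFederationId and DefaultMode, the WWW-Authenticate realm, and a bounded token-result cache sized by OAuthTokenCacheSize). The property names mirror the table; the `KnownFederationIds` allow-list, the `Bearer` challenge scheme, the LRU cache shape and the `example-default-mode` string are assumptions of this example, not documented settings.

```python
"""Added example (not IBM code): per-request resolution of the OAuth TAI /
servlet-filter properties. Allow-list, cache shape and challenge scheme are
assumptions of this example."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class EnforcementPointConfig:
    # Required properties from the table.
    DefaultFederationId: str
    DefaultMode: str
    OAuthRealm: str
    URIPrefix: str
    # Optional properties from the table.
    FederationIdRequestParameterName: Optional[str] = None
    ModeParameterName: Optional[str] = None
    OAuthTokenCacheSize: int = 2
    # Assumption, not a documented property: Provider IDs this PEP may serve.
    # The FederationId query parameter is attacker-controlled, so it is checked
    # against this set before it becomes the AppliesTo of an STS call.
    KnownFederationIds: Tuple[str, ...] = ()


def _query_param(request_uri: str, name: Optional[str]) -> Optional[str]:
    """First value of query parameter `name`; None if unconfigured or absent."""
    if not name:
        return None
    values = parse_qs(urlsplit(request_uri).query).get(name)
    return values[0] if values else None


def is_protected(cfg: EnforcementPointConfig, request_uri: str) -> bool:
    """URIPrefix is compared with the start of the request path; '/' protects all."""
    return urlsplit(request_uri).path.startswith(cfg.URIPrefix)


def resolve_federation_id(cfg: EnforcementPointConfig, request_uri: str) -> str:
    """AppliesTo for the STS call: the request parameter when configured and
    present, otherwise DefaultFederationId as the static Provider ID."""
    requested = _query_param(request_uri, cfg.FederationIdRequestParameterName)
    if requested is None:
        return cfg.DefaultFederationId
    if requested != cfg.DefaultFederationId and requested not in cfg.KnownFederationIds:
        raise ValueError("request names a federation this enforcement point does not serve")
    return requested


def resolve_mode(cfg: EnforcementPointConfig, request_uri: str) -> str:
    """OAuth 1.0 / 2.0 mode: request parameter when configured and present, else DefaultMode."""
    return _query_param(request_uri, cfg.ModeParameterName) or cfg.DefaultMode


def challenge_header(cfg: EnforcementPointConfig, scheme: str = "Bearer") -> str:
    """WWW-Authenticate value for a request without an authorized token.
    The realm is OAuthRealm; the scheme is an assumption of this example."""
    return f'{scheme} realm="{cfg.OAuthRealm}"'


class TokenResultCache:
    """Bounded LRU map: OAuth 2.0 bearer token -> STS result (existence, expiry).
    OAuthTokenCacheSize caps the entry count; expired entries are never served."""

    def __init__(self, max_size: int) -> None:
        if max_size < 1:
            raise ValueError("OAuthTokenCacheSize must be at least 1")
        self._max = max_size
        self._entries: "OrderedDict[str, Dict[str, object]]" = OrderedDict()

    def put(self, token: str, expires_at: float) -> None:
        self._entries[token] = {"exists": True, "expires_at": expires_at}
        self._entries.move_to_end(token)
        while len(self._entries) > self._max:
            self._entries.popitem(last=False)  # evict least recently used

    def get(self, token: str, now: float) -> Optional[Dict[str, object]]:
        entry = self._entries.get(token)
        if entry is None:
            return None
        if float(entry["expires_at"]) <= now:  # honour the STS expiry time
            del self._entries[token]
            return None
        self._entries.move_to_end(token)
        return entry

    def __len__(self) -> int:
        return len(self._entries)


# Constructed configuration mirroring the table's example values; DefaultMode
# and the KnownFederationIds entry are placeholders for this example.
EXAMPLE_CONFIG = EnforcementPointConfig(
    DefaultFederationId="https://server.oauth.com/FIM/MySocialNetwork/oauth20",
    DefaultMode="example-default-mode",
    OAuthRealm="https://server.oauth.com/FIM/",
    URIPrefix="/snoop",
    FederationIdRequestParameterName="FederationId",
    ModeParameterName="mode",
    OAuthTokenCacheSize=2,
    KnownFederationIds=("https://server.oauth.com/FIM/PartnerNetwork/oauth10",),
)

if __name__ == "__main__":
    uri = "/snoop/sfprotected.jsp?FederationId=https://server.oauth.com/FIM/MySocialNetwork/oauth20"
    print(is_protected(EXAMPLE_CONFIG, uri), resolve_federation_id(EXAMPLE_CONFIG, uri))
    print(resolve_mode(EXAMPLE_CONFIG, "/snoop/sfprotected.jsp"), challenge_header(EXAMPLE_CONFIG))
```

Two points the table implies but does not spell out are made explicit here: a request-supplied FederationId is only trusted after it is matched against the federations the enforcement point is configured for, and a cached STS result is discarded once the expiry time the STS returned has passed, regardless of the cache size.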