Creating an OAuth service provider
Before you begin
About this task
Procedure
- Create the OAuth provider. To create an OAuth provider, you must have an OAuth provider configuration file, and this file must exist before you can create the provider. You can use the OAuthConfigSample.xml sample provider configuration file under the app_server_root/properties directory as a template for creating the provider configuration file for your OAuth scenarios.
  Before creating the OAuth provider, ensure that the value of the filter parameter in the provider configuration file matches the URL of the protected resource. You can create the OAuth provider by using either the wsadmin command utility or the administrative console.
  - Create the OAuth provider by using the wsadmin utility.
    - Start the WebSphere Application Server.
    - Start the wsadmin command-line utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython
    - At the wsadmin prompt, enter the following command:
      AdminTask.createOAuthProvider('[-providerName <OAuthProviderName> -fileName <ProviderConfigFile>]')
      where OAuthProviderName is the OAuth provider name, and ProviderConfigFile is the full path name of the OAuth provider configuration file. For example:
      AdminTask.createOAuthProvider('[-providerName OAuthConfigSample -fileName c:/temp/OAuthConfigSample.xml]')
      Note: The previous command copies the provider configuration file to the <was_profile_root>/config/cells/<cell_name>/oauth20 directory.
    - Save the configuration by entering the following command: AdminConfig.save()
    - Exit the wsadmin command utility by entering the following command: quit
    - Restart the WebSphere Application Server.
  - Create the OAuth provider by using the administrative console.
    - Copy the provider configuration file to the <was_profile_home>/config/cells/<cell_name>/oauth20 directory.
    - Log on to the WebSphere Application Server administrative console.
    - Click Security > Global security.
    - Expand Web and SIP security.
    - Click Trust association.
    - Click Interceptors.
    - Click com.ibm.ws.security.oauth20.tai.OAuthTAI.
    - Under Custom properties, add the following properties:
      Name: provider_1.name
      Value: <OauthProviderName>
      Avoid trouble: The provider name must be the same as the provider configuration file name, without the file extension. For example, if the provider configuration file is OauthConfigSample.xml, you must specify OauthConfigSample as the provider name.
      Name: provider_1.filter
      Value: <filter_condition>
      The value of the filter property specifies the filter condition for the protected resource, as shown in the following examples:
      request-url%=snoop
      applicationNames==DefaultApplication
      For information about defining the provider_<id>.filter property, see the SAML TAI filter property section in the documentation about SAML single sign-on (SSO) TAI custom properties.
    - Click OK.
    - Restart the WebSphere Application Server.
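The two things this step warns about, a provider name that differs from the configuration file name and a filter that does not match the protected resource, only surface after a server restart. The following script, added here as an example and not part of the IBM documentation or product, checks both before you run the wsadmin commands. It assumes the provider configuration file carries the filter as a parameter element named filter with a nested value element (modelled on the shipped OAuthConfigSample.xml; verify against your copy), implements only the two filter operators the step shows (== for equality, %= for contains), and assumes from the SAML TAI filter syntax that several conditions can be joined with a semicolon. The sample configuration and request in the block are constructed.

```python
"""Pre-flight checks before registering an OAuthTAI provider (added example, not IBM's code).

Assumptions: the provider configuration file is XML and carries the filter as
<parameter name="filter"><value>...</value></parameter> (modelled on the shipped
OAuthConfigSample.xml; verify against your copy); the filter operators are the two
shown in the procedure, '==' (equals) and '%=' (contains); joining several
conditions with ';' follows the SAML TAI filter syntax and is assumed here.
"""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample provider configuration standing in for OAuthConfigSample.xml.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<OAuthServiceConfiguration>
  <parameter name="filter" type="ws" customizable="true">
    <value>request-url%=snoop</value>
  </parameter>
</OAuthServiceConfiguration>
"""

# A constructed request to the protected resource the provider is meant to guard.
SAMPLE_REQUEST = {
    "request-url": "http://server.example.com:9080/snoop",
    "applicationNames": "DefaultApplication",
}

_COND = re.compile(r"([A-Za-z0-9_-]+)\s*(==|%=)\s*(.+)")


def parse_filter(expr):
    """Split 'attr op value[; attr op value ...]' into (attr, op, value) triples."""
    conds = []
    for part in expr.split(";"):
        part = part.strip()
        if not part:
            continue
        m = _COND.fullmatch(part)
        if m is None:
            raise ValueError("unsupported filter condition: %r" % part)
        attr, op, value = m.groups()
        conds.append((attr, op, value.strip()))
    return conds


def filter_matches(expr, request):
    """True when every condition in expr holds for the request attributes."""
    for attr, op, value in parse_filter(expr):
        actual = request.get(attr, "")
        if op == "==" and actual != value:
            return False
        if op == "%=" and value not in actual:
            return False
    return True


def provider_name_for(config_path):
    """The provider name the TAI expects: the file name without its extension."""
    return os.path.splitext(os.path.basename(config_path))[0]


def check_provider(config_xml, config_path, provider_name, request):
    """Return a list of problems; an empty list means the provider is ready to create."""
    problems = []
    if provider_name != provider_name_for(config_path):
        problems.append("provider name %r does not match file name %r without extension"
                        % (provider_name, os.path.basename(config_path)))
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        problems.append("configuration is not well-formed XML: %s" % exc)
        return problems
    node = root.find(".//parameter[@name='filter']/value")
    expr = (node.text or "").strip() if node is not None else ""
    if not expr:
        problems.append("no filter parameter in the provider configuration")
        return problems
    try:
        if not filter_matches(expr, request):
            problems.append("filter %r does not match the protected resource %r"
                            % (expr, request.get("request-url")))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def wsadmin_commands(config_path, provider_name):
    """The wsadmin (Jython) commands from the procedure with the values filled in."""
    return [
        "AdminTask.createOAuthProvider('[-providerName %s -fileName %s]')"
        % (provider_name, config_path),
        "AdminConfig.save()",
        "quit",
    ]


if __name__ == "__main__":
    path = "c:/temp/OAuthConfigSample.xml"
    name = provider_name_for(path)
    issues = check_provider(SAMPLE_CONFIG, path, name, SAMPLE_REQUEST)
    print("\n".join(issues) if issues else "\n".join(wsadmin_commands(path, name)))
```

Run it with the real path of your provider configuration file and the URL of the resource the TAI is meant to intercept; when the check list is empty it prints the three wsadmin commands to paste at the prompt. A filter that never matches is the common cause of the TAI silently not engaging, so feed it the exact request URL clients will use, including the context root.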
- Register OAuth clients. Before OAuth clients can access any resources protected by the OAuth trust association interceptor (TAI), the clients must be registered with the OAuth service provider. You can register clients by using one of the following two methods.
  - Registering clients by using an XML file.
    You can use an XML file for storing the registered clients. The OauthConfigSample.xml template provider configuration file provides a com.ibm.ws.security.oauth20.plugins.BaseClientProvider class that stores the registered clients in the base.clients.xml file. The base.clients.xml file must exist in the same directory as the provider configuration file under <was_profile_root>/config/cells/<cell_name>/oauth20. If you want to use the BaseClientProvider class for registering clients by using an XML file, you must add one or more OAuth clients to the base.clients.xml file. You can use the base.clients.xml file under the <app_server_root>/properties directory as a template for adding registered clients.
  - Registering clients by using a JDBC database store.
    You can also use a JDBC database for registering OAuth clients. The OauthConfigSample.xml template provider configuration file contains example parameters for configuring a JDBC database store for registering OAuth clients. The details of configuring a JDBC database store for registered clients are beyond the scope of this topic.
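Because base.clients.xml is edited by hand from the shipped template, it is easy to deploy it with the template's placeholder entry still in place, an empty secret, or a plain-http redirect URI. The following audit script is an added example, not IBM's code and not part of the WebSphere product. It assumes that the file lists client elements carrying id, secret, redirect, enabled and component attributes and that component names the provider the client belongs to; those attribute names are taken from the layout of the shipped template as remembered here and should be checked against your own <app_server_root>/properties/base.clients.xml. The minimum secret length is a local policy choice, not a WebSphere rule, and the sample file in the block is constructed.

```python
"""Audit a base.clients.xml client registration file (added example, not IBM's code).

Assumption: <client> elements carry id, secret, redirect, enabled and component
attributes, with component naming the OAuth provider; verify against the shipped
template under <app_server_root>/properties.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample file: one sound entry, the template-style placeholder, and a stale one.
SAMPLE_CLIENTS = """<?xml version="1.0" encoding="UTF-8"?>
<OAuthClientConfiguration>
  <client id="inventory-app" component="OAuthConfigSample" secret="k9Vt2qLm8xZp4Rw1Hs6Yb3Nc"
          displayname="Inventory" redirect="https://apps.example.com/oauth/callback" enabled="true"/>
  <client id="key" component="OAuthConfigSample" secret="secret" displayname="key"
          redirect="http://localhost:9080/oauthclient/redirect.jsp" enabled="true"/>
  <client id="legacy" component="OtherProvider" secret="" displayname="Legacy"
          redirect="https://legacy.example.com/cb" enabled="false"/>
</OAuthClientConfiguration>
"""

MIN_SECRET_LEN = 16  # assumed local policy, not a WebSphere requirement
PLACEHOLDER_SECRETS = {"secret", "password", "changeme"}


def audit_clients(xml_text, provider_name):
    """Return {client_id: [findings]} for every registered client; an empty list is clean."""
    root = ET.fromstring(xml_text)
    findings = {}
    seen = set()
    for client in root.iter("client"):
        cid = client.get("id", "")
        issues = []
        if not cid:
            issues.append("missing id")
        elif cid in seen:
            issues.append("duplicate id")
        seen.add(cid)

        secret = client.get("secret", "")
        if not secret:
            issues.append("empty secret")
        elif secret.lower() in PLACEHOLDER_SECRETS or secret.lower() == cid.lower() \
                or len(secret) < MIN_SECRET_LEN:
            issues.append("weak or placeholder secret")

        redirect = client.get("redirect", "")
        if urlparse(redirect).scheme != "https":
            issues.append("redirect not https: %s" % redirect)

        component = client.get("component")
        if component != provider_name:
            issues.append("component %r is not provider %r" % (component, provider_name))

        if client.get("enabled", "true").lower() != "true":
            issues.append("client disabled")

        key = cid or "<unnamed#%d>" % len(findings)
        if key in findings:
            key = "%s (duplicate)" % key
        findings[key] = issues
    return findings


def has_problems(findings):
    """True when any client has at least one finding."""
    return any(findings.values())


if __name__ == "__main__":
    report = audit_clients(SAMPLE_CLIENTS, "OAuthConfigSample")
    for cid, issues in report.items():
        print(cid, "OK" if not issues else "; ".join(issues))
```

Run it against the copy under <was_profile_root>/config/cells/<cell_name>/oauth20 after every edit; the template's own sample client registers with a guessable secret and a plain-http localhost redirect, and it should never survive into a production registration file.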
Results
What to do next
- OAuth TAI custom properties
- OAuth command group for the AdminTask object