Defining an OAuth service provider

The OAuth service provider is defined with a provider configuration file. You can define an OAuth service provider by editing the OAuthConfigSample.xml file.

The OAuthConfigSample.xml file is in the properties directory under your WebSphere® Application Server installation. Copy and edit this file to define an OAuth service provider.

Each parameter has a customizable attribute of either true, meaning that the value is intended to be modified by users, or false, meaning that the value is typically not updated by users. Customizable parameters are exported by the exportOAuthProps wsadmin task and can be imported by the importOAuthProps wsadmin task; otherwise, the customizable attribute has no effect on the parameters. You can update the customizable value as needed for your environment.
Avoid trouble: The parameter type of ws or cc is used internally and can be ignored when updating parameters.
Table 1. Active parameters for in-memory clients and token stores

| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| oauth20.client.provider.classname | Client provider implementation class | For the in-memory client store, use the value com.ibm.ws.security.oauth20.plugins.BaseClientProvider. | False |
| oauth20.token.cache.classname | Token cache implementation class | For the in-memory token store, use the value com.ibm.ws.security.oauth20.plugins.BaseCache. | False |
| oauth20.token.cache.jndi.tokens | Java™ Naming and Directory Interface (JNDI) name of the dynamic cache object for tokens indexed by ID | Default value is Services/cache/OAuth20MemTokenCache. See the dynamic caching configuration section for usage details. | False |
| oauth20.token.cache.jndi.users | JNDI name of the dynamic cache object for tokens indexed by user | Default value is Services/cache/OAuth20MemTokenOwnerCache. See the dynamic caching configuration section for usage details. | False |

Table 2. Parameters for Java Database Connectivity (JDBC) database stores

| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| oauth20.client.distributed.cache.seconds | Number of seconds the client exists in the cache | The number of seconds that a client can remain in the cache after it is loaded from the database. Setting this property to zero (0) disables the cache. | |
| oauth20.client.provider.classname | Client provider implementation class name | For the JDBC-based client store, use the value com.ibm.ws.security.oauth20.plugins.db.CachedDBClientProvider. See the DB Table section for details on database configuration. | False |
| oauth20.token.cache.classname | Token cache implementation class name | For the JDBC-based token store, use the value com.ibm.ws.security.oauth20.plugins.db.CachedDBTokenStore. See the DB Table section for details on database configuration. | False |
| oauthjdbc.JDBCProvider | JDBC provider name | Set this value to match your JDBC provider, for example jdbc/oauthProvider. | False |
| oauthjdbc.client.table | Table name used for the OAuth clients | Set this value to match your database table name, for example OAuthDBSchema.OAUTH20CLIENTCONFIG. | False |
| oauthjdbc.token.table | Table name used for the OAuth tokens | Set this value to match your database table name, for example OAuthDBSchema.OAUTH20CACHE. | False |
| oauthjdbc.CleanupInterval | Expired token cleanup interval in seconds | Delay time in seconds between cleanup runs for expired tokens in the database token table. | True |
| oauthjdbc.LimitRefreshToken | unused | unused | True |
| oauthjdbc.SelectCountQueryType [9.0.5.18 or later] | sql1 (default), sql2, or sql3 | If the OAuth trust association interceptor (TAI) emits a java.sql.SQLException error when it attempts to access the database, change the default value of sql1 to another allowed value. Each value selects the corresponding SELECT COUNT SQL command: sql1 uses SELECT COUNT(*) AS "TOTAL"; sql2 uses SELECT COUNT(*) TOTAL; sql3 uses SELECT COUNT(*) AS TOTAL. | |
| oauth20.db.token.cache.jndi.tokens | JNDI name of the dynamic cache object for tokens | The datastore is backed by a dynamic cache of the specified name, for example services/cache/OAuth20DBTokenCache. See the dynamic caching configuration section for usage details. | False |
| oauth20.db.token.cache.jndi.client | JNDI name of the dynamic cache object for clients | The datastore is backed by a dynamic cache of the specified name, for example services/cache/OAuth20DBClientCache. See the dynamic caching configuration section for usage details. | False |
| oauthjdbc.AlternateSelectCountQuery [9.0.5.18 or later] (Deprecated) | true or false | The default is false. Set this value to true if the OAuth trust association interceptor (TAI) emits a java.sql.SQLException error when it attempts to access the database. [9.0.5.18 or later] Setting this property to true is the same as setting the oauthjdbc.SelectCountQueryType parameter to the value sql2. | |

Table 3. OAuth access time lengths. Depending on the level of authorization, access time is allotted to a client.

| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| oauth20.max.authorization.grant.lifetime.seconds | Authorization grant lifetime, in seconds | Duration in seconds that an authorization grant is valid, for example 604800. | True |
| oauth20.code.lifetime.seconds | Authorization code lifetime, in seconds | Duration in seconds that the authorization code is valid during the OAuth dance, for example 60. | True |
| oauth20.code.length | integer | Length of the generated OAuth authorization codes. | True |
| oauth20.token.lifetime.seconds | integer | Time in seconds that the OAuth access token is valid; a commonly customized value. | True |
| oauth20.access.token.length | integer | Length of the generated OAuth access tokens. | True |
| oauth20.issue.refresh.token | true or false | A value of false disables the use and generation of refresh tokens in the OAuth provider. | True |
| oauth20.refresh.token.length | Integer; the value can range upward from 50 | Default value is 50. | True |
| oauth20.access.tokentypehandler.classname | Any OAuth20 token handler can be specified | Default value is com.ibm.ws.security.oauth20.plugins.BaseTokenHandler. Type is cc. | False |
| oauth20.mediator.classnames | Optional class name of the OAuth mediator | See the OAuth mediator section for details. | False |
| oauth20.allow.public.clients | true or false | A value of false disables access by public clients, as detailed in the OAuth specification. | True |
| oauth20.grant.types.allowed | Possible values are authorization_code, password, refresh_tokens, client_credentials, or implicit | List of enabled OAuth flows, as detailed in the OAuth specification. | False |
| oauth20.authorization.form.template | Optional URL to the customized authorization template | If you use a customized authorization form, specify the template location. | True |
| oauth20.authorization.error.template | Optional URL to the customized authorization error page template | If you use a customized authorization form error page, specify the template location. | True |
| oauth20.authorization.loginURL | Optional URL to the customized login page | If you use a customized login page, specify the login URL. | True |
| oauth20.audithandler.classname | Class name of the OAuth audit handler | Optional implementation for advanced logging and auditing. Default value is com.ibm.oauth.core.api.audit.XMLFileOAuthAuditHandler. | True |
| oauth20.template.lifetime.seconds | Template lifetime, in seconds. The default is 600. | The time that a template remains in the template cache. This parameter overrides any setting of the JVM system property com.ibm.ws.security.oauth20.util.defaultTemplateLifetime. | |
| oauth20.template.waitTime | Template wait time, in seconds. The default is 120. | The time to wait to load a template from a remote server. | |
| oauth20.template.connectTime | Template connect time, in seconds. The default is 120. | The time to wait for a server connection when loading a template. | |
| oauth20.template.readTime | Template read time, in seconds. The default is 120. | The time allowed for reading a template document from a remote server to complete. | |
| oauth20.template.count | Template count. The default is 3. | The number of templates to obtain simultaneously. | |
| oauth20.grant.type.password.skip.validation | true or false; the default is false | A value of true disables the resource owner validation for the password grant type. | |
| xmlFileAuditHandler.filename | File name | Name of the file that corresponds with the default audit handler. | True |

Table 4. Parameters for TAI configuration. These parameters can optionally be added as TAI custom properties instead, which gives more flexibility. Additional custom TAI properties can be added as parameters by specifying type="tai".

| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| Filter | Any filter condition can be used | See TAI configuration parameters and syntax for details. | True |
| oauthOnly | true or false | An example TAI configuration property, used to restrict authentication to OAuth only (true) or to allow other enabled authentication (false). See the TAI configuration parameters for details. | True |

Table 5. Autoauthorize parameters. Optional endpoint parameter and client allowlist to skip the authorization step for privileged clients.

| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| oauth20.autoauthorize.param | Any string | To use autoauthorization, the autoauthorize parameter must be appended to requests as a URL parameter with a value of true. | False |
| oauth20.autoauthorize.clients | List of registered client IDs | Clients in this list are able to participate in autoauthorization. | True |

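Reviewing a provider file against the lifetime, grant-type and allowlist settings in Tables 3 through 5 can be automated. The following Python audit script is an added example and is not part of the WebSphere documentation or product. The element layout it parses (parameter elements carrying name, type and customizable attributes, with one value child per value), the sample file, the client IDs, the TAI filter value and the one-hour access-token ceiling are all constructed assumptions for illustration; the ten-minute authorization-code limit comes from RFC 6749. It flags a long authorization-code lifetime, a long access-token lifetime, skipped password-grant validation, the implicit grant combined with public clients, and any clients on the autoauthorize allowlist.

```python
"""Audit an OAuth service provider definition for risky settings (added example,
not WebSphere documentation or product code). The element layout, parameter
name/type/customizable attributes with one <value> child per value, is an
assumption that follows the attribute names the documentation uses."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample provider file with several deliberately weak settings.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<OAuthServiceProvider>
  <parameter name="oauth20.code.lifetime.seconds" type="ws" customizable="true">
    <value>900</value>
  </parameter>
  <parameter name="oauth20.token.lifetime.seconds" type="ws" customizable="true">
    <value>86400</value>
  </parameter>
  <parameter name="oauth20.allow.public.clients" type="ws" customizable="true">
    <value>true</value>
  </parameter>
  <parameter name="oauth20.grant.types.allowed" type="ws" customizable="false">
    <value>authorization_code</value>
    <value>implicit</value>
    <value>password</value>
    <value>refresh_tokens</value>
  </parameter>
  <parameter name="oauth20.grant.type.password.skip.validation" type="ws" customizable="true">
    <value>true</value>
  </parameter>
  <parameter name="oauth20.autoauthorize.clients" type="ws" customizable="true">
    <value>reporting-batch</value>
    <value>mobile-app</value>
  </parameter>
  <parameter name="Filter" type="tai" customizable="true">
    <value>request-url%=/api</value>
  </parameter>
</OAuthServiceProvider>
"""

Params = Dict[str, List[str]]
Finding = Tuple[str, str]  # (parameter name, explanation)


def load_parameters(xml_text: str) -> Params:
    """Map every parameter name to the list of its <value> texts."""
    params: Params = {}
    for element in ET.fromstring(xml_text).iter("parameter"):
        name = element.get("name")
        if name is not None:
            params[name] = [(v.text or "").strip() for v in element.findall("value")]
    return params


def first(params: Params, name: str, default: str = "") -> str:
    """First value of a parameter, or the default when it is absent or empty."""
    values = params.get(name)
    return values[0] if values else default


def as_int(params: Params, name: str, default: int = 0) -> int:
    """Integer view of a parameter; missing or non-numeric values fall back to default."""
    try:
        return int(first(params, name, str(default)))
    except ValueError:
        return default


def audit(params: Params) -> List[Finding]:
    """Return the settings a reviewer would question, in a stable order."""
    findings: List[Finding] = []
    grants = set(params.get("oauth20.grant.types.allowed", []))
    # RFC 6749 section 4.1.2 recommends an authorization code lifetime of at most 10 minutes.
    code_life = as_int(params, "oauth20.code.lifetime.seconds")
    if code_life > 600:
        findings.append(("oauth20.code.lifetime.seconds",
                         f"{code_life}s exceeds the 600s maximum recommended by RFC 6749"))
    # One hour is this example's own ceiling: a leaked access token stays usable for its whole life.
    token_life = as_int(params, "oauth20.token.lifetime.seconds")
    if token_life > 3600:
        findings.append(("oauth20.token.lifetime.seconds",
                         f"{token_life}s access tokens; prefer short tokens plus refresh tokens"))
    if first(params, "oauth20.grant.type.password.skip.validation").lower() == "true":
        findings.append(("oauth20.grant.type.password.skip.validation",
                         "resource owner credentials are not validated for the password grant"))
    # The implicit flow returns the token in the redirect URL; with public clients it is the weakest flow.
    if first(params, "oauth20.allow.public.clients").lower() == "true" and "implicit" in grants:
        findings.append(("oauth20.grant.types.allowed",
                         "implicit grant is enabled while public clients are allowed"))
    # Autoauthorized clients never show the user a consent page; list them for review.
    auto_clients = params.get("oauth20.autoauthorize.clients", [])
    if auto_clients:
        findings.append(("oauth20.autoauthorize.clients",
                         "consent step skipped for: " + ", ".join(auto_clients)))
    return findings


if __name__ == "__main__":
    for name, why in audit(load_parameters(SAMPLE_CONFIG)):
        print(f"{name}: {why}")
```

Run against the sample file the script reports five findings; after lowering the two lifetimes, turning password validation back on, removing the implicit grant and emptying the autoauthorize list, the same audit reports none, which is the state you want an exported provider file to be in before it is imported with importOAuthProps.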
Table 6. Optional values to replace client URI strings, for dynamic host names. Variables must use the '${VAR_NAME}' syntax.

| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| oauth20.client.uri.substitutions | unused | unused | False |

Table 7. Optional values to configure the server's default scope. Values are space-delimited strings.

| Parameter name | Value | Description | Customizable |
|---|---|---|---|
| oauth20.scope.preAuthorized | any string | A list of scopes given to all clients. | True |