The OAuth service provider is defined by a provider configuration file. You define an OAuth service provider by editing the OAuthSampleConfig.xml file, which is in the properties directory under your WebSphere® Application Server installation. Copy this file and edit the copy to define your own OAuth service provider.
The following parameters configure the in-memory client and token store.

Parameter name | Value | Description | Customizable |
---|---|---|---|
oauth20.client.provider.classname | Client provider implementation class | For the in-memory client store, use the value com.ibm.ws.security.oauth20.plugins.BaseClientProvider. | False |
oauth20.token.cache.classname | Token cache implementation class | For the in-memory token store, use the value com.ibm.ws.security.oauth20.plugins.BaseCache. | False |
oauth20.token.cache.jndi.tokens | Java Naming and Directory Interface (JNDI) name of the dynamic cache object for tokens indexed by ID | Default value is Services/cache/OAuth20MemTokenCache. See the dynamic caching configuration section for usage details. | False |
oauth20.token.cache.jndi.users | JNDI name of the dynamic cache object for tokens indexed by user | Default value is Services/cache/OAuth20MemTokenOwnerCache. See the dynamic caching configuration section for usage details. | False |

The following parameters configure the JDBC-based client and token store.

Parameter name | Value | Description | Customizable |
---|---|---|---|
oauth20.client.provider.classname | Client provider implementation class name | For the JDBC-based client store, use the value com.ibm.ws.security.oauth20.plugins.db.CachedDBClientProvider. See the DB Table section for details on database configuration. | False |
oauth20.token.cache.classname | Token cache implementation class name | For the JDBC-based token store, use the value com.ibm.ws.security.oauth20.plugins.db.CachedDBTokenStore. See the DB Table section for details on database configuration. | False |
oauthjdbc.JDBCProvider | JDBC provider name | Set this value to match your JDBC provider, for example jdbc/oauthProvider. | False |
oauthjdbc.client.table | Table name used for the OAuth clients | Set this value to match your database table name, for example OAuthDBSchema.OAUTH20CLIENTCONFIG. | False |
oauthjdbc.token.table | Table name used for the OAuth tokens | Set this value to match your database table name, for example OAuthDBSchema.OAUTH20CACHE. | False |
oauthjdbc.CleanupInterval | Expired token cleanup interval in seconds | Delay time in seconds between cleanup of expired tokens in the database token table. | True |
oauthjdbc.LimitRefreshToken | unused | unused | True |
oauth20.db.token.cache.jndi.tokens | JNDI name of the dynamic cache object for tokens | The datastore is backed by a dynamic cache of the specified name, for example services/cache/OAuth20DBTokenCache. See the dynamic caching configuration section for usage details. | False |
oauth20.db.token.cache.jndi.client | JNDI name of the dynamic cache object for clients | The datastore is backed by a dynamic cache of the specified name, for example services/cache/OAuth20DBClientCache. See the dynamic caching configuration section for usage details. | False |

The following parameters control grant and token lifetimes, token generation, allowed flows, customized authorization pages, and auditing.

Parameter name | Value | Description | Customizable |
---|---|---|---|
oauth20.max.authorization.grant.lifetime.seconds | Authorization grant lifetime, in seconds | Duration in seconds that an authorization grant is valid, for example 604800. | True |
oauth20.code.lifetime.seconds | Authorization code lifetime, in seconds | Duration in seconds that the authorization code is valid during the OAuth dance, for example 60. | True |
oauth20.code.length | integer | Length of the generated OAuth authorization codes | True |
oauth20.token.lifetime.seconds | integer | Time in seconds that the OAuth access token is valid, a commonly customized value | True |
oauth20.access.token.length | integer | Length of the generated OAuth access tokens | True |
oauth20.issue.refresh.token | true or false | A value of false disables use and generation of refresh tokens in the OAuth provider | True |
oauth20.refresh.token.length | Value can range from 50 | Default value is 50. | True |
oauth20.access.tokentypehandler.classname | Any OAuth20 Token handler can be specified. | Default value is com.ibm.ws.security.oauth20.plugins.BaseTokenHandler. Type is cc. | False |
oauth20.mediator.classnames | Optional class name of the OAuth mediator | See the OAuth mediator section for details. | False |
oauth20.allow.public.clients | true or false | A value of false disables access of public clients as detailed in the OAuth specification. | True |
oauth20.grant.types.allowed | Possible values are: authorization_code, password, refresh_tokens, client_credentials, or implicit | List of enabled OAuth flows, as detailed in the OAuth specification. | False |
oauth20.authorization.form.template | Optional URL to the customized authorization template | If using a customized authorization form, specify the template location. | True |
oauth20.authorization.error.template | Optional URL to the customized authorization error page template | If using a customized authorization form error page, specify the template location. | True |
oauth20.authorization.loginURL | Optional URL to the customized login page | If using a customized login page, specify the login URL. | True |
oauth20.audithandler.classname | Class name of the OAuth audit handler | Optional implementation for advanced logging and auditing. Default value is com.ibm.oauth.core.api.audit.XMLFileOAuthAuditHandler. | True |
xmlFileAuditHandler.filename | File name | Name of the file that corresponds with the default audit handler. | True |
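As an added example (not code from this page or from the IBM product), a small review script that parses a provider file in the assumed `<parameter name="..."><value>...</value></parameter>` layout of OAuthSampleConfig.xml and flags settings from the table above that widen exposure. The XML fragment is constructed for the example and the thresholds are reviewer policy, not product defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample: parameter names come from the table above; the
# <parameter name=...><value>...</value></parameter> layout is assumed.
SAMPLE_CONFIG = """<OAuthServiceProvider>
  <parameter name="oauth20.code.lifetime.seconds" type="ws" customizable="true">
    <value>600</value></parameter>
  <parameter name="oauth20.token.lifetime.seconds" type="ws" customizable="true">
    <value>3600</value></parameter>
  <parameter name="oauth20.refresh.token.length" type="ws" customizable="true">
    <value>40</value></parameter>
  <parameter name="oauth20.allow.public.clients" type="ws" customizable="true">
    <value>true</value></parameter>
  <parameter name="oauth20.grant.types.allowed" type="ws" customizable="false">
    <value>authorization_code</value><value>implicit</value></parameter>
</OAuthServiceProvider>"""


def load_params(xml_text):
    """Map each parameter name to the list of its <value> texts."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): [(v.text or "").strip() for v in p.findall("value")]
            for p in root.iter("parameter")}


def review(params, max_code_lifetime=60, min_refresh_length=50):
    """Return findings a reviewer would raise; the limits are our policy
    (the table only states 50 as the refresh token length default)."""
    findings = []
    first = lambda key, dflt: params.get(key, [dflt])[0]
    code = int(first("oauth20.code.lifetime.seconds", "0"))
    if code > max_code_lifetime:
        findings.append(f"code lifetime {code}s > {max_code_lifetime}s")
    if int(first("oauth20.refresh.token.length", "50")) < min_refresh_length:
        findings.append("refresh token length below 50")
    if first("oauth20.allow.public.clients", "false").lower() == "true":
        findings.append("public clients allowed (no client secret required)")
    grants = params.get("oauth20.grant.types.allowed", [])
    for weak in ("implicit", "password"):
        if weak in grants:
            findings.append(f"{weak} grant enabled")
    return findings


if __name__ == "__main__":
    for finding in review(load_params(SAMPLE_CONFIG)):
        print("finding:", finding)
```

Run it against your own copy of the file by replacing SAMPLE_CONFIG with the file contents; an empty list means none of the checked settings tripped the policy.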

The following parameters configure the OAuth trust association interceptor (TAI).

Parameter name | Value | Description | Customizable |
---|---|---|---|
Filter | Any filter condition can be used | See the TAI configuration parameters and syntax for details. | True |
oauthOnly | true or false | An example TAI configuration property, used to restrict authentication to only OAuth (true) or use other enabled authentication (false). See the TAI configuration parameters for details. | True |

The following parameters configure autoauthorization.

Parameter name | Value | Description | Customizable |
---|---|---|---|
oauth20.autoauthorize.param | Any string | To use autoauthorization, append the autoauthorize parameter to requests as a URL parameter with the value true. | False |
oauth20.autoauthorize.clients | List of registered client IDs | Clients in this list are able to participate in autoauthorization. | True |

The following parameter is present in the sample file but unused.

Parameter name | Value | Description | Customizable |
---|---|---|---|
oauth20.client.uri.substitutions | unused | unused | False |