Fix Pack 8550

Persistent OAuth service configuration

WebSphere® Application Server supports a persistent OAuth 2.0 service by persisting OAuth tokens and clients in a database. With persistent OAuth 2.0 services, an authorized client can access OAuth 2.0 service after OAuth services are restarted.

To configure persistent OAuth 2.0 services, complete the following steps:
  1. Configure the OAuth 2.0 service provider.

    To use a database store, you must specify the <databaseStore> subelement of the <oauthProvider> element. The only required attribute on the <databaseStore> element is <dataSourceRef>, whose value must be the id of the <dataSource> element.

    The following example is a sample server.xml file for an OAuth provider that uses a Derby database store:
    <server>
    
      <featureManager>
        <feature>oauth-2.0</feature>
        <feature>ssl-1.0</feature>
        <feature>jdbc-4.0</feature>
        <feature>jndi-1.0</feature>
      </featureManager>
    
      <keyStore password="keyspass" />
    
      <oauth-roles>
        <authenticated>
          <user>testuser</user>
        </authenticated>
      </oauth-roles>
    
      <oauthProvider id="OAuthConfigDerby" filter="request-url%=ssodemo"
                     oauthOnly="false">
        <databaseStore dataSourceRef="OAuthFvtDataSource" />
      </oauthProvider>
    
      <jdbcDriver id="DerbyEmbedded" libraryRef="DerbyLib" />
    
      <library id="DerbyLib" fileSetRef="DerbyFileset" />
    
      <fileset id="DerbyFileset" dir="${DERBY_JDBC_DRIVER_PATH}"
               includes="derby.jar" />
    
      <dataSource id="OAuthFvtDataSource" jndiName="jdbc/OAuth2DB"
                  jdbcDriverRef="DerbyEmbedded">
        <properties.derby.embedded databaseName="D:\oauth2db"
                                   createDatabase="create" />
      </dataSource>
    
      <webAppSecurity allowFailOverToBasicAuth="true" />
    
      <basicRegistry id="basic" realm="BasicRealm">
        <user name="testuser" password="testuserpwd" />
      </basicRegistry>
    
    </server>
  2. Set up a database and table to store the OAuth token and client.
    1. Create a database for persistent OAuth service. See the vendor documentation for database creation. In this example, the database name is D:\oauth2db.
    2. Create two OAuth tables as defined by the following SQL statements:
      ----- CREATE TABLES -----
      CREATE TABLE OAuthDBSchema.OAUTH20CACHE 
      (
        LOOKUPKEY VARCHAR(256) NOT NULL, 
        UNIQUEID VARCHAR(128) NOT NULL, 
        COMPONENTID VARCHAR(256) NOT NULL, 
        TYPE VARCHAR(64) NOT NULL, 
        SUBTYPE VARCHAR(64), 
        CREATEDAT BIGINT, 
        LIFETIME INT, 
        EXPIRES BIGINT, 
        TOKENSTRING VARCHAR(2048) NOT NULL, 
        CLIENTID VARCHAR(64) NOT NULL, 
        USERNAME VARCHAR(64) NOT NULL, 
        SCOPE VARCHAR(512) NOT NULL, 
        REDIRECTURI VARCHAR(2048), 
        STATEID VARCHAR(64) NOT NULL
      );
      
      CREATE TABLE OAuthDBSchema.OAUTH20CLIENTCONFIG 
      (
        COMPONENTID VARCHAR(256) NOT NULL, 
        CLIENTID VARCHAR(256) NOT NULL, 
        CLIENTSECRET VARCHAR(256), 
        DISPLAYNAME VARCHAR(256) NOT NULL, 
        REDIRECTURI VARCHAR(2048), 
        ENABLED INT
      );
      
      ----- ADD CONSTRAINTS -----
      ALTER TABLE OAuthDBSchema.OAUTH20CACHE 
        ADD CONSTRAINT PK_LOOKUPKEY PRIMARY KEY (LOOKUPKEY);
      
      ALTER TABLE OAuthDBSchema.OAUTH20CLIENTCONFIG 
        ADD CONSTRAINT PK_COMPIDCLIENTID PRIMARY KEY (COMPONENTID,CLIENTID);
      
      ----- CREATE INDEXES -----
      CREATE INDEX OAUTH20CACHE_EXPIRES ON OAUTHDBSCHEMA.OAUTH20CACHE (EXPIRES ASC);
  3. Configure WebSphere Application Server.

    Configure the WebSphere Application Server data source. You must set the data source Java Naming and Directory Interface (JNDI) name to be jdbc/OAuth2DB. The JNDI name must match the jndiName attribute of the <dataSource> element in the server.xml file. Enter the database name, for example, D:\oauth2db.

    For more information about the configuration of DB2® and Derby for OAuth persistent services, see IBM DB2 for persistent OAuth services and Derby database for persistent OAuth services. You can use them as a sample template to configure other databases.

  4. Add the registered OAuth clients to the database.

    To persist a client in a database, you must save the client to the database. The following SQL statements add the dbclient01 and dbclient02 OAuth clients to a Derby database:
    CONNECT 'jdbc:derby:D:\oauth2db';
    INSERT INTO OAuthDBSchema.OAUTH20CLIENTCONFIG VALUES 
    (
      'OAuthConfigDerby', 
      'dbclient01', 
      'secret', 
      'dbclient01', 
      'http://localhost:9080/oauthclient/redirect.jsp', 
      1
    ),
    (
      'OAuthConfigDerby', 
      'dbclient02', 
      'secret', 
      'dbclient02', 
      'http://localhost:9080/oauthclient/redirect.jsp', 
      1
    );
    DISCONNECT CURRENT;
    Fix Pack 8552 Note: The Componentid must be the same as the id of the oauthProvider element in the server.xml file.

Icon that indicates the type of topic Concept topic

Terms and conditions for information centers | Feedback


Timestamp icon Last updated: Monday, 21 April 2014
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-express-iseries&topic=cwlp_oauth_sql
File name: cwlp_oauth_sql.html