WebSphere® DataPower firmware version 5.0 provided support for OAuth, including the configuration of an OAuth authentication service that can be used for authenticating OAuth tokens on the device itself. This provides a powerful mechanism for the rapid creation of this feature. Part 2 describes the fundamentals of the DataPower Web Token Service and demonstrates how to create one.
A token service is a service that issues security tokens. It negotiates trust between client applications and web services and removes the need for a direct relationship between clients and services.
DataPower supports a token service through objects like AAA Policy, Web Service Proxy, and so on. The Web Token Service (WTS) introduced in DataPower firmware version 5.0 provides a dedicated and simplified service to act as the token service using the existing functionality of the AAA object and other actions of a processing policy. It is a loopback service that can be configured as the token endpoint of an Authorization Server. For information about the authorization server, refer to Part 1 of this series, Introducing the OAuth 2.0 support within the DataPower firmware revision 5.0. The Web Token Service supports the standard policy rule so that customers can expand its functionality using any of the multi-step actions, including, but not limited to, sign, encrypt, and so on.
Subsequent sections of this article will provide detailed steps to create and configure a Web Token Service.
You can create a Web Token Service either by using the provided wizard, which simplifies configuration, or without the wizard.
DataPower firmware V5.0.0 provides a wizard to ease the configuration of a Web Token Service. This wizard is customized to configure an OAuth authorization server with only a few clicks. The wizard takes input from the administrator and creates a processing policy that is required for WTS to be an OAuth authorization server. For information about the OAuth authorization server, refer to Part 1 of this series, Introducing the OAuth 2.0 support within the DataPower firmware revision 5.0. Note that you can modify the processing policy after the wizard exits. This section provides instructions on how to create a Web Token Service using the wizard.
- On the left side of the menu, navigate to Services > Web Token Service > New Web Token Service, as shown in Figure 1.
Figure 1. Select the new Web Token Service
- Enter a name and click Next, as shown in Figure 2.
Figure 2. Enter a name for the Web Token Service
- Enter a port number and create an SSL proxy profile, as shown in Figure 3. Click Add.
Figure 3. Create the listening handler by specifying the port and SSL proxy profile
- Click Next as shown in Figure 4.
Figure 4. Click Next
- The AAA Policy that will be used to handle the OAuth requests is created. Refer to Part 3 of the series, Using the AAA and form-based login in DataPower OAuth protocol support. If you have already created an AAA policy, choose it from the drop-down list and click Next. Note that if the AAA Policy is not configured correctly to enable OAuth, the wizard flags an error.
Figure 5. Select the AAA for the authorization server
- Click Commit as shown in Figure 6.
Figure 6. Commit the new Web Token Service
- Click Done as shown in Figure 7.
Figure 7. Click Done
- You can view the Web Token Service object created by the wizard by navigating to Control Panel > Objects > Service Configuration > Web Token Service, as shown in Figure 8.
Figure 8. Viewing the Web Token Service
- You can also view the Web Token Service object's processing policy created by the wizard. Notice that the Web Token Service wizard has created a processing policy with the required actions. As shown in Figure 9, it has created two rules:
  - /favicon.ico, to ignore the icon requests sent by browsers.
  - * (everything), which includes the "http-convert" action and the specified AAA policy action.
Figure 9. Web Token Service style policy
If the input AAA policy contained "HTML Forms Based Authentication" as the Extract Identity (EI) method, then the wizard auto-creates three rules to handle the forms-based login requests.
Part 3 of the series provides a sample configuration of WTS. You can download the sample configuration to understand how WTS can be used as an OAuth authorization server using an AAA policy configured to perform forms-based authentication.
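Once the wizard has finished, a practitioner will want to confirm that the new listener really behaves as an OAuth 2.0 token endpoint: it answers over the TLS port configured in Figure 3, issues a well-formed token response, and returns a standard error body for bad client credentials. The following script is an added example and is not part of the article or of the DataPower product; the host, port, path, CA file and client credentials are placeholders, and the grant fields are whatever grant your AAA policy is configured for (see Parts 4 to 6).

```python
"""Smoke-test a Web Token Service listening as an OAuth 2.0 token endpoint.

Added example, not from the article: sends one token request over TLS to the
port configured in the wizard and validates the reply against RFC 6749,
section 5. All host/port/path/credential values are placeholders.
"""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Error codes a token endpoint may return (RFC 6749, section 5.2)
OAUTH_ERRORS = {"invalid_request", "invalid_client", "invalid_grant",
                "unauthorized_client", "unsupported_grant_type", "invalid_scope"}


def parse_token_response(status, body):
    """Classify a token endpoint reply as ("token", fields) or ("error", fields).

    Raises ValueError when the reply is not a valid RFC 6749 response, which is
    the usual symptom of a WTS whose policy rules or AAA action are misconfigured.
    Pure function, so it can be exercised offline on a captured body string.
    """
    try:
        fields = json.loads(body)
    except ValueError as exc:
        raise ValueError("token endpoint did not return JSON") from exc
    if status == 200:
        if "access_token" not in fields or "token_type" not in fields:
            raise ValueError("success response lacks access_token/token_type")
        return "token", fields
    if status in (400, 401):
        if fields.get("error") not in OAUTH_ERRORS:
            raise ValueError("error response lacks a known 'error' code")
        return "error", fields
    raise ValueError("unexpected HTTP status %d" % status)


def request_token(host, port, path, client_id, client_secret, ca_file, grant_fields):
    """POST grant_fields to https://host:port/path and parse the reply.

    The server certificate is verified against ca_file (the CA that signed the
    certificate used by the SSL proxy profile created in the wizard). Client
    authentication uses HTTP Basic, as RFC 6749, section 2.3.1 recommends.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    cred = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    req = urllib.request.Request("https://%s:%d%s" % (host, port, path),
                                 data=urllib.parse.urlencode(grant_fields).encode(),
                                 method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Authorization", "Basic " + cred)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # 4xx replies still carry an OAuth error body
        return parse_token_response(err.code, err.read().decode())
```

A run that raises ValueError, rather than returning an "error" tuple, usually means the request never reached the AAA action (for example, the "*" rule or the http-convert action is missing), so check the processing policy from Figure 9 before debugging credentials.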
You can also configure WTS without the wizard, by navigating to Objects > Service Configuration > Web Token Service, or Services > Web Token Service > Edit Web Token Service.
In that case all configuration must be done manually: creating the processing policy with the required rules, validating that the AAA object is enabled for OAuth, and so on.
The next section details each of the tabs in the Object view of the Web Token Service and how they can be configured.
The WTS configuration has three simple tabs, Main, Advanced, and Probe Settings, as shown in Figure 10. It supports HTTP and HTTPS front side handlers and allows the configuration of a processing policy.
Figure 10. Main, Advanced, and Probe Settings tabs
The Advanced tab allows configuration of the front side handler settings (see Figure 11). Note that the HTTP methods and features listed there are supported but are not configurable.
Figure 11. Advanced tab of the Web Token Service
The third tab is the Probe Settings tab, which you can enable to debug requests received and processed by WTS.
The Web Token Service is typically used as the authorization server token endpoint. Note that WTS does not have a backend and, hence, it cannot be used as the enforcement point for a resource server.
WTS comes with a wizard to help you configure an OAuth authorization server. It is a simplified service and there are no complicated setups that are irrelevant to a token service. The wizard eases the configuration of form-based login for resource owner authentication in an OAuth protocol exchange.
This article explained the Web Token Service as provided in DataPower firmware V5.0.0. It provided instructions to create and configure WTS as a typical OAuth authorization service. Note that although the functionality provided by WTS is available in MPGW or XML Firewall services, the advantages of using WTS are its simplicity and the ease of configuration by using its wizard. You can also use WTS for other types of token exchange, as it is not limited to OAuth.
For additional information, see the rest of the article series as follows:
- Part 1: Introducing OAuth 2.0 support in DataPower firmware revision 5.0
- Part 3: Using AAA and form-based login in DataPower OAuth protocol support
- Part 4: Using DataPower OAuth 2.0 with the resource owner password credential
- Part 5: Using client credentials in a DataPower OAuth configuration
- Part 6: Using the authorization code grant in a DataPower OAuth configuration
- Part 7: Using WebSphere DataPower with Tivoli Federated Identity Manager to support OAuth 2.0
The following articles in the series will be available in the weeks to come:
- Part 8: Customizing the WebSphere DataPower native support for OAuth scope, identity processing, and additional processing
- Part 9: Customizing the DataPower native support for OAuth authorization codes and access tokens
- Part 10: Troubleshooting DataPower OAuth protocol support
Related resources:
- IBM WebSphere DataPower SOA Appliance Handbook
- WebSphere DataPower library
- developerWorks WebSphere DataPower zone
- IETF Web Authorization Protocol document (oauth)