Configuring user security for a native OAuth provider

Define the settings to use to extract the application users’ credentials, authenticate their identities, and grant authorization.

About this task

User security authenticates the user. It is required for the Implicit, Access code, and Resource owner - Password grant types. It is not used for the Application or Resource owner - JWT grant types.

One of the following roles is required to configure user security for a native OAuth Provider:

  • Administrator
  • Owner
  • Topology Administrator
  • Custom role with the Settings:Manage permissions

You can select the user security settings page for a native OAuth provider immediately on completion of the creation operation detailed in Configuring a native OAuth provider, or you can update the user security settings for an existing native OAuth provider. If you want to update the user security settings for an existing native OAuth provider, complete the following steps before following the procedure described in this topic:

  1. Click Resources > OAuth Providers.
  2. Select the required native OAuth provider.

Procedure

Perform the following steps to configure the user security settings for the OAuth Provider:

  1. Click User Security in the sidebar menu.
  2. Specify the following parameters for User Security. Define the settings to use to extract the application users’ credentials, authenticate their identities, and grant authorization. User Security is not required for the Application or Resource owner - JWT grant types. Click Next when done.
    Identity Extraction
      Determines how the user credential is extracted:
        • Basic Authentication - HTTP basic authentication (requires no additional configuration)
        • Default HTML Form - Use the default login form for user name and password
        • Context variable (DataPower API Gateway only) - Specify which variable contains the user name and password. For the API Connect OAuth context variables that you can use, see API Connect context variables.
        • Custom HTML Form - Enter the endpoint and select an optional TLS profile for a custom HTML form. For instructions on creating a custom form, see Creating a custom HTML login form for user security.
        • Redirect - Enter an endpoint to redirect to a third-party identity provider. For more information, see Authenticating and authorizing through a redirect URL.
        • Disabled (DataPower API Gateway only) - Do not collect the user credential
      Note: If you use either the Default HTML Form or the Redirect identity extraction method, the response from the redirect endpoint must maintain the order of the query parameters that precede the state_nonce query parameter; otherwise, the authorization fails.
    Authentication
      Authenticate application users with a user registry. Select an LDAP or Authentication URL user registry, or create the SampleAuthURL User Registry.
    Authorization
      Various methods may be used to authorize application users. For a DataPower® API Gateway, the following authorization methods are available:
        • Authenticated - Authorize authenticated users automatically.
        • Default HTML Form - Use the default HTML form to authorize.

          If you select the Default HTML Form method, all scopes that are specified in the Scopes settings are added automatically to the authorization consent form.

        • Custom HTML Form - Enter the endpoint and select an optional TLS profile for a custom HTML form.
        • Disabled (DataPower API Gateway only) - Disable authorization.
  3. Click Save when done.
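The note on the Redirect method says the third-party endpoint must send back the query parameters that precede state_nonce in their original order, or authorization fails. The following Python check, added here as an example and not part of API Connect or this documentation, compares the URL the gateway sent out against the URL the identity provider returned and flags a reordered prefix or a missing or altered state_nonce; the sample URLs and every parameter name other than state_nonce are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

STATE_NONCE = "state_nonce"


def ordered_params(url: str) -> list[tuple[str, str]]:
    """Query parameters of url as an ordered list of (name, value) pairs.
    parse_qsl keeps the order in which the parameters appear on the wire."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def split_at_nonce(params):
    """Return (parameters before state_nonce, value of state_nonce).
    Returns (None, None) when state_nonce is absent, which is itself a failure."""
    for i, (name, value) in enumerate(params):
        if name == STATE_NONCE:
            return params[:i], value
    return None, None


def redirect_preserves_order(outbound_url: str, returned_url: str) -> bool:
    """True when the returned URL carries the same parameters, in the same order,
    ahead of state_nonce as the outbound URL, and state_nonce itself is unchanged
    (the unchanged-nonce comparison is an extra check beyond the documented rule).
    Parameters placed after state_nonce are not constrained."""
    out_prefix, out_nonce = split_at_nonce(ordered_params(outbound_url))
    back_prefix, back_nonce = split_at_nonce(ordered_params(returned_url))
    if out_nonce is None or back_nonce is None:
        return False
    return out_prefix == back_prefix and out_nonce == back_nonce


# Constructed sample URLs; parameter names other than state_nonce are illustrative.
OUTBOUND = ("https://idp.example/login"
            "?original-url=https%3A%2F%2Fgw.example%2Foauth2%2Fauthorize"
            "&app-name=demo&state_nonce=n0nc3")
RETURN_OK = ("https://gw.example/oauth2/authorize"
             "?original-url=https%3A%2F%2Fgw.example%2Foauth2%2Fauthorize"
             "&app-name=demo&state_nonce=n0nc3&username=alice")
RETURN_REORDERED = ("https://gw.example/oauth2/authorize"
                    "?app-name=demo&original-url=https%3A%2F%2Fgw.example%2Foauth2%2Fauthorize"
                    "&state_nonce=n0nc3&username=alice")
RETURN_NO_NONCE = "https://gw.example/oauth2/authorize?original-url=x&app-name=demo&username=alice"

if __name__ == "__main__":
    for label, url in (("ok", RETURN_OK), ("reordered", RETURN_REORDERED), ("no nonce", RETURN_NO_NONCE)):
        print(label, redirect_preserves_order(OUTBOUND, url))
```

Run it against captured redirect pairs from a test flow to confirm the identity provider integration keeps the prefix intact before relying on it in a catalog.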

Results

Depending on the visibility setting, the OAuth Provider can be used to secure the APIs in a catalog.